MySQL /register
#1

I made a lil /register command based on a MySQL system. It was working fine, but suddenly now when someone /register lol, what shows in the database is "username: ol" password: "lol", so any ideas how to fix it :S?

Code:
dcmd_register(playerid, params[])
{
	new pName[MAX_PLAYER_NAME];
	GetPlayerName(playerid,pName,MAX_PLAYER_NAME);
	new password;
	new Query[128];
	format(Query, sizeof(Query), "SELECT * FROM `users` WHERE `username` = '%s'",pName);
	mysql_query(Query);
	mysql_store_result();
	if(mysql_num_rows()) return SendClientMessage(playerid,COLOR_TEST,"This Account Is Already Registered");
	else if(sscanf(params,"s",password)) return SendClientMessage(playerid,COLOR_TEST,"Usage: /register [Password]");
	else
	{
		new query[128],string[128];
		format(query, sizeof(query), "INSERT INTO `users` (`username`, `password`, `score`, `money`) VALUES ('%s', '%s', '%s', '%s')", pName, password,GetPlayerScore(playerid),GetPlayerMoney(playerid));
  		mysql_query(query);
		format(string,128,"You're Now Registered , Password: %s , Now Please /Login",password);
		SendClientMessage(playerid,COLOR_TEST,string);
		SetPVarInt(playerid,"Registered",1);
	}
	return 1;
}
#2

pawn Code:
new password[64];
pawn Code:
format(query, sizeof(query), "INSERT INTO `users` (`username`, `password`, `score`, `money`) VALUES ('%s', '%s', '%d', '%d')", pName, password,GetPlayerScore(playerid),GetPlayerMoney(playerid));
#3

Ouch. Unless you don't want your database deleted/abused, use mysql_real_escape_string().
#4

I am actually new to MySQL, but what is mysql_real_escape_string() for and how do I use it??
#5

Quote:
Originally Posted by aircombat
I am actually new to MySQL, but what is mysql_real_escape_string() for and how do I use it??
Escapes special characters to prevent SQL injection.
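How the escaping advice from post #3 combines with the fixes from post #2, as an added example that is not code from any poster in the thread. It assumes the two-argument form mysql_real_escape_string(source[], destination[]) of the MySQL plugin in use, and reuses the script's own includes, COLOR_TEST and sscanf; MAX_PASS_LEN is a hypothetical name introduced here.

```pawn
// Added example: drops into the script from post #1 (same includes, COLOR_TEST, sscanf).
#define MAX_PASS_LEN (64) // hypothetical constant, matches "new password[64]" from post #2

dcmd_register(playerid, params[])
{
	new pName[MAX_PLAYER_NAME], password[MAX_PASS_LEN];
	// Escaping can double the length of the input, so size the buffers for 2 * n + 1.
	new escName[MAX_PLAYER_NAME * 2 + 1], escPass[MAX_PASS_LEN * 2 + 1];
	new query[384], string[128];

	// password is an array now, so the whole string is stored instead of a single cell.
	if(sscanf(params, "s", password)) return SendClientMessage(playerid, COLOR_TEST, "Usage: /register [Password]");

	GetPlayerName(playerid, pName, sizeof(pName));

	// Assumed signature: mysql_real_escape_string(source[], destination[]).
	// Every string that ends up inside quotes in a query is escaped first.
	mysql_real_escape_string(pName, escName);
	mysql_real_escape_string(password, escPass);

	format(query, sizeof(query), "SELECT * FROM `users` WHERE `username` = '%s'", escName);
	mysql_query(query);
	mysql_store_result();
	new rows = mysql_num_rows();
	mysql_free_result(); // release the stored result before the early return
	if(rows) return SendClientMessage(playerid, COLOR_TEST, "This Account Is Already Registered");

	// %d for the integer columns (post #2); the escaped copies go into the query.
	format(query, sizeof(query), "INSERT INTO `users` (`username`, `password`, `score`, `money`) VALUES ('%s', '%s', '%d', '%d')", escName, escPass, GetPlayerScore(playerid), GetPlayerMoney(playerid));
	mysql_query(query);

	// The chat message shows the original input, not the escaped copy.
	format(string, sizeof(string), "You're Now Registered , Password: %s , Now Please /Login", password);
	SendClientMessage(playerid, COLOR_TEST, string);
	SetPVarInt(playerid, "Registered", 1);
	return 1;
}
```

The escaped copies are used only for building queries; comparing or displaying the value uses the unescaped string.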