[aircombat]

I made a lil /register command based on mysql system , it was working fine but suddenly now when someone /register lol , what shows in the database is "username : ol" password : "lol" so any ideas how to fix it :S?

Код:

dcmd_register(playerid, params[])
{
	new pName[MAX_PLAYER_NAME];
	GetPlayerName(playerid,pName,MAX_PLAYER_NAME);
	new password;
	new Query[128];
	format(Query, sizeof(Query), "SELECT * FROM `users` WHERE `username` = '%s'",pName);
	mysql_query(Query);
	mysql_store_result();
	if(mysql_num_rows()) return SendClientMessage(playerid,COLOR_TEST,"This Account Is Already Registered");
	else if(sscanf(params,"s",password)) return SendClientMessage(playerid,COLOR_TEST,"Usage: /register [Password]");
	else
	{
		new query[128],string[128];
		format(query, sizeof(query), "INSERT INTO `users` (`username`, `password`, `score`, `money`) VALUES ('%s', '%s', '%s', '%s')", pName, password,GetPlayerScore(playerid),GetPlayerMoney(playerid));
  		mysql_query(query);
		format(string,128,"You're Now Registered , Password: %s , Now Please /Login",password);
		SendClientMessage(playerid,COLOR_TEST,string);
		SetPVarInt(playerid,"Registered",1);
	}
	return 1;
}

[MadeMan]

pawn Код:

new password[64];

pawn Код:

format(query, sizeof(query), "INSERT INTO `users` (`username`, `password`, `score`, `money`) VALUES ('%s', '%s', '%d', '%d')", pName, password,GetPlayerScore(playerid),GetPlayerMoney(playerid));

[_rAped]

Auch. Unless you don't want your database deleted/abused use mysql_real_escape_string().

[aircombat]

i am actually new to mysql but what mysql_real_escape_string() for and how to use it??

[Calgon]

Quote:

Originally Posted by aircombat i am actually new to mysql but what mysql_real_escape_string() for and how to use it??

Escapes special characters to prevent SQL injection.