[SaW_[VrTx]]

Hello..
Here's the script;

pawn Код:

format(query2, 256, "SELECT cash,account,adminlevel,level,experience,upgradepoints,kills,gun1,gun2,gun3,ammo1,ammo2 FROM users WHERE username='%s'", playername2);
    mysql_query(query2);
    mysql_store_result(MySQL_Conn);
    while(mysql_fetch_row_format(result, "|") == 1)
    {
    sscanf(result, "p<|>dddddddddddd",PlayerInfo[playerid][pCash],PlayerInfo[playerid][pAccount],PlayerInfo[playerid][pAdmin],PlayerInfo[playerid][pLevel],PlayerInfo[playerid][pExp],PlayerInfo[playerid][gPupgrade],PlayerInfo[playerid][pKills],PlayerInfo[playerid][pGun1],PlayerInfo[playerid][pGun2],PlayerInfo[playerid][pGun3],PlayerInfo[playerid][pAmmo1],PlayerInfo[playerid][pAmmo2]);
    }
    mysql_free_result(MySQL_Conn);

When player connects to server, Cash and all other stats are automacilly imposed to default (New user). When player logins, his stats are loaded from mysql DB and written to PlayerInfo[..].But here's the bug..

When player connects to server, his cash is 432$ (default, new user)
When player logins, server prints out that his cash is about 100000$ (print was before sscanf)
When sscanf updates PlayerInfo, his money is still 432$ (So do other stats) (format was after sscanf). Every time player logins, his stats are deleted. So sscanf doesn't change PlayerInfo's to new values. Why's that?

[Alby Fire]

pawn Код:

while(mysql_fetch_row(result)) {
    new
        data[12];
    sscanf(result, "p<|>dddddddddddd", data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7],      data[8], data[9], data[10], data[11]);
    PlayerInfo[playerid][pCash] = data[0];
    PlayerInfo[playerid][pAccount] = data[1];
    PlayerInfo[playerid][pAdmin] = data[2];
    PlayerInfo[playerid][pLevel] = data[3];
    PlayerInfo[playerid][pExp] = data[4];
    PlayerInfo[playerid][gPupgrade] = data[5];
    PlayerInfo[playerid][pKills] = data[6];
    PlayerInfo[playerid][pGun1] = data[7];
    PlayerInfo[playerid][pGun2] = data[8];
    PlayerInfo[playerid][pGun3] = data[9];
    PlayerInfo[playerid][pAmmo1] = data[10];
    PlayerInfo[playerid][pAmmo2] = data[11];
}

[Aldo.]

Query was incorrect

pawn Код:

format(query2, 256, "SELECT * FROM users WHERE username='%s'", playername2);
mysql_real_escape_string(query2); // Prevents SQL injection

and add Alby Fire's code to it, should work fine

pawn Код:

while(mysql_fetch_row(result)) {
    new
        data[12];
    sscanf(result, "p<|>dddddddddddd", data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7],      data[8], data[9], data[10], data[11]);
    PlayerInfo[playerid][pCash] = data[0];
    PlayerInfo[playerid][pAccount] = data[1];
    PlayerInfo[playerid][pAdmin] = data[2];
    PlayerInfo[playerid][pLevel] = data[3];
    PlayerInfo[playerid][pExp] = data[4];
    PlayerInfo[playerid][gPupgrade] = data[5];
    PlayerInfo[playerid][pKills] = data[6];
    PlayerInfo[playerid][pGun1] = data[7];
    PlayerInfo[playerid][pGun2] = data[8];
    PlayerInfo[playerid][pGun3] = data[9];
    PlayerInfo[playerid][pAmmo1] = data[10];
    PlayerInfo[playerid][pAmmo2] = data[11];
}

[Alby Fire]

@Aldo I'm not an SQL hero, but I guess the "*" means "all" (as it is for the IP), then executing your query or his one is the same imo.

[[NoV]LaZ]

I can see you're using a variable to store the connection.
One problem that I've noticed, is that you're not assigning that variable to mysql_query and mysql_fetch_row_format.

pawn Код:

mysql_query(query2, -1, -1, MySQL_Conn);
mysql_fetch_row_format(data, "|", MySQL_Conn);

@ Aldo.: You're right, although your example is not too good either, since you're fetching the WHOLE row, data that you might not use. The only flaw in SaW's query is that he is not using ` and ' around field and table names and that might cause incorrect data to be retrieved or even crashing.

EDIT: If you are using the plugin version, use an enum to organize your player variables, so that you could do something like this:

pawn Код:

sscanf(data, "e<p<|>iiiii(data types)>", PlayerInfo[playerid]);

[MadeMan]

You load the cash to PlayerInfo[playerid][pCash] but do you use GivePlayerMoney too?

[JaTochNietDan]

Quote:

Originally Posted by Aldo. Query was incorrect pawn Код: format(query2, 256, "SELECT * FROM users WHERE username='%s'", playername2); mysql_real_escape_string(query2); // Prevents SQL injection

I think you'll find that escaping the entire query is not a form of prevention against SQL injection, but is actually a form of breaking the query, you're not supposed to escape the query, you're supposed to escape values that are being inserted into the query string that are controlled by the player. For example:

pawn Код:

mysql_real_escape_string(playername2,playername2);
format(query2, sizeof(query2), "SELECT * FROM `users` WHERE Username = '%s'", playername2);

This will escape the players name, so any characters that may be used in the name to inject their own code will be escaped, for example, if the players name was

Код:

';DROP *;

it will now become

Код:

\'DROP *;

so the character is escaped, not allowing the person to inject code.

With that said, it's not even possible to inject code using a name, because you can't even play SA-MP with those characters in your nickname.

[SaW_[VrTx]]

edit: Not working.. with Alby's example, pCash is being imposed to 0$, not 432 or any other value.
This is how script looks now: http://pastebin.com/if1kTJ2g

[Raimis_R]

Meybe this work:

pawn Код:

stock MySQLLoadVariables(playerid)
{
    new
        Query[500],
        Name[MAX_PLAYER_NAME]
    ;
    GetPlayerName(playerid,Name,MAX_PLAYER_NAME);
    format(Query,sizeof(Query),"SELECT * FROM `users` WHERE `username` = '%s'",Name);
    mysql_query(Query);
    mysql_store_result();
    
    mysql_fetch_row_format(Query,"|");
    
    sscanf(Query, "p<|>dddddddddddd",PlayerInfo[playerid][pCash],PlayerInfo[playerid][pAccount],PlayerInfo[playerid][pAdmin],PlayerInfo[playerid][pLevel],PlayerInfo[playerid][pExp],PlayerInfo[playerid][gPupgrade],PlayerInfo[playerid][pKills],PlayerInfo[playerid][pGun1],PlayerInfo[playerid][pGun2],PlayerInfo[playerid][pGun3],PlayerInfo[playerid][pAmmo1],PlayerInfo[playerid][pAmmo2]);
    mysql_free_result();
}