mysql_real_escape
#1

hi i want to know when i must escape, test example:


PHP code:
new query[128],name[25];
GetPlayerName(....);
format(query, sizeof(query), "INSERT INTO players(name,pass) VALUES('%s','%s')", name, inputtext);
mysql_query(query);
I must escape only inputtext or name as.??
and another question:

PHP code:
case DIALOG_LOGIN :
        {
            new query[128],pass[25];
            format(query, sizeof(query), "SELECT pass FROM players WHERE name = '%s'", PlayerName(playerid));
            mysql_query(query);
            mysql_store_result();
        }
how can i read the value of "pass"?
Reply
#2

When you use the string placeholder in your query, it's a good idea to use mysql_real_escape to stop injections, so if you have 3 string placeholders, I would escape all 3 strings to be safe.

You can use mysql_fetch_field to retrieve the value of a field.
You must have selected the player's row and stored the result before you use it.
pawn code:
format(query, sizeof(query), "SELECT * FROM players WHERE name = '%s'", EscapeString);
mysql_query(query);
mysql_store_result();
pawn code:
if(mysql_num_rows()) // Check if it found the players row, because if you use mysql_fetch_field on an invalid field, it will crash the plugin.
{
    new Password[32];
    mysql_fetch_field_row(Password, "pass"); // Stores the value of the pass field, into the string Password.
}
Reply
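
Added example, not part of the thread or any poster's code: a C sketch (C's `snprintf` stands in for Pawn's `format`) of reply #2's advice to escape every string that fills a `'%s'` placeholder, and to refuse a query that no longer fits its buffer once escaping has lengthened the values. The helper names, the sample values and the 24/64-byte input sizes are assumptions; in a script the MySQL plugin's own escape function takes the place of `escape_sql`.

```c
#include <stdio.h>
#include <string.h>

/* Backslash-escape the bytes that can end or alter a quoted MySQL string
   literal. Returns the escaped length, or -1 if dst is too small. */
int escape_sql(char *dst, size_t dstsz, const char *src)
{
    static const char special[] = "'\"\\\n\r\x1a", repl[] = "'\"\\nrZ";
    size_t o = 0;
    if (dstsz == 0) return -1;
    for (; *src; src++) {
        const char *p = strchr(special, *src);
        if (o + (p ? 2 : 1) >= dstsz) return -1;  /* keep room for the NUL */
        if (p) dst[o++] = '\\';
        dst[o++] = p ? repl[p - special] : *src;
    }
    dst[o] = '\0';
    return (int)o;
}

/* The thread's INSERT with both '%s' values escaped. Buffers are sized for
   assumed 24/64-byte inputs. Returns 0, or -1 instead of a truncated query. */
int build_insert(char *query, size_t qsz, const char *name, const char *pass)
{
    char ename[2 * 24 + 1], epass[2 * 64 + 1];  /* worst case: every byte doubles */
    if (escape_sql(ename, sizeof ename, name) < 0) return -1;
    if (escape_sql(epass, sizeof epass, pass) < 0) return -1;
    int n = snprintf(query, qsz,
        "INSERT INTO players(name,pass) VALUES('%s','%s')", ename, epass);
    return (n < 0 || (size_t)n >= qsz) ? -1 : 0;
}

/* Count quotes that are not backslash-escaped; this INSERT must have 4. */
int bare_quotes(const char *q)
{
    int n = 0;
    for (; *q; q++) {
        if (*q == '\\' && q[1]) q++;   /* skip the escaped byte */
        else if (*q == '\'') n++;
    }
    return n;
}

int main(void)
{
    char q[256];
    if (build_insert(q, sizeof q, "Player_One", "it's\\") == 0)  /* constructed input */
        printf("%s\nbare quotes: %d\n", q, bare_quotes(q));
    return 0;
}
```

A value made mostly of quotes doubles in length when escaped, so the thread's `query[128]` can be too small even when the raw input looked short; the builder returns -1 in that case instead of sending a cut-off statement.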
#3

You use mysql_escape_string() whenever a user must INPUT something and mysql uses this input to run a query with. (So passwords, logins, name changes, ... anything where the user types something in and mysql is involved).

The point of mysql_escape_string() is that nobody can mess with your queries e.g. making them do something they shouldn't do (SQL injection in other words).
Reply
#4

thx dudes, so i don't need to escape the name of the player because he doesn't input it

GetPlayerName(playerid....);?
Reply
#5

I would, to be safe, but you don't need to.
There's always somebody trying to do something bad.
Reply