MySQL R8 - Help
#1

I have an Account System based on BlueG's MySQL R8 system. I have done everything in phpMyAdmin, I have WAMP and all that stuff.
Every time I connect, it shows only the register dialog, which means I don't have any account, even after I type my password and reconnect.
Here is the dialog function:
Code:
MySQL_Account( playerid , acc[ ] )
{
    new
		rows,
		fields,
		string[ 256 ]
	;

    cache_get_data( rows , fields );
    
	if( !rows )
	{
   		format( string , sizeof( string ) , "{FFFFFF}Welcome, {0537FF}%s {FFFFFF}!\n{FFFFFF}You need to register before playing !" , acc );
		SPD( playerid , Register , PASS , "{FFFFFF}Register" , string , "Register" , "Kick" );
	}
	else if( rows )
	{
		format( string , sizeof( string ) , "{FFFFFF}Welcome back, {0537FF}%s {FFFFFF}!\n{FFFFFF}You need to login before playing." , acc );
	    SPD( playerid , Login, PASS, "{FFFFFF}Login" , string , "Login" , "Cancel" );
	}

	return 1;
}
Here is the function which loads the player data:
Code:
MySQL_Load_Data( playerid , acc[ ] )
{
    new
		rows,
		fields,
		str[ 256 ]
	;

    cache_get_data( rows , fields );

    if( rows )
	{
		cache_get_row( 0 , 0 , str );
		P_DATA[ playerid ][ SQL_ID ] = strval( str );
		
		cache_get_row( 0 , 3 , str );
		P_DATA[ playerid ][ Admin ]  = strval( str );
	}
	else
	{
		P_DATA[ playerid ][ FailedLogins ] ++ ;

	 	format( str, sizeof( str ),"{FFFFFF}Hey, {0537FF}%s {FFFFFF}!\n{FFFFFF}You have entered the wrong passowrd !\n{FFFFFF}Please, retype your password below but careful because you have just {0537FF}%i {FFFFFF}chanches left !",GetName( playerid ) , 3 - P_DATA[ playerid ][ FailedLogins ]   );
 		SPD( playerid, Login, PASS, "Login", str, "Login", "Exit");

		if( P_DATA[ playerid ][ FailedLogins ] == 3 )
		{
		    format(str,sizeof( str ),"%s {FFFFFF}has been kicked ! [ Reason: {FF0000}Wrong Password {FFFFFF}]", GetName( playerid ) );
		    SendClientMessageToAll( C_B, str );

			new Text[ 128 ]; // 30 cells would truncate the message formatted below
			format( Text, sizeof( Text ), "{FFFFFF}You have been kicked because you tiped wrong your password for 3 times !" );
			SPD( playerid, PassKick, PASS, "{FF0000}KICKED !", Text, "Ok", "" );
			Kick( playerid );
		}
	}

	return 1;
}
Can any of you help me fix it?

#Sorry for my bad English
Reply
#2

Show us how you query to check if he is registered. Also, when he registers, is it written to the database?
Reply
#3

pawn Code:
new
        pName[ MAX_PLAYER_NAME ],
        pName1[ MAX_PLAYER_NAME ],
        Query[ 256 ]
    ;

    GetPlayerName( playerid , pName , sizeof( pName ));

    mysql_real_escape_string( pName , pName1 );
    format( Query , sizeof( Query ) , "SELECT Name FROM Users WHERE Name = '%s' LIMIT 0,1" , pName1 );
    mysql_function_query( 1 , Query , true , "MySQL_Account" , "is" , playerid , pName1 );
Reply
#4

Don't use mysql_real_escape_string on player names, they can't be used for SQL Injection. mysql_real_escape_string must be used only when a string can contain ` or '.

Everything looks OK. Is it inserting into the database? If yes, check that ALL columns are right.
Reply
#5

It inserts into the database, but again with mysql_real_escape_string, look:
Code:
mysql_real_escape_string( name , name2 );
format( string, sizeof( string ) , "INSERT INTO `Users` (Name,Password,AdminLevel,VipLevel) VALUES('%s', '%s', '%d', '%d')" , name2 , password , 0, 0 );
mysql_function_query( 1 , string , false , "" , "" );
Does it need to be deleted?
Reply
#6

Quote:
Originally Posted by IstuntmanI
Don't use mysql_real_escape_string on player names, they can't be used for SQL Injection. mysql_real_escape_string must be used only when a string can contain ` or '.

Everything looks OK. Is it inserting into the database? If yes, check that ALL columns are right.
Not true. ANY user input can be used for injection. Rule no. 1 for secure applications: never trust user input.
Reply
#7

Quote:
Originally Posted by Sithis
Not true. ANY user input can be used for injection. Rule no. 1 for secure applications: never trust user input.
San Andreas already has filters for names, so you can't use special characters, only 0-9, [, ], a-z, A-Z and a few others, but not SQL Injection characters. So that function is not needed on player names.

@RaZzZzoR: I can't see anything bad in your code then...
Reply
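
The INSERT in post #5 escapes the name but formats the password into the statement as typed, so whether the name filter is strict enough does not settle the question; binding every value removes it. The following is an added example, not code from the thread: it uses Python's sqlite3 in place of the Pawn MySQL plugin, and the helper names, player name and password are constructed for illustration.

```python
import sqlite3

# sqlite3 stands in for the MySQL plugin; the table mirrors the INSERT in
# post #5. Helper names and all sample values are constructed.
SCHEMA = ("CREATE TABLE Users (Name TEXT, Password TEXT, "
          "AdminLevel INTEGER, VipLevel INTEGER)")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register_formatted(conn, name, password):
    """Builds the statement by string formatting, as post #5 does.
    Only the name is escaped; the password goes in as typed."""
    escaped_name = name.replace("'", "''")
    sql = ("INSERT INTO Users (Name,Password,AdminLevel,VipLevel) "
           "VALUES('%s', '%s', '%d', '%d')" % (escaped_name, password, 0, 0))
    try:
        conn.execute(sql)
        return "stored"
    except sqlite3.Error:
        # The value was parsed as SQL text and broke the statement.
        return "rejected"


def register_bound(conn, name, password):
    """Same INSERT with bound parameters: values never become SQL text."""
    conn.execute("INSERT INTO Users (Name,Password,AdminLevel,VipLevel) "
                 "VALUES(?, ?, ?, ?)", (name, password, 0, 0))
    return "stored"


def stored_password(conn, name):
    """Looks the row up with a bound parameter, like the SELECT in post #3."""
    row = conn.execute("SELECT Password FROM Users WHERE Name = ? LIMIT 1",
                       (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    pw = "it's-a-secret"  # constructed password containing a quote
    db = new_db()
    print(register_formatted(db, "Player_One", pw), stored_password(db, "Player_One"))
    print(register_bound(db, "Player_One", pw), stored_password(db, "Player_One"))
```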