[introzen]

Hello.

Does anyone know why this code doesn't work?

pawn Код:

stock PlayerRegister(playerid, password)
{
    new str[128];
    format(str,sizeof(str),"INSERT INTO users (username, password) VALUES ('%s', md5('%s'))", pName(playerid), password);
    mysql_query(str);
    format(str, sizeof(str),"You have registered as %s on %s.\nPlease confirm your password:",pName(playerid),SERVERNAME);
    ShowPlayerDialog(playerid,DIALOG_LOGIN,1,"Login",str,"Login","Cancel");
}

stock PlayerLogin(playerid, password)
{
    new str[128];
    format(str, sizeof(str),"SELECT * FROM users WHERE username = '%s' AND password = md5('%s')",pName(playerid),password);
    mysql_query(str);
    mysql_store_result();
    if(!mysql_num_rows())
    {
        SendInfoMessage(playerid,"Wrong {a9c4e4}password{ffffff}! Kicked due to security reasons!");
        Kick(playerid);
        mysql_free_result();
        return 1;
    }
    else
    {
        SendInfoMessage(playerid,"Successfully logged in. Welcome back!");
        mysql_free_result();
        return 1;
    }
}

Everytime I try to log in it tells me I got the wrong password.

[[MG]Dimi]

ALL Column and Table names MUST be between ` ` to avoid sql syntax error. Turn mysql_debug(1); and check it out.

[Vince]

That is simply not true. The only time you need to use backticks is when your field name is an SQL keyword. Neither username nor password are reserved words and thus can be used unenclosed. As far as I can see everything seems to be correct, so try printing the queries and results.

[introzen]

Lol for some reason it started working.. didn't do anything with it.

[Skimmer]

You better use mysql_real_escape_string to avoid SQL injection.

[introzen]

Quote:

Originally Posted by Skimmer You better use mysql_real_escape_string to avoid SQL injection.

Where?