mysql_format player name
#1

Code:
mysql_format(mysql, query, sizeof(query), "UPDATE `accounts` SET `Veh`=1 WHERE `Name` = '%e'", PlayerNameGet(playerid));
mysql_tquery(mysql, query, "", "");
printf("%s", query);
printf("%s", PlayerNameGet(playerid));
What I get printed:

UPDATE `accounts` SET `Veh`=1 WHERE `Name` = ''
myname

As you probably already understood, the problem is that I can't format the player name with mysql_format.
#2

My PlayerNameGet function, btw:

Code:
stock PlayerNameGet(playerid)
{
    new pName[MAX_PLAYER_NAME];
    GetPlayerName(playerid, pName, MAX_PLAYER_NAME);
    return pName; // Pawn returns the array by value, so the caller gets a copy
}
#3

Where do you format that query?
#4

Why is the player's name being escaped? It's completely unnecessary.

Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.
#5

Quote:
Originally Posted by Chump
View Post
Why is the player's name being escaped? It's completely unnecessary.

Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.
That's not true, you need to escape EVERYTHING inputted by players: player names, company names, house names, vehicle names, anything they can enter that would eventually be saved into your database.
Basic idea behind it: NEVER trust any player.
SA-MP is already flooded by hackers and cheaters, so don't give advice about not escaping player names, you'll regret it someday.

Players could choose to enter "; DROP TABLE accounts;" as their name; it would wipe your database upon logging in.
It's not a regular name you would see every day, but it does the trick in messing up your server.

If they know you never escape player names, sooner or later someone will mess up your server using MySQL injections like this.

But you are right by suggesting to increase the size of the query variable.
Since it's not shown in the code, we can only guess the variable is too small.

Some good advice:
When you register a new player account, you should have a column that identifies every player with a unique ID.
That column can be called "UserID" and should have "Primary key" and auto-increment in the settings.

Only when connecting, you should find the player's name in the database and load his UserID.
During every action later on in the database, you should use the UserID as it's only an integer.
MySQL works a lot faster when searching for integer values instead of entire strings like player names.

It increases your overall MySQL performance.
For a small server, you won't notice a difference, but when your script grows large, taking some percentage off your CPU can make a difference in terms of lag.
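A worked version of the flow recommended above (escape the name with %e once at connect, load the UserID, then address the row by integer key), as an added example that is not code from the thread or from the SA-MP MySQL plugin. It assumes the BlueG MySQL plugin R41 API (mysql_format, mysql_tquery, cache_get_row_count, cache_get_value_name_int), a `g_SQL` handle opened elsewhere with mysql_connect, and the `accounts(UserID, Name, Veh)` layout the posts imply.

```pawn
// Added example (not from the thread). Assumes the BlueG MySQL plugin R41 API
// and an accounts table: UserID INT PRIMARY KEY AUTO_INCREMENT, Name, Veh.
#include <a_samp>
#include <a_mysql>

new MySQL:g_SQL;               // assumed: set by mysql_connect() in OnGameModeInit
new g_UserID[MAX_PLAYERS];     // 0 = not loaded / not registered

public OnPlayerConnect(playerid)
{
    g_UserID[playerid] = 0;

    new name[MAX_PLAYER_NAME];
    GetPlayerName(playerid, name, sizeof name);

    // Worst case %e doubles the name (every character escaped), so a 24-char
    // name can become 48 cells; 128 cells leaves ample headroom for this query.
    new query[128];
    mysql_format(g_SQL, query, sizeof query,
        "SELECT `UserID` FROM `accounts` WHERE `Name` = '%e' LIMIT 1", name);
    mysql_tquery(g_SQL, query, "OnAccountLookup", "d", playerid);
    return 1;
}

forward OnAccountLookup(playerid);
public OnAccountLookup(playerid)
{
    new rows;
    cache_get_row_count(rows);
    if (rows == 0) return 0;   // unregistered: leave g_UserID at 0

    cache_get_value_name_int(0, "UserID", g_UserID[playerid]);
    return 1;
}

// Later writes use the integer key: %d needs no escaping and hits the primary key,
// so the player-controlled name never reaches the query again.
stock GiveVehicleFlag(playerid)
{
    if (g_UserID[playerid] == 0) return 0;   // nothing loaded yet, nothing to update

    new query[96];
    mysql_format(g_SQL, query, sizeof query,
        "UPDATE `accounts` SET `Veh` = 1 WHERE `UserID` = %d", g_UserID[playerid]);
    mysql_tquery(g_SQL, query);
    return 1;
}
```

Printing `query` after each mysql_format, as the original poster does, is still the quickest check that the buffer was large enough and the name actually made it into the statement.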
#6

Quote:
Originally Posted by AmigaBlizzard
View Post
Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
It's not a regular name you would see everyday, but it does the trick in messing up your server.
Good point, but SA-MP doesn't allow spaces, semicolons, or single quotes in player names, making it impossible for SQL injection to happen from that alone. Only alphanumeric characters and certain symbols ([ ], ( ), =, @, _, etc.) are allowed. Everything else inputted by players should be escaped though.
#7

Quote:
Originally Posted by Chump
View Post
Why is the player's name being escaped? It's completely unnecessary.

Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.
When I use '%s' instead of '%e' it prints the player name right, but it doesn't save the info.
The query size is [200]. I think that's enough.


Quote:
Originally Posted by AmigaBlizzard
View Post
That's not true, you need to escape EVERYTHING inputted by players: player names, company names, house names, vehicle names, anything they can enter that would eventually be saved into your database.
Basic idea behind it: NEVER trust any player.
SA-MP is already flooded by hackers and cheaters, so don't give advice about not escaping player names, you'll regret it someday.

Players could choose to enter "; DROP TABLE accounts;" as their name; it would wipe your database upon logging in.
It's not a regular name you would see every day, but it does the trick in messing up your server.

If they know you never escape player names, sooner or later someone will mess up your server using MySQL injections like this.

But you are right by suggesting to increase the size of the query variable.
Since it's not shown in the code, we can only guess the variable is too small.

Some good advice:
When you register a new player account, you should have a column that identifies every player with a unique ID.
That column can be called "UserID" and should have "Primary key" and auto-increment in the settings.

Only when connecting, you should find the player's name in the database and load his UserID.
During every action later on in the database, you should use the UserID as it's only an integer.
MySQL works a lot faster when searching for integer values instead of entire strings like player names.

It increases your overall MySQL performance.
For a small server, you won't notice a difference, but when your script grows large, taking some percentage off your CPU can make a difference in terms of lag.
Code:
public OnPlayerConnect(playerid)
{
    new query[200];
    // Escape the name with %e and print the finished statement to see what was built
    mysql_format(mysql, query, sizeof(query), "SELECT * FROM `accounts` WHERE `Name` = '%e'", PlayerNameGet(playerid));
    print(query);
    return 1;
}
What I get printed when I connect:

Code:
SELECT * FROM `accounts` WHERE `Name` = ''
I have connected with an account that is already saved in the database.

Also, the thing about escaping: I don't really know what it is, but if using '%e' does the "escape" thing, I guess I'm good, right? (Well, at least until I learn how to make this code work.)
#8

Problem solved in a strange way: I just copied my whole gamemode code, created a new Pawn document, pasted my code there, compiled and ran that gamemode, and everything worked fine.