Quote:
Originally Posted by Chump
Why is the player's name being escaped? It's completely unnecessary.
Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.
That's not true, you need to escape EVERYTHING inputted by players: playernames, company-names, housenames, vehiclenames, anything they can enter that would eventually be saved into your database.
Basic idea behind it: NEVER trust any player.
SA-MP is already flooded by hackers and cheaters, so don't give advice about not escaping playernames, you'll regret it someday.
Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
It's not a regular name you would see every day, but it does the trick in messing up your server.
If they know you never escape playernames, sooner or later someone will mess up your server using MySQL injections like this.
But you are right by suggesting to increase the size of the query variable.
Since it's not shown in the code, we can only guess the variable is too small.
Some good advice:
When you register a new player account, you should have a column that identifies every player with a unique ID.
That column can be called "UserID" and should have "Primary key" and auto-increment in the settings.
Only when connecting, you should find the player's name in the database and load his UserID.
During every action later on in the database, you should use the UserID as it's only an integer.
MySQL works a lot faster when searching for integer values instead of entire strings like playernames.
It increases your overall MySQL performance.
For a small server, you won't notice a difference, but when your script grows large, taking a few percent off your CPU can make a difference in terms of lag.
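
The two points from this reply in one sketch, added here as an example and not part of the original post: the name is escaped with '%e' in a buffer sized for the escaped length, and looked up once to load UserID, which every later query then uses. It assumes the BlueG MySQL plugin R41 natives; `g_SQL`, `gUserID`, `OnUserIDLoaded`, `SavePlayerMoney` and the `Name` and `Money` columns are hypothetical names.

```pawn
// Added example, not from the thread. Assumes the BlueG MySQL plugin R41 and an
// `accounts` table with UserID (INT, PRIMARY KEY, AUTO_INCREMENT), Name and Money.
// g_SQL, gUserID, OnUserIDLoaded and SavePlayerMoney are hypothetical names.
#include <a_samp>
#include <a_mysql>

new MySQL:g_SQL;            // connection handle, opened elsewhere (e.g. OnGameModeInit)
new gUserID[MAX_PLAYERS];   // 0 = account not loaded

public OnPlayerConnect(playerid)
{
    new name[MAX_PLAYER_NAME + 1], query[128];
    gUserID[playerid] = 0;
    GetPlayerName(playerid, name, sizeof(name));

    // %e escapes the name. Escaping can double its length, so `query` must hold
    // the fixed text (about 50 characters) plus 2 * MAX_PLAYER_NAME.
    mysql_format(g_SQL, query, sizeof(query),
        "SELECT UserID FROM accounts WHERE Name = '%e' LIMIT 1", name);
    mysql_tquery(g_SQL, query, "OnUserIDLoaded", "i", playerid);
    return 1;
}

forward OnUserIDLoaded(playerid);
public OnUserIDLoaded(playerid)
{
    // The only lookup by name; every later query uses the integer key.
    if (cache_num_rows() > 0)
        cache_get_value_name_int(0, "UserID", gUserID[playerid]);
    return 1;
}

SavePlayerMoney(playerid)
{
    if (gUserID[playerid] == 0) return 0;   // nothing to save for an unloaded account
    new query[96];
    // %d formats integers only, so no player-supplied text reaches this query.
    mysql_format(g_SQL, query, sizeof(query),
        "UPDATE accounts SET Money = %d WHERE UserID = %d",
        GetPlayerMoney(playerid), gUserID[playerid]);
    mysql_tquery(g_SQL, query);
    return 1;
}
```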