How to escape string
#1

How to escape a string correctly?


Code:
mysql_real_escape_string(aString, aString);
format(szMessage, sizeof(szMessage), "INSERT INTO punsishes (text, playerID) VALUES ('%s', '%d')", aString, PlayerVar[playerid][pInternalID]);
mysql_tquery(handle, szMessage);
or
Code:
format(szMessage, sizeof(szMessage), "INSERT INTO punsishes (text, playerID) VALUES ('%s', '%d')", aString, PlayerVar[playerid][pInternalID]);
mysql_real_escape_string(szMessage, szMessage);
mysql_tquery(handle, szMessage);
#2

No need for real_escape. Just use '%e' instead of '%s'
#3

It looks like you are using mysql R33 and above. If so, you don't need to use that function, just use %e specifier for strings in the query format.

https://sampwiki.blast.hk/wiki/MySQL/R33...t_specifiers_2

Quote:

Format strings

%e Escapes data directly without the need to call mysql_escape_string() before.

#4

Can I use %e instead of %d? Or just instead of %s?

And which of those two is correct?
#5

No, you do not need to. Using %d or %i is just fine since they are integer specifiers. %e is a specifier for strings that escapes the data directly.
#6

So can I replace this:
Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerPhoneBook = '%d', playerName = '%s' WHERE playerID = '%d'",
    PlayerVar[playerid][pPhoneBook], PlayerVar[playerid][pName], PlayerVar[playerid][pID]);
mysql_tquery(handle, saveQuery);
with it?
Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerPhoneBook = '%e', playerName = '%e' WHERE playerID = '%e'",
    PlayerVar[playerid][pPhoneBook], PlayerVar[playerid][pName], PlayerVar[playerid][pID]);
mysql_tquery(handle, saveQuery);
#7

As I wrote above, %e can be used for strings ONLY since it's a specifier that escapes the string directly. So you cannot use it for integer values; %d or %i are just fine for ints and they do not need to be escaped at all. Now it's up to you to separate them depending on what types of data your table contains.

If you are using it for player name, it's fine. If you are using it for admin level, then it's wrong.
#8

Understood, thank you! But can you tell me which of those escape methods is OK?
#9

Well, it's not really needed if you are using the latter version of the mysql plugin. But if you want to know, then the first method is correct, because it first escapes szString and then you put it in the query. If you use the second method, then you are first building the query and then escaping the string, so the query won't contain any escaped string.

Keep in mind that %e specifier can only be used with mysql_format.
#10

Not in myql_tformat? What's the difference between them?
#11

It's only %e in mysql_format, not format.
If you want to use format, use %q instead.
https://sampwiki.blast.hk/wiki/Format
#12

Quote:
Originally Posted by Stinged
It's only %e in mysql_format, not format.
If you want to use format, use %q instead.
https://sampwiki.blast.hk/wiki/Format
I know that, I asked something else.
#13

Quote:
Originally Posted by Nin9r
So can I replace this:
Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerPhoneBook = '%e', playerName = '%e' WHERE playerID = '%e'",
    PlayerVar[playerid][pPhoneBook], PlayerVar[playerid][pName], PlayerVar[playerid][pID]);
mysql_tquery(handle, saveQuery);
Clearly you know...
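The advice in this thread pulled together in one place, as an added example in Pawn (not code posted by anyone in the thread): the two queries rewritten with mysql_format, %e for the text columns only and %d for the integer columns. It assumes an R33+ MySQL plugin, a connection handle named handle, and an enum layout for PlayerVar that the thread only uses but never shows.

```pawn
#include <a_samp>
#include <a_mysql>

// Assumed declarations: the thread indexes PlayerVar[playerid][...] but never defines it.
enum pInfo
{
    pInternalID,
    pID,
    pPhoneBook,
    pName[MAX_PLAYER_NAME]
}
new PlayerVar[MAX_PLAYERS][pInfo];
new handle;  // assumed: connection handle returned by mysql_connect()

// The INSERT from post #1, done the R33+ way: mysql_format (not format) escapes
// the player-supplied text with %e at the point it is placed into the query,
// so no separate mysql_real_escape_string call is needed. The integer column
// uses %d and is never escaped.
stock SavePunishment(playerid, const text[])
{
    new szMessage[256];
    mysql_format(handle, szMessage, sizeof(szMessage),
        "INSERT INTO punsishes (text, playerID) VALUES ('%e', %d)",
        text, PlayerVar[playerid][pInternalID]);
    mysql_tquery(handle, szMessage);
}

// The UPDATE from post #6: only playerName is a string, so only it gets %e;
// playerPhoneBook and playerID stay %d (the quotes around them in the original
// query are unnecessary for integer columns).
stock SavePlayerAccount(playerid)
{
    new saveQuery[256];
    mysql_format(handle, saveQuery, sizeof(saveQuery),
        "UPDATE playeraccounts SET playerPhoneBook = %d, playerName = '%e' WHERE playerID = %d",
        PlayerVar[playerid][pPhoneBook], PlayerVar[playerid][pName], PlayerVar[playerid][pID]);
    mysql_tquery(handle, saveQuery);
}

// Why the second variant in post #1 is wrong: escaping szMessage after format()
// escapes the statement's own quote characters, while the player's text has
// already been inserted unescaped. The result is a broken query, not a safe one.
```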