AlliedModders


V I R U S 09-29-2012 17:44

Escape MySQL dangerous symbols
 
Hello everybody.

I've created a simple SQL logger to log all chat and actions. Certainly, I noticed that a few events don't appear in the MySQL database. The reason for that was the ' symbol, which acts as a delimiter in the insert command.

My part of the plugin looks like this:
PHP Code:

...
  new authid[32], name[32], ip[16]
  get_user_authid(id, authid, 31)
  get_user_name(id, name, 31)
  get_user_ip(id, ip, 15, 1)

  new currentTime = get_systime(0)

  new query[1001]
  format(query, 1000, "INSERT into gamechat VALUES ('','%s','%s','%s','%s','%i','%i','%s')", get_serverPort(), name, authid, ip, cs_get_user_team(id), currentTime, message)
...

I know that I might replace all ' in VALUES, so that it will not act like a delimiter, but then there will be the same problem with the " symbol.

Is there a good way to escape "all" dangerous symbols in nicknames and messages before the insert statement?

Thanks!

Neeeeeeeeeel.- 09-29-2012 18:46

Re: Escape MySQL dangerous symbols
 
You should use:
PHP Code:

format(query, 1000, "INSERT into gamechat VALUES ('',^"%s^",^"%s^",^"%s^",^"%s^",'%i','%i',^"%s^")", get_serverPort(), name, authid, ip, cs_get_user_team(id), currentTime, message)

PS: Formatex is faster than format.
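
Added example, not part of the thread and not code from either poster: escaping every string value with the SQLx native SQL_QuoteString before the INSERT is built, so that neither ' nor " in a nickname or message can end the value early. The names g_Tuple, log_chat and QueryDone and the port[] parameter are assumptions, as are the length limits noted in the comments.

```pawn
#include <amxmodx>
#include <cstrike>
#include <sqlx>

new Handle:g_Tuple  // assumed name: created elsewhere with SQL_MakeDbTuple()

// Assumed helper. port[] stands in for the thread's get_serverPort() value
// (assumed at most 7 characters); message[] is assumed at most 191 characters.
log_chat(id, const port[], const message[])
{
    new name[32], authid[32], ip[16]
    get_user_name(id, name, charsmax(name))
    get_user_authid(id, authid, charsmax(authid))
    get_user_ip(id, ip, charsmax(ip), 1)

    // Escaping can double the length, so each target holds 2*len+1 cells.
    // A smaller buffer could cut the result off right after a backslash,
    // and that backslash would then escape the closing quote in the query.
    new qPort[16], qName[64], qAuth[64], qIp[32], qMsg[384]

    // Empty_Handle is accepted when no connection handle is at hand;
    // pass the live connection handle instead when the plugin has one.
    if (SQL_QuoteString(Empty_Handle, qPort, charsmax(qPort), port) < 0 ||
        SQL_QuoteString(Empty_Handle, qName, charsmax(qName), name) < 0 ||
        SQL_QuoteString(Empty_Handle, qAuth, charsmax(qAuth), authid) < 0 ||
        SQL_QuoteString(Empty_Handle, qIp, charsmax(qIp), ip) < 0 ||
        SQL_QuoteString(Empty_Handle, qMsg, charsmax(qMsg), message) < 0)
    {
        log_amx("gamechat: escaping failed, row skipped")
        return
    }

    // Only escaped copies reach the query text; the numbers use %i.
    new query[1024]
    formatex(query, charsmax(query),
        "INSERT INTO gamechat VALUES ('','%s','%s','%s','%s','%i','%i','%s')",
        qPort, qName, qAuth, qIp, cs_get_user_team(id), get_systime(), qMsg)
    SQL_ThreadQuery(g_Tuple, "QueryDone", query)
}

// Threaded-query callback: report a failed insert instead of dropping it silently.
public QueryDone(failstate, Handle:query, error[], errnum, data[], size)
{
    if (failstate != TQUERY_SUCCESS)
        log_amx("gamechat insert failed (%d): %s", errnum, error)
}
```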

V I R U S 09-29-2012 22:14

Re: Escape MySQL dangerous symbols
 
Thanks!

