Preventing SQL from injection
Hi ppl,
I have one MySQL query:
Code:
format(CheckQuery, 254, "SELECT `id` FROM `users` WHERE `nick`='%s' AND `password`='%s'", user_name,password)
Code:
01/08/2009 - 21:39:45: [AMXX] Plugin ("sql_vip.amxx") is setting itself as failed.
Re: Preventing SQL from injection
If you store by their steam id and not their name, you could be guaranteed that this wouldn't happen, unless they set their password to have one of the same characters (which may cause this same odd problem for you), but you can check for that when they try to set a password.
Output exactly what you're passing into the query using a print_chat or print_console before you run the query, and post exactly what's making it in there.
Re: Preventing SQL from injection
Yes, I know that, but I need the user name to work.
Re: Preventing SQL from injection
Code:
format(CheckQuery, 254, "SELECT `id` FROM `users` WHERE `nick`='%s' AND `password`='%s'", user_name,password)
Code:
format(CheckQuery, 254, "SELECT id FROM users WHERE nick='%s' AND password='%s'", user_name,password)
Re: Preventing SQL from injection
I tried to do this:
Code:
replace_all(user_name, 99, "'", "\'")
EDIT: These quotes aren't apostrophes, it's "back quotes": not " ' ", but " ` ".
Re: Preventing SQL from injection
Odd, but you may still want to remove those apostrophes. Any reason why you have two different kinds of single quotes on your query?
Re: Preventing SQL from injection
Try to run query:
Code:
SELECT * FROM db WHERE select='blah';
Code:
SELECT * FROM db WHERE `select`='blah';
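The two points raised in this thread, escaping the user-supplied values and quoting identifiers with backticks, put together in one added example (my code, not the sql_vip plugin). It assumes the plugin uses the sqlx module, whose SQL_QuoteString escapes a value for the connected server, and that an open connection handle is passed in; `user_name` and `password` are the variables from the original query.

```pawn
#include <amxmodx>
#include <sqlx>

// Added example, not the thread's plugin. `db` is assumed to be an open sqlx
// connection. Instead of pasting raw input into format(), each value is escaped
// by the driver, so an apostrophe inside a nick stays inside the string literal
// and cannot terminate it.
stock bool:BuildCheckQuery(Handle:db, query[], len, const user_name[], const password[])
{
    new safeNick[64], safePass[64];

    // SQL_QuoteString escapes quotes and backslashes for the connected server.
    // It returns -1 when the destination buffer is too small, so an over-long
    // or quote-heavy input is rejected rather than silently truncated.
    if (SQL_QuoteString(db, safeNick, charsmax(safeNick), user_name) == -1)
        return false;
    if (SQL_QuoteString(db, safePass, charsmax(safePass), password) == -1)
        return false;

    // Backticks quote identifiers (table and column names; required for
    // reserved words such as `select`). Single quotes delimit the escaped values.
    formatex(query, len,
        "SELECT `id` FROM `users` WHERE `nick`='%s' AND `password`='%s'",
        safeNick, safePass);
    return true;
}

// Run the login check, refusing (and logging) instead of executing a query
// that could not be built safely. "%s" keeps any '%' in the data from being
// treated as a format specifier by SQL_PrepareQuery.
stock RunCheckQuery(Handle:db, const user_name[], const password[])
{
    new query[256];
    if (!BuildCheckQuery(db, query, charsmax(query), user_name, password))
    {
        log_amx("Refusing to run login query: input too long to escape");
        return;
    }
    new Handle:result = SQL_PrepareQuery(db, "%s", query);
    if (!SQL_Execute(result))
    {
        new err[128];
        SQL_QueryError(result, err, charsmax(err));
        log_amx("Login query failed: %s", err);
    }
    SQL_FreeHandle(result);
}
```

Checking the return value of SQL_QuoteString matters: a silently truncated buffer is exactly the kind of input that makes the query fail the way the log line in the first post shows.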
Re: Preventing SQL from injection
I still don't understand how/why you have single quotes on the values and apostrophes on the fields... unless it has something to do with non-American keyboards.
Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.