Quote:
Originally Posted by ThatKidWhoGames
Database.Format automatically escapes any strings that you want to format into a query. If you want to use the standard Format function for formatting an SQL query, you would have to escape the string first and then format the query. Someone can probably explain this better than I can.
Basically, it is really hard to do per-variable escaping correctly.
Taking the simple example of updating a player's name stored in a database against a SteamID:
Using Database.Escape correctly looks like this:
    char name[MAX_NAME_LENGTH];
    if (!GetClientName(client, name, sizeof(name))) {
        return false;
    }

    // Worst case every character escapes to two characters, plus the terminating NUL.
    int safeNameLen = (strlen(name) * 2) + 1;
    char[] safeName = new char[safeNameLen];
    db.Escape(name, safeName, safeNameLen);

    char steamId[32];
    if (!GetClientAuthId(client, AuthId_Steam2, steamId, sizeof(steamId))) {
        return false;
    }

    int safeSteamIdLen = (strlen(steamId) * 2) + 1;
    char[] safeSteamId = new char[safeSteamIdLen];
    db.Escape(steamId, safeSteamId, safeSteamIdLen);

    // Only the escaped copies are formatted into the query string.
    char buffer[512];
    Format(buffer, sizeof(buffer), "UPDATE players SET name = '%s' WHERE steamid = '%s'", safeName, safeSteamId);
    db.Query(OnQueryComplete, buffer);
Whereas using Database.Format looks like this:
    char steamId[32];
    if (!GetClientAuthId(client, AuthId_Steam2, steamId, sizeof(steamId))) {
        return false;
    }

    // %N fetches and escapes the client's name, %s escapes the string argument;
    // no separate Escape() buffers are needed.
    char buffer[512];
    db.Format(buffer, sizeof(buffer), "UPDATE players SET name = '%N' WHERE steamid = '%s'", client, steamId);
    db.Query(OnQueryComplete, buffer);
It is a lot shorter and harder to get wrong.
__________________
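The difference the post describes, as an added example that is not part of the thread or of SourceMod: a small Python model of a query formatter that escapes each %s at the point of substitution, beside the hand-escaped route, using constructed sample values. The exact character set SourceMod's driver escapes is an assumption here.

```python
import re

# Assumed MySQL-style escape table; each input character expands to at most two.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r"}


def escape(value: str) -> str:
    """Model of db.Escape(): one-for-one or one-for-two expansion, which is why
    the page sizes its buffer as strlen(name) * 2 + 1 (the +1 is the NUL)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def escaped_buffer_size(value: str) -> int:
    """The worst-case buffer length the page's code allocates for one value."""
    return len(value) * 2 + 1


_SPEC = re.compile(r"%([sd])")


def db_format(fmt: str, *args) -> str:
    """Model of Database.Format: raw values in, and every %s is escaped where
    it is substituted, so escaping cannot be forgotten for one argument.
    Only %s and %d are modelled; SourceMod's %N (client name) is not."""
    pending = list(args)

    def sub(match):
        if not pending:
            raise ValueError("missing argument for %" + match.group(1))
        arg = pending.pop(0)
        if match.group(1) == "d":
            return str(int(arg))
        return escape(str(arg))

    out = _SPEC.sub(sub, fmt)
    if pending:
        raise ValueError("too many arguments for format string")
    return out


# Constructed sample values: a name containing a quote character and a SteamID.
NAME = "O'Brien"
STEAMID = "STEAM_0:1:12345"


def manual_query() -> str:
    # Hand-escaped route: every value must be escaped before it reaches the format call.
    return "UPDATE players SET name = '%s' WHERE steamid = '%s'" % (escape(NAME), escape(STEAMID))


def formatted_query() -> str:
    # Formatter route: the values are passed raw and escaped by db_format itself.
    return db_format("UPDATE players SET name = '%s' WHERE steamid = '%s'", NAME, STEAMID)
```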