[arcticx2]

Quote:

Originally Posted by asherkin Basically, it is really hard to do per-variable escaping correctly. Taking the simple example of updating a players name stored in a database against a SteamID: Using Database.Escape correctly looks like this: PHP Code: char name[MAX_NAME_LENGTH]; if (!GetClientName(client, name, sizeof(name))) {   return false; } int safeNameLen = (strlen(name) * 2) + 1; char[] safeName = new char[safeNameLen]; db.Escape(name, safeName, safeNameLen); char steamId[32]; if (!GetClientAuthId(client, AuthId_Steam2, steamId, sizeof(steamId))) {   return false; } int safeSteamIdLen = (strlen(steamId) * 2) + 1; char[] safeSteamId = new char[safeSteamIdLen]; db.Escape(steamId, safeSteamId, safeSteamIdLen); char buffer[512]; Format(buffer, sizeof(buffer), "UPDATE players SET name = '%s' WHERE steamid = '%s'", safeName, safeSteamId); db.Query(OnQueryComplete, buffer);  Whereas using Database.Format looks like this: PHP Code: char steamId[32]; if (!GetClientAuthId(client, AuthId_Steam2, steamid, sizeof(steamid))) {   return false; } char buffer[512]; db.Format(buffer, sizeof(buffer), "UPDATE players SET name = '%N' WHERE steamid = '%s'", client, steamId); db.Query(OnQueryComplete, buffer);  It is a lot shorter and harder to get wrong.

nice explanation asherkin thanks for your post , have some