01-12-2019
, 10:03
Re: Sql Query Insert Problem
Originally Posted by asherkin
Basically, it is really hard to do per-variable escaping correctly.
Taking the simple example of updating a player's name stored in a database against a SteamID:
Using Database.Escape correctly looks like this:
Code (SourcePawn):
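// Per-variable escaping: every untrusted value (the client's self-chosen
// name, the auth ID) is run through db.Escape before being spliced into
// the query text with a plain Format.
// NOTE(review): this is a function-body fragment — `client`, `db` and
// OnQueryComplete come from the enclosing scope, which is not shown here.
char name[MAX_NAME_LENGTH];
if (!GetClientName(client, name, sizeof(name))) {
    return false;
}
// Worst case every character escapes to two characters, plus the terminator.
int safeNameLen = (strlen(name) * 2) + 1;
char[] safeName = new char[safeNameLen];
// Escape reports failure (false) when the destination is too small. An
// unescaped name must never reach the query, so treat failure as fatal
// instead of ignoring the return value.
if (!db.Escape(name, safeName, safeNameLen)) {
    return false;
}
char steamId[32];
if (!GetClientAuthId(client, AuthId_Steam2, steamId, sizeof(steamId))) {
    return false;
}
int safeSteamIdLen = (strlen(steamId) * 2) + 1;
char[] safeSteamId = new char[safeSteamIdLen];
// Same rule for the auth ID: escaping is only safe if it actually succeeded.
if (!db.Escape(steamId, safeSteamId, safeSteamIdLen)) {
    return false;
}
// Keep this buffer comfortably larger than 2*MAX_NAME_LENGTH + 2*sizeof(steamId)
// plus the literal SQL: Format truncates silently, and a truncated statement
// is at best a syntax error and at worst a different query than intended.
char buffer[512];
Format(buffer, sizeof(buffer), "UPDATE players SET name = '%s' WHERE steamid = '%s'", safeName, safeSteamId);
db.Query(OnQueryComplete, buffer);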
Whereas using Database.Format looks like this:
Code (SourcePawn):
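// Same update using the database-aware formatter: db.Format applies the
// driver's escaping to the formatted arguments itself, so there is no
// separate Escape pass to size, call and check.
// NOTE(review): function-body fragment — `client`, `db` and OnQueryComplete
// come from the enclosing scope, which is not shown here.
char steamId[32];
// Fixed: the original passed `steamid` (lowercase) to GetClientAuthId while the
// buffer is declared `steamId`; SourcePawn is case-sensitive, so that did not compile.
if (!GetClientAuthId(client, AuthId_Steam2, steamId, sizeof(steamId))) {
    return false;
}
// %N inserts the client's name and %s the auth ID; both go through the
// formatter's escaping. As with Format, the buffer must be sized so the
// statement cannot be silently truncated.
char buffer[512];
db.Format(buffer, sizeof(buffer), "UPDATE players SET name = '%N' WHERE steamid = '%s'", client, steamId);
db.Query(OnQueryComplete, buffer);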
It is a lot shorter and harder to get wrong.
Nice explanation, asherkin — thanks for your post, have some