Hi There.
I'm writing my own real-time statistics for CS. I need to insert the player name into the database, so I'm doing this:
PHP Code:
format(sql_query,511,"SELECT * FROM `stats` WHERE `nick`='%s';", name)
new Handle:Query = SQL_PrepareQuery(SqlConnection,sql_query)
if(!SQL_Execute(Query)) {
    SQL_QueryError(Query,g_Error,511)
    server_print("* SQL Error: %s",g_Error)
}
if (SQL_NumResults(Query) == 0) {
    format(sql_query,511,"INSERT `stats` (`nick`) VALUES ('%s');",name)
    new Handle:Query2 = SQL_PrepareQuery(SqlConnection,sql_query)
    if(!SQL_Execute(Query2)) {
        SQL_QueryError(Query2,g_Error,511)
        server_print("* SQL Error: %s",g_Error)
    }
    SQL_FreeHandle(Query2)
}
SQL_FreeHandle(Query)
But if the player's nick contains special chars like ", ' or `, the query will fail and the server can be hacked.
Replacing these chars with "_" or something is not a good idea, because I need to store the real nickname in the DB. I could also replace these symbols with {quot} {dblquot} {otherquot} and restore them.
Is there another way to insert ", ' and ` into the database?
My idea:
PHP Code:
replace(nick, 32, "'", "\'")
replace(nick, 32, "`", "\`")
replace(nick, 32, "^"", "[slash here]^"")
Will it work fine? Any suggestions?
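As an added example (not the poster's code), here is the same check-then-insert written with SQLx's SQL_QuoteString, which escapes the nickname for whichever database driver the connection uses, so the row holds the real nickname and the quote characters cannot end the SQL literal. The names g_Sql and EnsurePlayerRow are assumed; the connection itself is opened elsewhere.

```pawn
#include <amxmodx>
#include <sqlx>

// Assumed to be opened elsewhere with SQL_Connect (not shown here).
new Handle:g_Sql

// Returns true if the player's row exists after the call, false on any error.
// The nickname goes through SQL_QuoteString, which escapes ' " ` and backslash
// for the connected driver, so the real nickname is stored unchanged and
// cannot break out of the quoted literal in the query text.
stock bool:EnsurePlayerRow(id)
{
    new name[32], safeName[65], error[256]
    get_user_name(id, name, charsmax(name))

    // Worst case every character gets an escape, so the buffer is 2*len+1.
    // SQL_QuoteString returns -1 if the buffer is too small.
    if (SQL_QuoteString(g_Sql, safeName, charsmax(safeName), name) == -1)
    {
        log_amx("* SQL: nickname could not be quoted: %s", name)
        return false
    }

    new Handle:query = SQL_PrepareQuery(g_Sql,
        "SELECT 1 FROM `stats` WHERE `nick`='%s'", safeName)
    if (!SQL_Execute(query))
    {
        SQL_QueryError(query, error, charsmax(error))
        log_amx("* SQL Error: %s", error)
        SQL_FreeHandle(query)
        return false
    }
    new bool:found = SQL_NumResults(query) > 0
    SQL_FreeHandle(query)
    if (found)
        return true

    query = SQL_PrepareQuery(g_Sql,
        "INSERT INTO `stats` (`nick`) VALUES ('%s')", safeName)
    new bool:ok = bool:SQL_Execute(query)
    if (!ok)
    {
        SQL_QueryError(query, error, charsmax(error))
        log_amx("* SQL Error: %s", error)
    }
    SQL_FreeHandle(query)
    return ok
}
```

Note that the replace() native only rewrites the first match in the string, so a nick with two quotes would slip through; replace_all() covers every occurrence, but letting the driver quote the value as above is the more reliable choice.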