ReplaceString questions..


Scuzzy
Senior Member
Join Date: Oct 2007
02-10-2008, 01:05   Re: ReplaceString questions..   #11

Bail,

I've run into a similar problem with escape characters and player names in SQL. Check the following example:

Code:
public Action:Command_test2(client, args)
{
 decl String:query[255];
 decl String:player_name[50];
 decl String:quoted_query[255];
 
 strcopy(player_name, sizeof(player_name), "Dave //*SmackDown*\\");
 
 PrintToServer("Player Name: %s", player_name);
 Format(query,
  sizeof(query),
  "insert into player_name (steam_id, name) values ('123','%s')", player_name);
 
 PrintToServer("First Query: %s", query);
 
 SQL_QuoteString(g_db, query, player_name, sizeof(player_name));
 
 Format(quoted_query,
  sizeof(quoted_query),
  "insert into player_name (steam_id, name) values ('123','%s')", player_name);
 
 PrintToServer("Second Query: %s", quoted_query);
 
 DoQuery(client, quoted_query);
 
 return Plugin_Handled;
}
If a player comes into the server with a single slash at the end of their name, the formatted query to insert them will fail, because \' is mistaken as an escape character... (or so I assume). I've been stripping "\" slashes out of names to prevent this...

What would you think about a "SQL_CleanString" function that would fix the quote issues and fix the slash problem?

Scuzzy
BAILOPAN
Join Date: Jan 2004
02-11-2008, 16:45   Re: ReplaceString questions..   #12

I don't understand your code; it doesn't look right though, I think you're quoting the wrong thing. You should call SQL_QuoteString() on the player's name and pass the new string (containing the escaped name) into the final query.

I.e.:
Code:
new String:name[MAX_NAME_LENGTH], String:safe_name[MAX_NAME_LENGTH*2];
GetClientName(client, name, sizeof(name));
SQL_QuoteString(db, name, safe_name, sizeof(safe_name));
Format(query, sizeof(query), "INSERT INTO blah (whatever) VALUES ('%s')", safe_name);

There shouldn't be a need for two functions because the purpose of SQL_QuoteString() is to do all necessary work. So if proper usage is resulting in malfunctioning queries it would be a bug in the driver.
__________________
egg

Last edited by BAILOPAN; 02-11-2008 at 16:49.
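
The failure discussed in posts #11 and #12, as an added example that is not part of either post and is not SourceMod or MySQL code: a simplified Python model of how a MySQL-style parser reads a single-quoted literal when backslash escapes are enabled. `literal_end`, `quote_string`, `build_insert` and `name_literal_ok` are hypothetical helpers, a single-byte character set is assumed, and the name "O'Neil" is a constructed sample.

```python
# Simplified model (an assumption, not the driver's real code) of MySQL-style
# single-quoted literals with backslash escapes enabled.

def literal_end(sql, start):
    """Return the index just past the closing quote of the literal that opens
    at sql[start], or -1 if the literal never terminates."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":                  # backslash swallows the next character
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":  # '' is an escaped quote
                i += 2
            else:
                return i + 1
        else:
            i += 1
    return -1

# Characters a driver-side quoting routine escapes (single-byte charset assumed).
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def quote_string(value):
    """Escape only the value, never the whole query."""
    return "".join(ESCAPES.get(c, c) for c in value)

def build_insert(name):
    # Same statement shape as the query in post #11.
    return "insert into player_name (steam_id, name) values ('123','%s')" % name

def name_literal_ok(sql):
    """True if the name literal closes and only ')' follows it."""
    after_id = literal_end(sql, sql.index("'"))           # skip the '123' literal
    end = literal_end(sql, sql.index("'", after_id))      # scan the name literal
    return end != -1 and sql[end:] == ")"

if __name__ == "__main__":
    # First name is the one from post #11 (ends in one backslash);
    # the second is a constructed sample containing a quote.
    for name in ["Dave //*SmackDown*\\", "O'Neil"]:
        raw, safe = build_insert(name), build_insert(quote_string(name))
        print("raw :", raw, "->", "ok" if name_literal_ok(raw) else "broken")
        print("safe:", safe, "->", "ok" if name_literal_ok(safe) else "broken")
```

Each input character becomes at most two output characters, which is consistent with the doubled `safe_name` buffer in the reply above.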
Scuzzy
Senior Member
Join Date: Oct 2007
02-11-2008, 17:17   Re: ReplaceString questions..   #13

That worked, thanks.
KaOs
Senior Member
Join Date: Apr 2004
02-18-2008, 00:40   Re: ReplaceString questions..   #14

Bailo,
Why does quotestring need the db?
BAILOPAN
Join Date: Jan 2004
02-18-2008, 07:30   Re: ReplaceString questions..   #15

As answered in another thread, if it didn't need the DB it would need the driver, since the driver provides the escaping mechanism. Aside from it being easier to pass the DB than the driver Handle, MySQL uses the character set of the DB to determine the exact escaping mechanism.
__________________
egg
KaOs
Senior Member
Join Date: Apr 2004
02-18-2008, 17:29   Re: ReplaceString questions..   #16

Quote:
Originally Posted by BAILOPAN
As answered in another thread, if it didn't need the DB it would need the driver, since the driver provides the escaping mechanism. Aside from it being easier to pass the DB than the driver Handle, MySQL uses the character set of the DB to determine the exact escaping mechanism.
Beautiful answer, thanks.