Hello.
I'm writing a plugin that logs admin activity to a mysql database table.
I have a few problems so far:
I use the client_putinserver and client_disconnect functions to log when somebody joins and leaves.
Then inside each one I check to see if the user has admin rights using is_user_admin.
The problem is if someone joins as a simple player and then authenticates as an admin and leaves, I only log the disconnection, so I see someone leaving without joining. Same goes if someone joins authed and leaves unauthed, I only see him joining and not leaving. Worst case, if someone joins unauthed, auths, then changes name and becomes a normal player and leaves, I don't log anything.
So I'd like to know what I should use to detect when someone gains admin privileges and also when someone loses admin privileges.
One other matter is, when I log the joins/parts the admin's name gets logged, so ppl can have all sorts of names, this is vulnerable to SQL injection, and I'd like to prevent that. From what I've seen on PHP's mysql_real_escape_string function:
Code:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
I don't know how to do that in amxx, how to escape hex and \n newline stuff.
This is so far the code I use to log joins/parts (the client_disconnect is similar, except that I log as "left" instead of "joined"):
Code:
public client_putinserver(id)
{
    if (is_user_admin(id) && is_user_connected(id))
    {
        new g_admin_joined[513],srv_id[2],admn_name[65],admn_steamid[65],admn_ip[33]
        get_user_name(id,admn_name,64)
        get_user_authid(id,admn_steamid,64)
        get_user_ip(id,admn_ip,32,0)
        replace_all(admn_name,64,"'","\'")
        replace_all(admn_name,64,"^"","\^"")
        replace_all(admn_name,64,";","\;")
        replace_all(admn_name,64,"-","\-")
        replace_all(admn_name,64,"%","\%")
        replace_all(admn_name,64,"_","\_")
        replace_all(admn_name,64,"#","\#")
        get_cvar_string("amx_server_serverid",srv_id,1)
        format(g_admin_joined,512,"INSERT INTO `%s` ( `server_id` , `timestamp` , `admin_name` , `admin_steamid` , `admin_ip
        new Handle:queryInsert= SQL_PrepareQuery(connect, "%s",g_admin_joined)
        // server_print("[SQLDEBUG] %s",g_admin_joined)
        if (!SQL_Execute(queryInsert))
        {
            SQL_QueryError(queryInsert,error,512)
            server_print("[SQLERROR]: %s",error)
        }

        SQL_FreeHandle(queryInsert)
    }
    else return PLUGIN_CONTINUE
    return PLUGIN_CONTINUE
}
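
The escaping rule quoted in the post, written out in C as an added example (not the poster's code and not MySQL's source). The function name sql_escape and the sample names are made up here; it covers the quoted character set, backslash included, and writes NUL, newline, CR and 0x1a as \0, \n, \r and \Z the way the MySQL client library does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape src (len bytes, NUL bytes allowed) for use inside a quoted MySQL
 * string literal. Handles the set quoted in the post:
 *   \x00, \n, \r, \, ', " and \x1a
 * dst has room for cap bytes including the terminator; the worst case
 * needs 2*len + 1. Returns the escaped length, or (size_t)-1 if dst is
 * too small (the caller should then reject the name, not truncate it). */
size_t sql_escape(char *dst, size_t cap, const char *src, size_t len)
{
    size_t j = 0;
    if (cap == 0) return (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        char out;
        switch (src[i]) {
        case '\0':   out = '0'; break;
        case '\n':   out = 'n'; break;
        case '\r':   out = 'r'; break;
        case '\x1a': out = 'Z'; break;
        /* The backslash must be escaped too: if only quotes are escaped,
         * a backslash already in the name pairs with the one added in
         * front of the quote and the quote ends the literal again. */
        case '\\': case '\'': case '"': out = src[i]; break;
        default:
            if (j + 1 >= cap) return (size_t)-1;
            dst[j++] = src[i];
            continue;              /* next input byte */
        }
        if (j + 2 >= cap) return (size_t)-1;
        dst[j++] = '\\';
        dst[j++] = out;
    }
    dst[j] = '\0';
    return j;
}

int main(void)
{
    /* Constructed sample player names, not taken from any real server. */
    const char *names[] = { "O'Neil", "a\\'b", "two\nlines" };
    char buf[2 * 64 + 1];          /* 64-byte name, worst case doubled */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (sql_escape(buf, sizeof buf, names[i], strlen(names[i])) != (size_t)-1)
            printf("'%s'\n", buf);
    return 0;
}
```

Characters such as ; - % _ # need no backslash inside a quoted string literal of an INSERT, which is why they are not in the quoted set.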