
mysql escape string


JocAnis
Veteran Member
Join Date: Jun 2010
02-19-2021, 09:02   mysql escape string   #1

Hello. I want to store a player's nickname in a MySQL database, but with string escaping. I'm thinking of using:

Code:
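new name[ 32 ], escName[ 64 ]
// separate destination buffer: escaping can double the length of the source
SQL_PrepareString( name, escName, charsmax( escName ) )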

...

stock SQL_PrepareString( const source[], dest[], len )
{
	copy( dest, len, source )
	replace_all( dest, len, "\\", "\\\\" )
	replace_all( dest, len, "\0", "\\0" )
	replace_all( dest, len, "\n", "\\n" )
	replace_all( dest, len, "\r", "\\r" )
	replace_all( dest, len, "\x1a", "\Z" )
	replace_all( dest, len, "'", "\'" )
	replace_all( dest, len, "^"", "\^"" )
}
Also, I saw code (and used it once, but I'm still confused about how efficient that function is) for another 'method':

Code:
new name[ 32 ], escName[ 64 ]
SQL_QuoteString( Empty_Handle, escName, charsmax( escName ), name )

// then use escName for query input
What would be the best solution to use, keeping in mind that the connected nickname should be equal to the one from MySQL (like doing a reversed escape of the nickname?)? Thanks in advance!
__________________
KZ Public Autocup - PrimeKZ

My blog: http://primekz.xyz (in progress...) - not active (dec 2022)

Last edited by JocAnis; 02-19-2021 at 09:04.
CrazY.
Veteran Member
Join Date: May 2015
Location: SP, Brazil
02-19-2021, 09:35   Re: mysql escape string   #2

SQL_QuoteString calls mysql_real_escape_string, should be safe.

Code:
int MysqlDatabase::QuoteString(const char *str, char buffer[], size_t maxlen, size_t *newsize)
{
	unsigned long size = static_cast<unsigned long>(strlen(str));
	unsigned long needed = size*2 + 1;

	if (maxlen < needed)
	{
		return (int)needed;
	}

	needed = mysql_real_escape_string(m_pMysql, buffer, str, size);
	if (newsize)
	{
		*newsize = static_cast<size_t>(needed);
	}

	return 0;
}
https://github.com/alliedmodders/amx...tabase.cpp#L80
__________________
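The sizing check and the round-trip question from the thread, as an added example that is not part of any post and is not AMX Mod X or MySQL code: a simplified model of the escape showing that a nickname from `name[ 32 ]` (at most 31 characters) always fits `escName[ 64 ]`, and that the server stores the original nickname, so nothing has to be un-escaped when it is read back. The names `escape_literal`, `stored_value` and `round_trips` are hypothetical, and the default SQL mode (backslash escapes enabled) is assumed.

```cpp
#include <cstddef>
#include <string>

// Simplified model of the escape (assumption: default SQL mode). Same contract as
// QuoteString above: returns bytes needed (2*n + 1) if the buffer is too small, else 0.
size_t escape_literal(const std::string &in, char *out, size_t maxlen, size_t *newsize)
{
    size_t needed = in.size() * 2 + 1;   // worst case: every byte gets a backslash
    if (maxlen < needed) return needed;
    size_t n = 0;
    for (unsigned char c : in) {
        char e = 0;
        switch (c) {
            case '\0': e = '0'; break;
            case '\n': e = 'n'; break;
            case '\r': e = 'r'; break;
            case 0x1a: e = 'Z'; break;
            case '\\': case '\'': case '"': e = (char)c; break;
        }
        if (e) out[n++] = '\\';
        out[n++] = e ? e : (char)c;
    }
    out[n] = '\0';
    if (newsize) *newsize = n;
    return 0;
}

// What the server stores once its parser has consumed the escapes in the quoted
// literal (only the sequences escape_literal emits are handled here).
std::string stored_value(const std::string &lit)
{
    std::string v;
    for (size_t i = 0; i < lit.size(); ++i) {
        char c = lit[i];
        if (c == '\\' && i + 1 < lit.size()) {
            c = lit[++i];
            if (c == '0') c = '\0'; else if (c == 'n') c = '\n';
            else if (c == 'r') c = '\r'; else if (c == 'Z') c = 0x1a;
        }
        v += c;
    }
    return v;
}

// True when the escaped name fits in buflen bytes and is stored unchanged.
bool round_trips(const std::string &name, size_t buflen)
{
    std::string buf(buflen, '\0');
    size_t len = 0;
    if (escape_literal(name, &buf[0], buflen, &len) != 0) return false;
    return stored_value(buf.substr(0, len)) == name;
}
```
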








JocAnis
Veteran Member
Join Date: Jun 2010
02-19-2021, 10:10   Re: mysql escape string   #3

Oh nice. Thank you very much! I guess it's solved.