ExecuteSQLQuery: Difference between revisions

From Multi Theft Auto: Wiki
Jump to navigation Jump to search
(New page: __NOTOC__ {{Server function}} This function executes an arbitrary SQL query and returns the result rows if there are any. It allows parameter binding for security (SQL injection is render...)
 
mNo edit summary
Line 6: Line 6:
==Syntax==
==Syntax==
<syntaxhighlight lang="lua">
<syntaxhighlight lang="lua">
table ExecuteSQLQuery(string query [, var param1 [, var param2 ...]])
table executeSQLQuery(string query [, var param1 [, var param2 ...]])
</syntaxhighlight>
</syntaxhighlight>


Line 31: Line 31:
<syntaxhighlight lang="lua">
<syntaxhighlight lang="lua">
function listPlayersWithMoreMoneyThan(thePlayer, command, amount)
function listPlayersWithMoreMoneyThan(thePlayer, command, amount)
     local players = ExecuteSQLQuery("SELECT id, name FROM players WHERE money > ?", tonumber(amount))
     local players = executeSQLQuery("SELECT id, name FROM players WHERE money > ?", tonumber(amount))
     outputConsole("Players with more money than " .. amount .. ":", thePlayer)
     outputConsole("Players with more money than " .. amount .. ":", thePlayer)
     for i, playerdata in ipairs(players) do
     for i, playerdata in ipairs(players) do
Line 46: Line 46:
<syntaxhighlight lang="lua">
<syntaxhighlight lang="lua">
function showPlayerMoney(thePlayer, command, playerName)
function showPlayerMoney(thePlayer, command, playerName)
     local result = ExecuteSQLQuery("SELECT money FROM players WHERE name=?", playerName)
     local result = executeSQLQuery("SELECT money FROM players WHERE name=?", playerName)
     if(#result == 0) then
     if(#result == 0) then
         outputConsole("No player named " .. playerName " .. is registered.", thePlayer)
         outputConsole("No player named " .. playerName " .. is registered.", thePlayer)
Line 58: Line 58:
Notice the lack of single quotes around the "?" in this example, even though it represents a string. ExecuteSQLQuery will see that the playerName variable is a string and take care of the correct execution of the query by itself.
Notice the lack of single quotes around the "?" in this example, even though it represents a string. ExecuteSQLQuery will see that the playerName variable is a string and take care of the correct execution of the query by itself.


The advantage of using ExecuteSQLQuery is that it is immune to users trying to exploit the query with an SQL injection attack. playerName may contain special characters like ', " or -- that will not influence the query, unlike the older approach where playerName would be concatenated into the query string.
The advantage of using executeSQLQuery is that it is immune to users trying to exploit the query with an SQL injection attack. playerName may contain special characters like ', " or -- that will not influence the query, unlike the older approach where playerName would be concatenated into the query string.

Revision as of 21:00, 22 September 2007

This function executes an arbitrary SQL query and returns the result rows if there are any. It allows parameter binding for security (SQL injection is rendered impossible).

Syntax

table executeSQLQuery(string query [, var param1 [, var param2 ...]])

Required Arguments

  • query: An SQL query. Positions where parameter values will be inserted are marked with a "?".

Required Arguments

  • paramX: A variable number of parameters. These must be strings or numbers - it is important to make sure they are of the correct type. Also, the number of parameters passed must be equal to the number of "?" characters in the query string.

Returns

Returns a table with the result of the query if it was a SELECT query, or false if otherwise. In case of a SELECT query the result table may be empty when there are no result rows. The table is of the form:

{
    { colname1=value1, colname2=value2, ... },
    { colname1=value3, colname2=value4, ... },
    ...
}

Example

This example defines a console command that shows the ID's and names of all registered (stored in database) players that have more than the specified amount of money.

function listPlayersWithMoreMoneyThan(thePlayer, command, amount)
    local players = executeSQLQuery("SELECT id, name FROM players WHERE money > ?", tonumber(amount))
    outputConsole("Players with more money than " .. amount .. ":", thePlayer)
    for i, playerdata in ipairs(players) do
        outputConsole(playerdata.id .. ": " .. playerdata.name, thePlayer)
    end
end

addCommandHandler("richplayers", listPlayersWithMoreMoneyThan)


This example shows the amount of money a certain registered player has.

function showPlayerMoney(thePlayer, command, playerName)
    local result = executeSQLQuery("SELECT money FROM players WHERE name=?", playerName)
    if(#result == 0) then
        outputConsole("No player named " .. playerName " .. is registered.", thePlayer)
    else
        outputConsole("Money amount of player " .. playerName .. " is " .. result[1].money, thePlayer)
    end
end
addCommandHandler("playermoney", showPlayerMoney)

Notice the lack of single quotes around the "?" in this example, even though it represents a string. ExecuteSQLQuery will see that the playerName variable is a string and take care of the correct execution of the query by itself.

The advantage of using executeSQLQuery is that it is immune to users trying to exploit the query with an SQL injection attack. playerName may contain special characters like ', " or -- that will not influence the query, unlike the older approach where playerName would be concatenated into the query string.