Modules/MTA-MySQL/mysql escape string: Difference between revisions

From Multi Theft Auto: Wiki
(New page: __NOTOC__ Escapes a query string to avoid sql injection attacks. This function should be used for every executed query that uses any data given by the players. ==Syntax== <syntaxhighlight lang="lua"> st...)
 
mNo edit summary
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
<pageclass class="#AA7592" subcaption="MTA-MySQL Module"></pageclass>
__NOTOC__
__NOTOC__
{{ModuleFunction|MTA-MySQL}}
Escapes a query string to avoid sql injection attacks. This function should be used for every executed query that uses any data given by the players.
Escapes a query string to avoid sql injection attacks. This function should be used for every executed query that uses any data given by the players.


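Review bot: the description both columns carry in this hunk tells readers to escape every query built from player data but never says that the escaped value must still be enclosed in quotes in the SQL text, which is what the example further down this page does with `name='" .. escapedName .. "'"`; a short sentence stating that escaping only protects a value placed inside a quoted literal would stop readers from escaping a value and then concatenating it bare into the statement.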
Line 23: Line 25:
   else
   else
     if (mysql_num_rows(result) == 0) then outputChatBox("Account not found", playerSource) -- We haven't results with that name
     if (mysql_num_rows(result) == 0) then outputChatBox("Account not found", playerSource) -- We haven't results with that name
     else outputChatBox("The player has " .. mysql_result(result, 1, 1) .. "$") end -- Send the money information
     else outputChatBox("The player has " .. mysql_result(result, 1, 1) .. "$", playerSource) end -- Send the money information
     mysql_free_result(result) -- Free the query result
     mysql_free_result(result) -- Free the query result
   end
   end
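Review bot: the change to the `else outputChatBox("The player has " .. mysql_result(result, 1, 1) .. "$", playerSource) end` line is the right fix, since without the `playerSource` argument the balance would have been sent to every connected player instead of only to the one who ran the command, and it now matches the "Account not found" branch directly above it; the unchanged context lines still call `mysql_free_result(result)` only inside the else branch, which is correct because `result` is false on failure and there is nothing to free.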

Latest revision as of 17:41, 5 January 2011


This function is provided by the external module MTA-MySQL. You must install this module to use this function.

Escapes a string so it can be safely embedded in a query, avoiding SQL injection attacks. This function should be used for every executed query that uses any data given by the players, and the escaped value must still be placed inside quotes in the SQL text.

Syntax

string mysql_escape_string( MySQLConnection handler, string theString )

Required arguments

  • handler: A valid MySQL link
  • theString: The string to escape

Returns

The escaped string

Example

Example 1: This example fetches an offline player's money from the database and reports it in chat.

function checkOfflineMoney(playerSource, commandName, targetName)
  -- 'handler' is the MySQLConnection opened earlier when the resource started (not shown here)
  if (not targetName) then
    outputChatBox("Usage: /" .. commandName .. " <name>", playerSource) -- The command was typed without a name
    return
  end
  local escapedName = mysql_escape_string(handler, targetName) -- Escape the string to avoid security holes
  local result = mysql_query(handler, "SELECT money FROM account WHERE name='" .. escapedName .. "'") -- The escaped value still has to sit inside quotes
  if (not result) then
    outputDebugString("mysql_query failed: (" .. mysql_errno(handler) .. ") " .. mysql_error(handler)) -- Some error occurred
  else
    if (mysql_num_rows(result) == 0) then
      outputChatBox("Account not found", playerSource) -- No rows with that name
    else
      outputChatBox("The player has " .. mysql_result(result, 1, 1) .. "$", playerSource) -- Send the money information
    end
    mysql_free_result(result) -- Free the query result
  end
end
addCommandHandler("offlinecash", checkOfflineMoney)
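The example above escapes the player-supplied name and then wraps it in single quotes. The following illustration, added here and not part of the MTA-MySQL module or the wiki page, shows why both steps are needed. It cannot call the module's native mysql_escape_string without a live connection, so escapeForMySQL is an assumed local mirror of the characters the MySQL C API escapes (backslash, both quote types, NUL, newline, carriage return, Ctrl-Z); buildMoneyQuery and countUnescapedQuotes are hypothetical helpers, and the sample names are constructed. The quote counter is a check a server scripter can run over any generated statement: a correctly escaped value leaves exactly the two quotes the template contributed, while raw input either adds a third quote or swallows the closing one.

```lua
-- Added illustration for the escaping advice on this page; not module code.
-- In a server script you would call mysql_escape_string(handler, s) on a live
-- connection. escapeForMySQL is an assumed local mirror of the characters the
-- MySQL C API escapes, so this file runs in plain Lua 5.1+ with no database.
local function escapeForMySQL(s)
  local map = {
    ["\\"] = "\\\\", ["'"] = "\\'", ['"'] = '\\"',
    ["\0"] = "\\0", ["\n"] = "\\n", ["\r"] = "\\r", ["\26"] = "\\Z",
  }
  -- %z matches the NUL byte in Lua 5.1 patterns (still accepted in later versions)
  return (s:gsub("[\\'\"%z\n\r\26]", map))
end

-- Hypothetical helper: the page's query with the value escaped AND quoted.
-- The optional escape parameter only exists so the demo can show the raw case.
local function buildMoneyQuery(name, escape)
  escape = escape or escapeForMySQL
  return "SELECT money FROM account WHERE name='" .. escape(name) .. "'"
end

-- Count single quotes that are not preceded by an unescaped backslash.
-- Two means the literal opened and closed as the template intended; any other
-- count means the input broke the literal, which is the root of SQL injection.
local function countUnescapedQuotes(sql)
  local n, prevBackslash = 0, false
  for i = 1, #sql do
    local c = sql:sub(i, i)
    if c == "'" and not prevBackslash then n = n + 1 end
    -- a backslash escapes the next character unless it was itself escaped
    prevBackslash = (c == "\\") and not prevBackslash
  end
  return n
end

-- Constructed sample inputs: a legitimate name with an apostrophe, a name
-- ending in a backslash, and a plain one. None is a payload; they are simply
-- the characters that close a literal early or swallow its terminator.
local samples = { "O'Brien", "trailing\\", "plain" }
for _, name in ipairs(samples) do
  local safe = buildMoneyQuery(name)
  local raw = buildMoneyQuery(name, function(x) return x end)
  print(string.format("%-10s escaped -> %d quote(s): %s", name, countUnescapedQuotes(safe), safe))
  print(string.format("%-10s raw     -> %d quote(s): %s", name, countUnescapedQuotes(raw), raw))
end
```

Run it with any Lua 5.1 or later interpreter. The escaped queries all report two quotes; the raw "O'Brien" query reports three (the literal closed early) and the raw "trailing\" query reports one (the closing quote was escaped away), which is exactly the condition mysql_escape_string exists to prevent.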
