Modules/MTA-MySQL/mysql escape string: Difference between revisions
Latest revision as of 17:41, 5 January 2011
This function is provided by the external module MTA-MySQL. You must install this module to use this function.
Escapes a string so it can be safely embedded in an SQL query, preventing SQL injection attacks. This function should be used for every executed query that includes any data supplied by players.
Syntax
string mysql_escape_string( MySQLConnection handler, string theString )
Required arguments
- handler: A valid MySQL link
- theString: The string to escape
Returns
The escaped string
Example
Example 1: This example looks up an offline player's cash in the database and reports it to the player who ran the command.

```lua
-- handler is assumed to be an open connection returned earlier by mysql_connect
function checkOfflineMoney(playerSource, commandName, targetName)
    if (not targetName) then -- Command was run without a name; escaping nil would error
        outputChatBox("Usage: /" .. commandName .. " <player name>", playerSource)
        return
    end
    local escapedName = mysql_escape_string(handler, targetName) -- Escape the string to avoid security holes
    local result = mysql_query(handler, "SELECT money FROM account WHERE name='" .. escapedName .. "'")
    if (not result) then
        outputDebugString("mysql_query failed: (" .. mysql_errno(handler) .. ") " .. mysql_error(handler)) -- Some error occurred
    else
        if (mysql_num_rows(result) == 0) then
            outputChatBox("Account not found", playerSource) -- No results with that name
        else
            outputChatBox("The player has " .. mysql_result(result, 1, 1) .. "$", playerSource) -- Send the money information
        end
        mysql_free_result(result) -- Free the query result
    end
end
addCommandHandler("offlinecash", checkOfflineMoney)
```
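To make visible what the escaping step in the example above actually does, here is an added Python example; it is not the MTA-MySQL module's code and does not touch a database. The `mysql_escape_string` function here is an illustrative reimplementation of the character set the MySQL C API documents for `mysql_real_escape_string` (NUL, newline, carriage return, backslash, both quote characters and Control-Z) and assumes a character set such as utf8mb4 in which no other byte needs escaping; the two `build_money_query*` functions mirror the page's `SELECT`, and `count_string_literals` and `build_by_id` are added helpers that show, respectively, whether player input changed the structure of the query and why escaping alone is not enough for a value that is not enclosed in quotes.

```python
import re

# Characters that must be escaped inside a quoted MySQL string literal, with
# the escape sequence MySQL expects for each (assumption: utf8mb4-style charset).
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape_string(value: str) -> str:
    """Escape `value` for placement inside a single- or double-quoted literal.

    Illustrative reimplementation only: the module's own function takes the
    connection handler because the correct escaping depends on the
    connection's character set.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_money_query_unsafe(name: str) -> str:
    """The pattern the page warns against: raw player input concatenated in."""
    return "SELECT money FROM account WHERE name='" + name + "'"


def build_money_query(name: str) -> str:
    """The pattern the page's example uses: escape, then concatenate."""
    return "SELECT money FROM account WHERE name='" + mysql_escape_string(name) + "'"


def count_string_literals(query: str) -> int:
    """Count the quoted string literals in `query`, honouring backslash escapes.

    The intended query contains exactly one literal, so a different count (or
    an unterminated literal) means the input altered the query's structure.
    Doubled-quote escaping ('' inside a literal) is not modelled here.
    """
    count = 0
    quote = None  # delimiter of the literal we are inside, or None
    i = 0
    while i < len(query):
        ch = query[i]
        if quote is None:
            if ch in ("'", '"'):
                quote = ch
        elif ch == "\\":
            i += 1  # escaped character: skip it, whatever it is
        elif ch == quote:
            quote = None
            count += 1
        i += 1
    if quote is not None:
        raise ValueError("unterminated string literal in: " + query)
    return count


def build_by_id(id_text: str) -> str:
    """An unquoted numeric context: escaping cannot help here, so validate the
    type instead (tonumber() would be the Lua equivalent) and fail closed."""
    if not re.fullmatch(r"[0-9]+", id_text):
        raise ValueError("account id must be a non-negative integer")
    return "SELECT money FROM account WHERE id=" + id_text


if __name__ == "__main__":
    # Constructed inputs: a legitimate name containing a quote, and a name that
    # tries to smuggle a second condition into the WHERE clause.
    for player_input in ("O'Brien", "x' OR name='admin"):
        for label, builder in (("unsafe", build_money_query_unsafe), ("escaped", build_money_query)):
            query = builder(player_input)
            try:
                literals = count_string_literals(query)
                print(f"{label:8} {literals} literal(s): {query}")
            except ValueError as exc:
                print(f"{label:8} broken query: {exc}")
```

Running the block shows the escaped query keeping exactly one string literal for both inputs, while the unsafe one either breaks on the legitimate name or gains a second literal; in the live Lua example the same difference is what separates "Account not found" from a query that matches an account the player never named.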
See also
- mysql_connect
- mysql_close
- mysql_errno
- mysql_error
- mysql_ping
- mysql_select_db
- mysql_escape_string
- mysql_affected_rows
- mysql_change_user
- mysql_get_character_set_info
- mysql_get_client_info
- mysql_get_client_version
- mysql_get_host_info
- mysql_get_proto_info
- mysql_get_server_info
- mysql_get_server_version
- mysql_hex_string
- mysql_info
- mysql_insert_id
- mysql_query
- mysql_unbuffered_query
- mysql_set_character_set
- mysql_stat
- mysql_warning_count