Modules/MTA-MySQL/mysql escape string

From Multi Theft Auto: Wiki
Revision as of 16:36, 13 January 2008 by Ryden

Escapes a string so that it can be embedded safely in a query, preventing SQL injection attacks. This function should be used on every value supplied by a player before that value is placed into an executed query.

Syntax

string mysql_escape_string( MySQLConnection handler, string theString )

Required arguments

  • handler: A valid MySQL link
  • theString: The string to escape

Returns

The escaped string

Example

Example 1: This example looks up an offline player's cash in the database and reports it to the player who ran the command.

-- 'handler' is the MySQLConnection opened elsewhere in the resource
function checkOfflineMoney(playerSource, commandName, targetName)
  if not targetName then
    outputChatBox("Usage: /offlinecash <account name>", playerSource) -- No account name was given
    return
  end
  local escapedName = mysql_escape_string(handler, targetName) -- Escape the player-supplied name before it enters the query
  local result = mysql_query(handler, "SELECT money FROM account WHERE name='" .. escapedName .. "'")
  if not result then
    outputDebugString("mysql_query failed: (" .. mysql_errno(handler) .. ") " .. mysql_error(handler)) -- The query itself failed
  else
    if mysql_num_rows(result) == 0 then
      outputChatBox("Account not found", playerSource) -- No account with that name
    else
      outputChatBox("The player has " .. mysql_result(result, 1, 1) .. "$", playerSource) -- Send the amount to the requesting player only
    end
    mysql_free_result(result) -- Free the query result
  end
end
addCommandHandler("offlinecash", checkOfflineMoney)
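Example 2: A small wrapper added here (not part of the original page or of the MTA-MySQL module) that escapes every parameter with mysql_escape_string before it reaches mysql_query, so a forgotten escape call cannot slip into a command handler. It assumes only the module functions documented on this page and a connection stored in the global `handler`.

```lua
-- Runs 'sql' with each '?' replaced by the matching parameter, escaped and quoted.
-- Assumes mysql_escape_string and mysql_query from the MTA-MySQL module.
function mysql_query_params(connection, sql, ...)
  local params = { ... }
  local count = select("#", ...)
  local index = 0
  -- In Lua patterns '?' is a quantifier, so the literal placeholder is '%?'
  local bound = string.gsub(sql, "%?", function()
    index = index + 1
    local value = params[index]
    if value == nil then
      error("missing parameter for placeholder #" .. index, 2)
    elseif type(value) == "number" then
      return tostring(value) -- numbers need no quoting
    else
      -- strings (and anything else) are escaped and wrapped in single quotes
      return "'" .. mysql_escape_string(connection, tostring(value)) .. "'"
    end
  end)
  if index ~= count then
    error("query has " .. index .. " placeholders but " .. count .. " parameters were given", 2)
  end
  return mysql_query(connection, bound)
end

-- Usage inside a command handler: the player-supplied name is escaped automatically
function checkOfflineMoneySafe(playerSource, commandName, targetName)
  if not targetName then return end
  local result = mysql_query_params(handler,
    "SELECT money FROM account WHERE name=? AND banned=?", targetName, 0)
  if result then
    if mysql_num_rows(result) > 0 then
      outputChatBox("The player has " .. mysql_result(result, 1, 1) .. "$", playerSource)
    else
      outputChatBox("Account not found", playerSource)
    end
    mysql_free_result(result)
  end
end
addCommandHandler("offlinecashsafe", checkOfflineMoneySafe)
```

The placeholder count check catches a query whose parameter list drifted out of sync with its SQL, which otherwise fails only at runtime with a confusing MySQL syntax error.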

See also