Mysql escape string


DRIFT_HUNTER
31/12/2011, 04:46 PM
I'm not sure how to use escape strings because I don't know how they work.
So if someone can give me a CORRECT example and EXPLAIN SQL escape strings I will be grateful.

Here is how I use them, but I don't think it's correct:

new Query[128], QueryEsc[128];
// Build the query from the raw (unescaped) user name and password
format(Query, sizeof(Query), "SELECT * FROM `samp_users` WHERE `UserName`='%s' AND `Password`='%s'", UserNameString, PasswordString);
mysql_query(Query);
// Escape the already-built query into QueryEsc (QueryEsc is not used afterwards)
mysql_real_escape_string(Query, QueryEsc);
mysql_store_result();
if(mysql_num_rows())
{
    mysql_fetch_row_format(Query);
    printf("%s", Query);
}


Please do not try to help if you just THINK you know these. Thx

Hiddos
31/12/2011, 05:22 PM
Basically, escaping a string is used to prevent SQL injection by adding a backslash to SQL statements found in a string, so they will not interrupt the query. Your problem is that you escape the query, disabling ALL statements. You only need to escape the input.

DRIFT_HUNTER
31/12/2011, 05:46 PM
So in this case I only need to escape UserNameString and PasswordString?

mysql_real_escape_string(UserNameString , UserNameStringEscape);
mysql_real_escape_string(PasswordString, PasswordStringEscape);
mysql_query(................


Is this right?

Hiddos
31/12/2011, 05:51 PM
Yerp (Don't forget to still format the query ;)). AFAIK, you can escape a string to the same string, like:
mysql_real_escape_string(UserNameString , UserNameString);
mysql_real_escape_string(PasswordString, PasswordString);
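The difference Hiddos describes, as an added example in Python rather than Pawn (not code from the thread): a stand-in for what mysql_real_escape_string does, the login query built in the two orders discussed above, and a toy literal parser showing why escaping the finished query breaks it while escaping the inputs keeps a name like O'Brien intact. The escape table follows the MySQL C API documentation for mysql_real_escape_string; the parser and the function names are my own.

```python
# Added example, not code from the thread: Python stand-in for the Pawn calls above.
# Characters mysql_real_escape_string rewrites, per the MySQL C API docs.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
_UNESCAPES = {"\\": "\\", "'": "'", '"': '"', "0": "\0",
              "n": "\n", "r": "\r", "Z": "\x1a"}

LOGIN_SQL = "SELECT * FROM `samp_users` WHERE `UserName`='%s' AND `Password`='%s'"

def escape_string(value: str) -> str:
    """Backslash-escape every character that could end or alter a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def login_query_escaped_inputs(username: str, password: str) -> str:
    """Order the thread arrives at: escape each input, then format the query."""
    return LOGIN_SQL % (escape_string(username), escape_string(password))

def login_query_escaped_whole(username: str, password: str) -> str:
    """Order from the first post: format first, then escape the finished query."""
    return escape_string(LOGIN_SQL % (username, password))

def string_literals(query):
    """Toy parser: the single-quoted literals MySQL would see in query, with
    backslash escapes undone. Returns None when the query is malformed
    (a literal never closed, or a backslash outside any literal)."""
    literals, i, n = [], 0, len(query)
    while i < n:
        if query[i] == "\\":
            return None                      # escape where no literal is open
        if query[i] != "'":
            i += 1
            continue
        i += 1                               # opening quote
        buf = []
        while i < n and query[i] != "'":
            if query[i] == "\\" and i + 1 < n:
                buf.append(_UNESCAPES.get(query[i + 1], query[i + 1]))
                i += 2
            else:
                buf.append(query[i])
                i += 1
        if i >= n:
            return None                      # literal never closed
        literals.append("".join(buf))
        i += 1                               # closing quote
    return literals
```

With a driver that supports them, prepared statements with bound parameters do this escaping for you and are the preferred option.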

DRIFT_HUNTER
31/12/2011, 06:03 PM
Thank you very much for helping me understand this.