mysql_format player name


Aa12
21/02/2016, 02:22 PM
new query[200]; // declared elsewhere in the gamemode; size is given later in the thread
mysql_format(mysql, query, sizeof(query), "UPDATE `accounts` SET `Veh`=1 WHERE `Name` = '%e'", PlayerNameGet(playerid));
mysql_tquery(mysql, query, "", "");
printf("%s", query);
printf("%s", PlayerNameGet(playerid));

what I get printed

UPDATE `accounts` SET `Veh`=1 WHERE `Name` = ''
myname

as you probably already understood, problem is that I can't format player name with mysql_format

Aa12
21/02/2016, 03:54 PM
my PlayerNameGet function btw

// Returns the player's name as a string (Pawn copies the local array out on return)
stock PlayerNameGet(playerid)
{
    new pName[MAX_PLAYER_NAME];
    GetPlayerName(playerid, pName, MAX_PLAYER_NAME);
    return pName;
}

LocMax
21/02/2016, 06:56 PM
Where do you format that query?

Chump
21/02/2016, 07:17 PM
Why is the player's name being escaped? It's completely unnecessary.

Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.

AmigaBlizzard
21/02/2016, 07:53 PM
> Why is the player's name being escaped? It's completely unnecessary.
>
> Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.

That's not true, you need to escape EVERYTHING inputted by players: playernames, company-names, housenames, vehiclenames, anything they can enter that would eventually be saved into your database.
Basic idea behind it: NEVER trust any player.
SA-MP is already flooded by hackers and cheaters, so don't give advice about not escaping playernames, you'll regret it someday.

Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
It's not a regular name you would see everyday, but it does the trick in messing up your server.

If they know you never escape playernames, sooner or later someone will mess up your server using mysql injections like this.

But you are right by suggesting to increase the size of the query variable.
Since it's not shown in the code, we can only guess the variable is too small.



Some good advice:
When you register a new player account, you should have a column that identifies every player with a unique ID.
That column can be called "UserID" and should have "Primary key" and auto-increment in the settings.

Only when connecting, you should find the player's name in the database and load his UserID.
During every action later on in the database, you should use the UserID as it's only an integer.
Mysql works a lot faster when searching for integer values instead of entire strings like playernames.

It increases your overall mysql performance.
For a small server, you won't notice a difference, but when your script grows large, taking some percentage off your CPU can make a difference in terms of lag.
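A worked version of the UserID approach above, added here as an example (not code from the thread or from the MySQL plugin itself). It assumes the BlueG MySQL plugin R39 API (`mysql_format`, `mysql_tquery`, `cache_get_row_count`, `cache_get_row_int`), a connection handle named `mysql`, an `accounts` table with `UserID`, `Name` and `Veh` columns, and a per-player `gUserID` array declared by the script.

```pawn
// Added example, not from the original post. Assumes the BlueG MySQL plugin
// R39 API, a `mysql` connection handle and an `accounts` table with columns
// `UserID` (primary key, auto-increment), `Name` and `Veh`.
new gUserID[MAX_PLAYERS];   // 0 = account not loaded (assumed script-wide array)

public OnPlayerConnect(playerid)
{
    new pName[MAX_PLAYER_NAME], query[128];
    GetPlayerName(playerid, pName, sizeof(pName));   // plain copy into a local buffer
    gUserID[playerid] = 0;

    // %e escapes the name, so it is only ever compared as data and can never
    // become part of the SQL statement itself. This is the only string lookup.
    mysql_format(mysql, query, sizeof(query),
        "SELECT `UserID` FROM `accounts` WHERE `Name` = '%e' LIMIT 1", pName);
    mysql_tquery(mysql, query, "OnAccountLoad", "i", playerid);
    return 1;
}

forward OnAccountLoad(playerid);
public OnAccountLoad(playerid)
{
    if (cache_get_row_count() == 0)
        return 1;                                    // no such account: gUserID stays 0
    gUserID[playerid] = cache_get_row_int(0, 0);     // first row, first column
    return 1;
}

// Every later write keys on the integer id: nothing to escape, and the
// lookup hits the primary key instead of comparing whole name strings.
stock SetPlayerVehFlag(playerid, veh)
{
    if (gUserID[playerid] <= 0)
        return 0;                                    // not loaded yet, refuse the write
    new query[96];
    mysql_format(mysql, query, sizeof(query),
        "UPDATE `accounts` SET `Veh` = %d WHERE `UserID` = %d", veh, gUserID[playerid]);
    mysql_tquery(mysql, query);
    return 1;
}
```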

Chump
21/02/2016, 07:58 PM
> Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
> It's not a regular name you would see everyday, but it does the trick in messing up your server.

Good point, but SA-MP doesn't allow spaces, semi-colons, or singular quotes in player names, making it impossible for SQL injection to happen from that alone. Only alphanumerical characters and certain symbols ([ ], ( ), =, @, _, etc.) are allowed. Everything else inputted by players should be escaped though.

Aa12
24/02/2016, 04:26 PM
> Why is the player's name being escaped? It's completely unnecessary.
>
> Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.

When I use %s instead of '%e' it prints the player name right but it doesn't save info.
query size is [200]. I think that's enough.


> That's not true, you need to escape EVERYTHING inputted by players: playernames, company-names, housenames, vehiclenames, anything they can enter that would eventually be saved into your database.
> Basic idea behind it: NEVER trust any player.
> SA-MP is already flooded by hackers and cheaters, so don't give advice about not escaping playernames, you'll regret it someday.
>
> Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
> It's not a regular name you would see everyday, but it does the trick in messing up your server.
>
> If they know you never escape playernames, sooner or later someone will mess up your server using mysql injections like this.
>
> But you are right by suggesting to increase the size of the query variable.
> Since it's not shown in the code, we can only guess the variable is too small.
>
> Some good advice:
> When you register a new player account, you should have a column that identifies every player with a unique ID.
> That column can be called "UserID" and should have "Primary key" and auto-increment in the settings.
>
> Only when connecting, you should find the player's name in the database and load his UserID.
> During every action later on in the database, you should use the UserID as it's only an integer.
> Mysql works a lot faster when searching for integer values instead of entire strings like playernames.
>
> It increases your overall mysql performance.
> For a small server, you won't notice a difference, but when your script grows large, taking some percentage off your CPU can make a difference in terms of lag.


public OnPlayerConnect(playerid)
{
    new query[200];
    mysql_format(mysql, query, sizeof(query), "SELECT * FROM `accounts` WHERE `Name` = '%e'", PlayerNameGet(playerid));
    print(query);
    return 1;
}

what I get printed when I connect

SELECT * FROM `accounts` WHERE `Name` = ''

I have connected with an account that is already saved in the database.

Also the thing about escaping. I don't really know what it is but if using '%e' does "escape" thing I guess I'm good right? (Well at least until I learn how to make this code work)

Aa12
24/02/2016, 06:37 PM
Problem solved in a strange way: I just copied my whole gamemode code, created a new pawn document, pasted my code there, compiled and ran that gamemode - everything worked fine.