Leaderboard

As usual, I only write advance guides This guide is a compilation of SQL commands that I have used, or Questions answered on the forum every single subject here are related to Hercules/Ragnarok Online in some ways, so you won't feel bored reading them XD Table of Content 1. When to use *escape_sql script command 2. How to build a case-sensitive table 3. Choose a table type, MyISAM or InnoDB ? 3a. How to index a table properly 3b. Why you shouldn't use `char_reg_num_db` table 4. AUTO_INCREMENT 5. How to do IF-ELSE in SQL query ? 5a. How to update multiple rows on different conditions in a single query 6. How to show the current rank of the player 7. INSERT INTO ... SELECT ... 8. Table JOIN vs AS 9. What is the maximum string limit for *query_sql 9a. UNION This topic is now open to Suggestions, Ideas, Improvements, and Questions ~ I'm sure many of you have some questions since the creation of this topic You may also post up your tricks if you want to share with us

3. Choose a table type, MyISAM or InnoDB ? https://stackoverflow.com/questions/20148/myisam-versus-innodb Before MySQL 5.5, MyISAM is mostly use for read-heavy + table locking storage engine = such as pvp ladder ( always select ... order by kill desc ) InnoDB is mostly use for write-heavy + row locking storage engine = such as quest script ( select ... from char_id ... only 1 row is retrieve ) After MySQL 5.6, (currently is 8.0) just stick to InnoDB there is only 1 reason MyISAM is better than InnoDB - MyISAM use smaller disk usage than InnoDB let's take a look at our MyISAM to InnoDB converter https://github.com/HerculesWS/Hercules/blob/stable/sql-files/tools/convert_engine_innodb.sql This converter is useful if you are using MySQL 5.6 or above There are 4 tables that are commented out the reason is simple, these 4 tables only read once and forgotten when server is live since MyISAM is good at reading (SELECT) + smaller disk usage, its no use to convert these 4 tables into InnoDB 3a How to index a table properly http://mysql.rjweb.org/doc.php/index_cookbook_mysql http://www.dbta.com/Columns/DBA-Corner/Top-10-Steps-to-Building-Useful-Database-Indexes-100498.aspx a simple thumb of rule, anything that is SELECT .... WHERE `field` = ..... that `field` has to be index let's take a look at this PVP Ladder script that use Kill/Death ratio CREATE TABLE `pvpladder` ( `char_id` INT(11), `name` VARCHAR(23), `kills` INT(11), `death` INT(11), PRIMARY KEY (`char_id`), KEY (`kills`, `death`) ) ENGINE = InnoDB; prontera,155,186,6 script PVP Ladder 1_F_MARIA,{ .@nb = query_sql( "SELECT `name`, `kills`/(`death`+1) FROM `pvpladder` WHERE `kills` > 0 ORDER BY `kills`/(`death`+1) DESC LIMIT 10", .@name$, .@ratio$ ); if ( !.@nb ) { mes "no entry"; close; } mes "Current Ranking :"; for ( .@i = 0; .@i < .@nb; ++.@i ) mes "No."+(.@i +1)+" ["+ .@name$[.@i] +"] "+ .@ratio$[.@i] +" kill"; close; OnPCKillEvent: if ( killedrid == getcharid(3) ) { // killing self should only increase death count. EG: Grand-cross query_sql "INSERT INTO `pvpladder` VALUES ( "+ getcharid(0) +", '"+ escape_sql( strcharinfo(0) )+"', 0,1 ) ON DUPLICATE KEY UPDATE `death` = `death` +1"; end; } query_sql "INSERT INTO `pvpladder` VALUES ( "+ getcharid(0) +", '"+ escape_sql( strcharinfo(0) )+"', 1,0 ) ON DUPLICATE KEY UPDATE `kills` = `kills` +1"; attachrid killedrid; query_sql "INSERT INTO `pvpladder` VALUES ( "+ getcharid(0) +", '"+ escape_sql( strcharinfo(0) )+"', 0,1 ) ON DUPLICATE KEY UPDATE `death` = `death` +1"; end; } This kind of query -> ORDER BY kills/death, needs to index them together like this KEY (`kills`, `death`) 3b. Why you shouldn't use `char_reg_num_db` table blame Euphy for spreading this technique There are 2 reasons why you shouldn't even touch all these variable tables Reason no.1 This table is sorely meant for server usage Once these data is loaded, it is process internally, and only save character data according to this configuration Reason no.2 The `value` field is not index ! This line has ORDER BY `value`, try recheck our main.sql file CREATE TABLE IF NOT EXISTS `acc_reg_num_db` ( `account_id` INT(11) UNSIGNED NOT NULL DEFAULT '0', `key` VARCHAR(32) BINARY NOT NULL DEFAULT '', `index` INT(11) UNSIGNED NOT NULL DEFAULT '0', `value` INT(11) NOT NULL DEFAULT '0', PRIMARY KEY (`account_id`,`key`,`index`), KEY `account_id` (`account_id`) ) ENGINE=MyISAM; SQL will search through every single line in the `value` field if that column isn't index Of course you can ... do ALTER table to add KEY to the `value` field but this table has already optimized in that way for server usage the more field you index into the table, the more disk usage space it use Conclusion : If you want to make a custom script, then make a custom table. Leave these table alone !

2. How to build a case-sensitive table this is the answer I found http://dba.stackexchange.com/questions/15250/how-to-do-a-case-sensitive-search-in-where-clause by default, the table creation use charset = latin1; means it couldn't do a case-sensitive search if you want to do a case-sensitive in a query, use BINARY SELECT * FROM `char` WHERE `name` = BINARY('AnnieRuru'); however using BINARY might have performance hit if it is a big table so its more recommend to convert your SQL table to collate with latin1_general_cs let's say this is a sample table CREATE TABLE `test` ( `id` INT(11) PRIMARY KEY AUTO_INCREMENT, `name` VARCHAR(23) )ENGINE = InnoDB; do an ALTER table syntax ALTER TABLE `test` MODIFY COLUMN `name` VARCHAR(23) COLLATE latin1_general_cs; or just put it into the table creation CREATE TABLE `test` ( `id` INT(11) PRIMARY KEY AUTO_INCREMENT, `name` VARCHAR(23) )ENGINE = InnoDB DEFAULT CHARSET = latin1 COLLATE latin1_general_cs;

1. When to use escape_sql script command . input .@haha$; dispbottom .@haha$; dispbottom escape_sql(.@haha$); it doesn't has much differences, because it only affect 3 special characters ' <- single quotation mark " <- double quotation mark \ <- left slash if I input -> haha"lala'hehe <- it will return -> haha\"lala\'hehe <- this is what we call, Escape a character in hercules script, we also know we can use " symbol in any string input mes "Susan says :\" Today I ate 3 eggs \"."; where in the game client, you can see the " symbol in the npc msg box let's say I have a sql script like this prontera,153,171,5 script Show Characters 1_F_MARIA,{ mes "input name, I'll show you all characters name it has on that player's account"; input .@name$; .@nb = query_sql("SELECT `char_id`, `name` FROM `char` WHERE `name` LIKE '"+ .@name$ +"'", .@cid, .@name$); if ( !.@nb ) { mes "no result"; close; } for ( .@i = 0; .@i < .@nb; ++.@i ) mes .@cid[.@i] +" "+ .@name$[.@i]; close; } this script has a possibility to be hacked because to perform sql injection, I can enclose the string with quotation mark, then use another sql command to hack BUT with an escape_sql command, if the user want to enclose the string with quotation mark to hack the script the escape_sql command escaped the string, the quotation mark the user input will be escaped thus the script will become impossible to hack just now that script was for string input prontera,153,171,5 script Show Characters 1_F_MARIA,{ mes "input account ID, I'll show you all characters name it has on that player's account"; input .@aid$; .@nb = query_sql("SELECT `char_id`, `name` FROM `char` WHERE `account_id` = "+ escape_sql(.@aid$), .@cid, .@name$); if ( !.@nb ) { mes "no result"; close; } for ( .@i = 0; .@i < .@nb; ++.@i ) mes .@cid[.@i] +" "+ .@name$[.@i]; close; } this is another stupid case. 1. the scripter use string input while the script just needed a number 2. even with escape_sql command over there, there is no quotation mark at all yes this script also has a risk to be hack because escape_sql only escape quotation mark. that hacker don't even have to input quotation mark because it is a number and an injection query can be sent without any quotation mark input there are 2 ways to solve this either use numeric variable for the input command or enclose that .... ..... WHERE `account_id` = '"+ escape_sql(.@aid$) +"'", .... with single quotation mark, when the hacker input a quotation mark will be escaped by escape_sql command Reference : https://www.w3schools.com/sql/sql_injection.asp escape_sql command for another thing is if the player register their names containing ' or ", these characters are escaped only happens when the server have no restriction on the creation of players name hercules\conf\char\char-server.conf // Manage possible letters/symbol in the name of charater. Control character (0x00-0x1f) are never accepted. Possible values are: // NOTE: Applies to character, party and guild names. // 0: no restriction (default) // 1: only letters/symbols in 'name_letters' option. // 2: Letters/symbols in 'name_letters' option are forbidden. All others are possibles. name_option: 1 and this was what happened to my SQL dota pvpladder script Silo's Babies <-- this is a guild name you can see the 5th string has a single quotation mark with escape_sql command, that string will turn into Silo\'s Babies <-- the quotation mark is escaped when send to sql query