escape_sql?

Aeromesi

Is escape_sql necessary when using the script command query_sql?

I think it has something to do with SQL Injection within scripts. Is it needed every time you query and update a DB with new info? Like, would I put +escape_sql at the end of the query?

ex:

Code:
query_sql "SELECT `credits` FROM `cp_votes` WHERE `account_id` = "+getcharid(3)+"",@credits;
For your example, no.

escape_sql is indeed necessary when you are trying to insert a string that is taken directly from the user, so that the user cannot perform any other operations.

 
basically:

use it for: strings like user input messages, user names, well, any strings at all

do not use it for: numbers

and by the way, in that case it doesn't go at the end of the query, but like this:

Code:
query_sql "SELECT `credits` FROM `cp_votes` WHERE `account_id` = '"+escape_sql(getcharid(3))+"'",@credits;
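
The rule from the answer (numbers straight from the server need no escaping, player-typed strings must be escaped and quoted) as an added NPC script example that is not from the original thread; the map position, NPC name and the `comment` column of `cp_votes` are assumptions:

```athena
// Added example, not code from the thread. Assumes cp_votes has a `comment` column.
prontera,150,180,4	script	Credits Check	4_F_KAFRA1,{
	// getcharid(3) is an integer produced by the server, not by the player,
	// so it can be concatenated directly (no escape_sql needed).
	query_sql "SELECT `credits` FROM `cp_votes` WHERE `account_id` = " + getcharid(3), .@credits;
	mes "You have " + .@credits + " credits.";
	next;

	// Free text typed by the player is attacker-controlled: escape it AND wrap
	// the result in single quotes, otherwise escaping alone does not help.
	mes "Leave a comment for the vote log:";
	input .@comment$;
	query_sql "UPDATE `cp_votes` SET `comment` = '" + escape_sql(.@comment$) + "' WHERE `account_id` = " + getcharid(3);
	mes "Saved.";
	close;
}
```

Note that the escaped value must still sit between the quotes in the SQL string; escape_sql only neutralises quote and backslash characters inside the string, it does not add the quotes for you.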