escape_sql?

[Aeromesi 180]

Is escape_sql necessary when using the script command query_sql?

I think it has something to do with SQL Injection within scripts. Is it needed everytime you query and update a DB with new info? like would I put +escape_sql at the end of the query?

 

 

 

ex:

 

 

query_sql "SELECT `credits` FROM `cp_votes` WHERE `account_id` = "+getcharid(3)+"",@credits;

Edited April 2, 2015 by Aeromesi

[evilpuncker 503]

Without escape_sql with an input in a db cant they gather the root user/pass?

 

they can do pretty much everything they want to, it is just a SQL injection

[Dastgir 1246]

For your example, no.

escape_sql is indeed necessary when you are trying to insert the string which is directly taken from the user... So that the user cannot do any other operations

[evilpuncker 503]

basically:

 

use it for: strings like user input messages, user names, well, strings at all

do not use it for: numbers

 

and by the way in that case it doesn't go into the end of the query, but like this:

 

 

query_sql "SELECT `credits` FROM `cp_votes` WHERE `account_id` = '"+escape_sql(+getcharid(3))+"'"",@credits; 

[Aeromesi 180]

Without escape_sql with an input in a db cant they gather the root user/pass?

[Aeromesi 180]

 

Without escape_sql with an input in a db cant they gather the root user/pass?

 

they can do pretty much everything they want to, it is just a SQL injection

Thank you guys for clarifying this! Much appreciated.