Database

Started by Cena, Jun 17, 2016, 10:12 AM


Cena

My db isn't saving. I tried many things: QuerySQL( sqliteDB, "UPDATE Accounts SET Cash='" + Cash + "', Bank='" + Bank + "', Kills='" + Kills + "', Deaths='" + Deaths + "', Level='" + Level + "', LastUsedIP='" + LastUsedIP + "' WHERE Name='" + player.Name + "' AND NameLower='" + player.Name.tolower() + "'" );

I also tried this in a function and in onPlayerPart, but it's still not working :( . I tried to execute this in the db and it works there, but in the script it's not working.... plz help
Want To Meet Me Come #Cena At Lunet

.

#1
Christ man. Who dafuq uses that many concatenations? Why can't you use functions like format() to make the query? Easier to spot the syntax errors.

Besides, the official plugin does not report query errors. Which means you must manually execute the query in a program that can locate the error or use an alternate SQLite plugin.

Either way, no one has the patience and time to look through all that crap to find your missing quote or comma. You dug this hole yourself. Now you get out of it.

Integers in quotes? Who does that. (thankfully sqlite does implicit conversions).

QuerySQL(sqliteDB,
    format(@"UPDATE [Accounts] SET
        [Cash]=%i,
        [Bank]=%i,
        [Kills]=%i,
        [Deaths]=%i,
        [Level]=%i,
        [LastUsedIP]='%s'
        WHERE [Name]='%s' AND [NameLower]='%s';",
        Cash,
        Bank,
        Kills,
        Deaths,
        Level,
        LastUsedIP,
        player.Name,
        player.Name.tolower()
    )
);
.

ysc3839

Quote from: . on Jun 17, 2016, 10:16 AMChrist man. Who dafuq uses that many concatenations? Why can't you use functions like format() to make the query? Easier to spot the syntax errors.

Besides, the official plugin does not report query errors. Which means you must manually execute the query in a program that can locate the error or use an alternate SQLite plugin.

Either way, no one has the patience and time to look through all that crap to find your missing quote or comma. You dug this hole yourself. Now you get out of it.

Integers in quotes? Who does that. (thankfully sqlite does implicit conversions).

QuerySQL(sqliteDB,
    format(@"UPDATE [Accounts] SET
        [Cash]=%i,
        [Bank]=%i,
        [Kills]=%i,
        [Deaths]=%i,
        [Level]=%i,
        [LastUsedIP]='%s'
        WHERE [Name]='%s' AND [NameLower]='%s';",
        Cash,
        Bank,
        Kills,
        Deaths,
        Level,
        LastUsedIP,
        player.Name,
        player.Name.tolower()
    )
);
I suggest using SQL bind, which can prevent SQL injection.

.

Quote from: ysc3839 on Jun 17, 2016, 10:26 AMI suggest using SQL bind, which can prevent SQL injection.

That's what I use, but unfortunately neither SQLite plugin has that functionality :D
.

vito

Good point about injections in vc-mp... currently the only way I know is to remove any quote symbols and backslashes.

KAKAN

Quote from: vito on Jun 17, 2016, 01:16 PMGood point about injections in vc-mp... currently the only way I know is to remove any quote symbols and backslashes.
escapeSQLString. Though, I believe you don't need this for an average VCMP player. They will just play, they don't have an intention to hax :D
oh no
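The three approaches discussed above (splicing values into the SQL text with concatenation or format(), escaping strings before splicing, and binding parameters) behave differently once a player name contains a single quote. The following is an added example, not code from the thread or from any VC:MP plugin; it uses Python's sqlite3 module because the plugin API discussed here has no bind support, and the mechanism is the same on any SQLite client. The schema, the sample accounts and the `escape_sql_string` helper (a stand-in for the escapeSQLString mentioned above) are all constructed for this example:

```python
import sqlite3

# Constructed in-memory schema; column names follow the thread's Accounts table.
SCHEMA = """
CREATE TABLE Accounts (
    Name      TEXT PRIMARY KEY,
    NameLower TEXT NOT NULL,
    Cash      INTEGER NOT NULL DEFAULT 0
);
"""

def fresh_db():
    """New in-memory database with a few constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO Accounts (Name, NameLower, Cash) VALUES (?, ?, ?)",
        [("Admin", "admin", 0), ("O'Neil", "o'neil", 0), ("Back\\slash", "back\\slash", 0)],
    )
    db.commit()
    return db

def escape_sql_string(value):
    """Hypothetical stand-in for escapeSQLString: in an SQLite string literal only the
    single quote is special, and it is escaped by doubling it. Backslash is not an
    escape character in SQLite, so it needs no treatment."""
    return value.replace("'", "''")

def update_cash_concat(db, name, cash):
    """The thread's concatenation pattern: the name is spliced into the SQL text as-is,
    so any quote in it changes the statement instead of being stored as data."""
    sql = ("UPDATE Accounts SET Cash='" + str(cash) + "' WHERE Name='" + name
           + "' AND NameLower='" + name.lower() + "'")
    db.execute(sql)
    db.commit()

def update_cash_escaped(db, name, cash):
    """Fallback when the driver offers no binding: escape every string before splicing
    and keep integers unquoted (the %i point made above)."""
    sql = "UPDATE Accounts SET Cash=%d WHERE Name='%s' AND NameLower='%s'" % (
        int(cash), escape_sql_string(name), escape_sql_string(name.lower()))
    db.execute(sql)
    db.commit()

def update_cash_bound(db, name, cash):
    """Preferred: parameters travel separately from the SQL text, so the statement
    cannot be altered by the data no matter what characters it contains."""
    db.execute("UPDATE Accounts SET Cash=? WHERE Name=? AND NameLower=?",
               (int(cash), name, name.lower()))
    db.commit()

def cash_of(db, name):
    row = db.execute("SELECT Cash FROM Accounts WHERE Name=?", (name,)).fetchone()
    return row[0] if row else None

def demo(name, cash):
    """Runs all three variants on a fresh database each and returns
    (concat_outcome, escaped_cash, bound_cash). The concat outcome is the stored
    value on success or an 'error: ...' string when SQLite rejects the statement."""
    results = []
    db = fresh_db()
    try:
        update_cash_concat(db, name, cash)
        results.append(cash_of(db, name))
    except sqlite3.OperationalError as exc:
        results.append("error: " + str(exc))
    db = fresh_db()
    update_cash_escaped(db, name, cash)
    results.append(cash_of(db, name))
    db = fresh_db()
    update_cash_bound(db, name, cash)
    results.append(cash_of(db, name))
    return tuple(results)

if __name__ == "__main__":
    for player in ("Admin", "O'Neil", "Back\\slash"):
        print(player, demo(player, 50))
```

For a plain name all three variants store the same value (the quoted '50' in the concatenated version only works because the INTEGER column converts it). For O'Neil the concatenated statement is rejected with a syntax error, which is the silent failure the first reply warns about, since the plugin does not report query errors; the escaped and bound versions both store 50. The backslash name goes through all three unchanged, showing that in SQLite only the quote needs handling when no bind API is available.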

ysc3839

Quote from: KAKAN on Jun 17, 2016, 01:41 PM
Quote from: vito on Jun 17, 2016, 01:16 PMGood point about injections in vc-mp... currently the only way I know is to remove any quote symbols and backslashes.
escapeSQLString. Though, I believe you don't need this for an average VCMP player. They will just play, they don't have an intention to hax :D
escapeSQLString is OK. But SQL bind is more convenient.

KAKAN

Quote from: ysc3839 on Jun 17, 2016, 02:14 PM
Quote from: KAKAN on Jun 17, 2016, 01:41 PM
Quote from: vito on Jun 17, 2016, 01:16 PMGood point about injections in vc-mp... currently the only way I know is to remove any quote symbols and backslashes.
escapeSQLString. Though, I believe you don't need this for an average VCMP player. They will just play, they don't have an intention to hax :D
escapeSQLString is OK. But SQL bind is more convenient.
I don't even think that SQL Bind is needed for VCMP( unless SLC plays )
oh no

ysc3839

Quote from: KAKAN on Jun 17, 2016, 04:15 PM
Quote from: ysc3839 on Jun 17, 2016, 02:14 PM
Quote from: KAKAN on Jun 17, 2016, 01:41 PM
Quote from: vito on Jun 17, 2016, 01:16 PMGood point about injections in vc-mp... currently the only way I know is to remove any quote symbols and backslashes.
escapeSQLString. Though, I believe you don't need this for an average VCMP player. They will just play, they don't have an intention to hax :D
escapeSQLString is OK. But SQL bind is more convenient.
I don't even think that SQL Bind is needed for VCMP( unless SLC plays )
I disagree. :(

EK.IceFlake

Well...
I was playing on my server and it was a fresh install, so I had to make myself admin... I didn't want SQLite browser, so I tried injecting the code... didn't work :(
I typed: /saveloc '; update players set level=24 where lower(name)='ext-d.crysta;blue';--
no luck :(
I didn't have any SQLite injection protection

ysc3839

Quote from: ext-d.CrystalBlue on Jun 18, 2016, 06:56 AMWell...
I was playing on my server and it was a fresh install, so I had to make myself admin... I didn't want SQLite browser, so I tried injecting the code... didn't work :(
I typed: /saveloc '; update players set level=24 where lower(name)='ext-d.crysta;blue';--
no luck :(
I didn't have any SQLite injection protection
Show your /saveloc code.

Thijn

And show your database structure.