@Xmair You are the best one. Help me, I'm happy and I have learned now.
Please @Xmair give me an example, bro :( I never, never, never, never, never, never understand anything.

I find it admirable that you thought of escaping the strings before doing the select query, but you should've also escaped the name in the update query. Otherwise, BAD things can happen...

Imagine you have a command /gotoloc which executes the following query:
"SELECT XYZ FROM Locations WHERE Name = '" + locationName + "'"
where locationName is a string input by the user in the gotoloc command. Imagine there's a bad guy who uses /gotoloc '; DROP TABLE Accounts; instead of a location; this'll get executed:
"SELECT XYZ FROM Locations WHERE Name = ''; DROP TABLE Accounts;"
This'll ultimately execute both of the queries as there is a semicolon right after the SELECT query. To avoid this, you use mysql_escape in mySQL and escapeSQLString in SQLite.
You must be using SQLite, so I'm going to put up an example which can be used with the default SQLite plugin for VCMP.
// Unsafe: locationName is spliced straight into the SQL text
QuerySQL( database, "SELECT XYZ FROM Locations WHERE Name = '" + locationName + "'" );
// Escaped: quotes inside locationName are escaped before the string is built
QuerySQL( database, "SELECT XYZ FROM Locations WHERE Name = '" + escapeSQLString( locationName ) + "'" );
Simple, isn't it? I've tried my best to explain it as easily as I could; if you still don't get it, meh.
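The same /gotoloc lookup in Python's sqlite3 module, as an added example that is not from the thread or the VCMP plugin: it builds the concatenated string the post describes, then runs the lookup and the account update with bound parameters instead, so the payload from the post is treated as plain data and the Accounts table survives. The table layout and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample schema: stand-ins for the Locations and Accounts
# tables the thread talks about (not the real VCMP script's schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Locations (Name TEXT PRIMARY KEY, XYZ TEXT);
        CREATE TABLE Accounts (Name TEXT PRIMARY KEY, Cash INTEGER);
        INSERT INTO Locations VALUES ('bank', '123.0 456.0 7.0');
        INSERT INTO Accounts VALUES ('player1', 500);
    """)
    return db

def build_unsafe_query(location_name):
    # The concatenation from the post: whatever the player typed becomes
    # part of the SQL text, so a quote in the input ends the string early.
    return "SELECT XYZ FROM Locations WHERE Name = '" + location_name + "'"

def goto_loc(db, location_name):
    # Bound parameter: the value travels separately from the SQL text and
    # is never parsed as SQL, however many quotes or semicolons it holds.
    row = db.execute(
        "SELECT XYZ FROM Locations WHERE Name = ?", (location_name,)
    ).fetchone()
    return row[0] if row else None

def rename_account(db, old_name, new_name):
    # The UPDATE that the other reply says needs the same care as the SELECT.
    cur = db.execute(
        "UPDATE Accounts SET Name = ? WHERE Name = ?", (new_name, old_name)
    )
    db.commit()
    return cur.rowcount

def table_exists(db, table):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    bad_input = "'; DROP TABLE Accounts;"
    print(build_unsafe_query(bad_input))   # the broken query from the post
    print(goto_loc(db, bad_input))        # None: looked up literally, no match
    print(table_exists(db, "Accounts"))   # True: nothing was dropped
```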
Thanks for helping my friend :D