Jump to content

Question About Mysql DB Functions


Rouzbeh

Recommended Posts

hi, if i understand right, both dbQuery and executeSQLQuery can use for SELECT data from table and in executeSQLQuery sql injection is impossible but what about dbQuery? is it important i use executeSQLQuery for SELECT or i can do that with dbQuery safe too?

and which is better for SELECT ?

Link to comment
both are working good but the db functions are new , i advise you to use dbQuery , and this tutorial might help you viewtopic.php?f=148&t=38203

very thanks for link, but my question is: is it sql injection possible in using dbQuery?

for example:

local qh = dbQuery( connection, "SELECT * FROM users WHERE name=?", playerName ) 
local result = dbPoll( qh, -1 ) 

if playerName contain a special/harmful word, is sql injection possible here?

Link to comment
both are working good but the db functions are new , i advise you to use dbQuery , and this tutorial might help you viewtopic.php?f=148&t=38203

very thanks for link, but my question is: is it sql injection possible in using dbQuery?

for example:

local qh = dbQuery( connection, "SELECT * FROM users WHERE name=?", playerName ) 
local result = dbPoll( qh, -1 ) 

if playerName contain a special/harmful word, is sql injection possible here?

Using code such as:

local qh = dbQuery( connection, "SELECT * FROM users WHERE name=?", playerName ) 

will prevent SQL injection, but if you wrote it such as:

local qh = dbQuery( connection, "SELECT * FROM users WHERE name='"..playerName.."'" ) 

then it could cause SQL injection.

Basically, using the '?' with dbQuery prevents SQL injection.

Link to comment

They're not the same at all. executeSQLQuery acts on registry.db only, it can't manipulate other SQL databases, so it's only SQLite obviously.

dbQuery on the other hand can open other databases and supports both MySQL and SQLite. Just don't use executeSQLQuery.

Link to comment
They're not the same at all. executeSQLQuery acts on registry.db only, it can't manipulate other SQL databases, so it's only SQLite obviously.

dbQuery on the other hand can open other databases and supports both MySQL and SQLite. Just don't use executeSQLQuery.

I didn't know that. Interesting. May I ask what the purpose of registry.db is? I opened it and it was empty.

Also, it should specify that it only works with registry.db on the wiki.

I added it to the wiki.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...