Rouzbeh, posted February 22, 2015:
Hi, if I understand right, both dbQuery and executeSQLQuery can be used to SELECT data from a table, and with executeSQLQuery SQL injection is impossible, but what about dbQuery? Is it important that I use executeSQLQuery for SELECT, or can I do that safely with dbQuery too? And which is better for SELECT?
LaCosTa, posted February 22, 2015:
Both are working well, but the db functions are new; I advise you to use dbQuery, and this tutorial might help you: viewtopic.php?f=148&t=38203
Rouzbeh (author), posted February 22, 2015:
> Both are working well, but the db functions are new; I advise you to use dbQuery, and this tutorial might help you: viewtopic.php?f=148&t=38203
Thanks very much for the link, but my question is: is SQL injection possible when using dbQuery? For example:

local qh = dbQuery( connection, "SELECT * FROM users WHERE name=?", playerName )
local result = dbPoll( qh, -1 )

If playerName contains a special/harmful word, is SQL injection possible here?
xXMADEXx, posted February 22, 2015:
> > Both are working well, but the db functions are new; I advise you to use dbQuery, and this tutorial might help you: viewtopic.php?f=148&t=38203
> Thanks very much for the link, but my question is: is SQL injection possible when using dbQuery? For example:
>
> local qh = dbQuery( connection, "SELECT * FROM users WHERE name=?", playerName )
> local result = dbPoll( qh, -1 )
>
> If playerName contains a special/harmful word, is SQL injection possible here?
Using code such as:

local qh = dbQuery( connection, "SELECT * FROM users WHERE name=?", playerName )

will prevent SQL injection, but if you wrote it such as:

local qh = dbQuery( connection, "SELECT * FROM users WHERE name='"..playerName.."'" )

then it could cause SQL injection. Basically, using the '?' with dbQuery prevents SQL injection.
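An added example, not code from this thread or from MTA itself, contrasting the concatenated query quoted above with the placeholder form in server-side MTA:SA Lua. The "users.db" file, the users(name, kills) table and the sort-column whitelist are assumptions made for the example.

```lua
-- Open the resource's own SQLite file ("users.db" and the users(name, kills)
-- table are assumptions made for this example).
local connection = dbConnect("sqlite", "users.db")

-- UNSAFE, as quoted in the thread: the name is spliced into the SQL text.
-- A legitimate name such as O'Brien already breaks the statement
-- (... WHERE name='O'Brien'), and a crafted name can change what it does.
local function findUserUnsafe(playerName)
    local qh = dbQuery(connection,
        "SELECT * FROM users WHERE name='" .. playerName .. "'")
    -- dbPoll with timeout -1 also blocks the whole server until the query ends.
    return dbPoll(qh, -1)
end

-- SAFE: each '?' is bound by dbQuery itself, so the value is always data and
-- never SQL. The callback form lets the server keep running meanwhile.
local function findUser(playerName, onResult)
    dbQuery(function(qh)
        -- Inside the callback the result is ready: dbPoll(qh, 0) returns the
        -- rows (false on error) and releases the handle.
        onResult(dbPoll(qh, 0))
    end, connection, "SELECT * FROM users WHERE name=?", playerName)
end

-- Placeholders bind values only. Anything that must be SQL syntax, such as a
-- column name chosen by the client, is checked against a fixed whitelist.
local ALLOWED_SORT = { kills = true, name = true }
local function topUsers(sortColumn, onResult)
    if not ALLOWED_SORT[sortColumn] then
        sortColumn = "kills"
    end
    dbQuery(function(qh)
        onResult(dbPoll(qh, 0))
    end, connection,
        "SELECT name, kills FROM users ORDER BY " .. sortColumn .. " DESC LIMIT ?", 10)
end

addEventHandler("onPlayerJoin", root, function()
    -- 'source' is only valid during the event; capture it before the async callback.
    local player = source
    findUser(getPlayerName(player), function(rows)
        if rows and #rows > 0 then
            outputChatBox("Welcome back, " .. rows[1].name, player)
        end
    end)
end)
```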
Rouzbeh (author), posted February 22, 2015:
Good, and another question: what is the difference between using dbQuery and executeSQLQuery?
Noki, posted February 22, 2015:
executeSQLQuery returns a table (that is, if you used SELECT as an argument). If you didn't use SELECT as an argument, it will return false. dbQuery returns a query handle. You must then use it in conjunction with dbPoll or dbFree.
JR10, posted February 22, 2015:
They're not the same at all. executeSQLQuery acts on registry.db only; it can't manipulate other SQL databases, so it's only SQLite, obviously. dbQuery, on the other hand, can open other databases and supports both MySQL and SQLite. Just don't use executeSQLQuery.
Noki, posted February 22, 2015:
> They're not the same at all. executeSQLQuery acts on registry.db only; it can't manipulate other SQL databases, so it's only SQLite, obviously. dbQuery, on the other hand, can open other databases and supports both MySQL and SQLite. Just don't use executeSQLQuery.
I didn't know that. Interesting. May I ask what the purpose of registry.db is? I opened it and it was empty. Also, the wiki should specify that it only works with registry.db. I added it to the wiki.
JR10, posted February 22, 2015:
Before we could create and query custom databases, there was only one SQLite database for a server, the registry.db database. And to query MySQL databases you had to use modules.