Store player informations with MySQL.

**ebusiangamers** · 5th July 2015, 16:04

Originally Posted by IzNoGoD

1. If i'd name myself "Iz'; SELECT password FROM mysql.user; --" i could potentially get the (encrypted) password. This is called a mysql injection and you might have heard about a lot of sites falling prey to one of those
2. You ofcourse need to specify the key that can be duplicate, for example in this current database structure, the guid() is the primary index, so that can be duplicate (also UNIQUE indexes can be duplicates), so, do something liek this: "INSERT INTO table (guid, fieldname) VALUES (" + getguid() + ", value_for_fieldname) ON DUPLICATE KEY UPDATE fieldname=value_for_fieldname
3. You could manually add it. Async mysql is just a function in libcod which is opensource, just as codextended is open source (right?)
5. see 2. in this answer, but you should have specified it using VALUES (guid, fieldvalue)

1. Understood.
2. I modified the script as below. Please post the corrected script if it is still incorrect (I need a reference to learn).
3. I dont have enough knowledge to do such thing: learning need time which I dont have now.
5. Understood.

Here are the modified functions with the updated table:

PHP Code:


set_db_field(fieldname, value) 
{
    /*if(isDefined(self.isbot))
        return;*/
    
    query = "SELECT * FROM `"+level.table+"` WHERE `user_guid`= '"+self.guid+"' LIMIT 1";
    mysql_query(level.mysql_connection, query);
    r = mysql_store_result(level.mysql_connection);
    num = mysql_num_fields(r);
    if(num != 0) {
        row = mysql_fetch_row(r);
        if(isdefined(row)) {
            mysql_query(level.mysql_connection, "UPDATE `"+ level.table +"` SET `"+fieldname+"`='"+value+"' WHERE `user_guid`= '"+self.guid+"' LIMIT 1");
        }
        else{
            mysql_query(level.mysql_connection, "INSERT INTO `"+level.table+"`(`user_guid`, `"+fieldname+"`) VALUES ('"+self.guid+"', '"+value+"') ON DUPLICATE KEY UPDATE `"+fieldname+"`='"+value+"'");
        }
    }
    else{
            mysql_query(level.mysql_connection, "INSERT INTO `"+level.table+"`(`user_guid`, `"+fieldname+"`) VALUES ('"+self.guid+"', '"+value+"')");
    }
    mysql_free_result(r);
}

PHP Code:


get_db_field(fieldname) {
    
    if(isDefined(self.isbot))
        return 0;
    
    if(fieldname == "user_guid"){
        secondary = "user_name"; secondary_value = self.name;
    }
    else{
        secondary = "user_guid"; secondary_value = self.guid;
    }
    
    ret = "";
    query = "SELECT * FROM `"+level.table+"` WHERE `user_guid`= '"+self.guid+"' LIMIT 1";
    mysql_query(level.mysql_connection, query);
    r = mysql_store_result(level.mysql_connection);
    ret = r;
    num = mysql_num_fields(r);
    if(num != 0) {
        row = mysql_fetch_row(r);
        if(isdefined(row)) {
            mysql_query(level.mysql_connection, "SELECT `"+fieldname+"` FROM `"+level.table+"` WHERE `user_guid`= '"+self.guid+"' LIMIT 1");
            r2=mysql_store_result(level.mysql_connection);
            ret = r2;
            if(mysql_num_fields(r2) > 0) {
                row2=mysql_fetch_row(r2); 
                if(isdefined(row2)) {
                    if(isdefined(row2[0])) {
                        //printconsole("row2="+row2[0]+"\n");
                        ret = row2[0];
                    }
                }
            }
            mysql_free_result(r2); 
        }
    }
    mysql_free_result(r);
    return ret;
}

New table: https://mega.co.nz/#!M5R30Y5Q!ETkfTG...rFMxLHjuq6XbwM

The funny thing is that the uploaded informations are wrong with human players while it is true with bot players. I doubt this is due to mysql (as showed before), not the variables.
Another

Thread: Store player informations with MySQL.

Thread Tools

Search Thread

Display

Threaded View

Posting Permissions