
Strange problem with execute. #3

Open
SzymoonDev opened this issue Dec 27, 2017 · 15 comments

Comments

@SzymoonDev

SzymoonDev commented Dec 27, 2017

Hi, before I start, I want to say that I tried everything to fix it, but Skript fooled me and I have no idea what's going on...
execute "SELECT * FROM playerdata WHERE playername = 'SzymoonPL';" in {mysql} and store the result in {_output::*}
set {_final} to {_output::playername::1}
broadcast "%{_final}%"
This code works correctly, but... When I replace my nickname with a variable, or type event-player or player, this code stops working.
execute "SELECT * FROM playerdata WHERE playername = '%{_p}%';" in {mysql} and store the result in {_output::*}
set {_final} to {_output::playername::1}
broadcast "%{_final}%"
In the first situation, the variable displays my name, but in the second - still appears <none>.

Idk what happened, my brain exploded...
If you still don't understand, I'll try to explain more.
Hold on and Happy New Year :)

@Snow-Pyon

Snow-Pyon commented Dec 27, 2017

Remove the single quotes around the variable, skript-db will handle that for you.

@SzymoonDev
Author

@Snow-Pyon still not working, this is not a problem.

@SzymoonDev
Author

SzymoonDev commented Dec 27, 2017

Last sql error: Parameter index out of range (3 > number of parameters, which is 2).
I don't understand this.

@btk5h
Owner

btk5h commented Dec 27, 2017

What code are you using? Did you try

execute "SELECT * FROM playerdata WHERE playername = %{_p}%" in {mysql} and store the result in {_output::*}

@SzymoonDev
Author

SzymoonDev commented Dec 28, 2017

Yes, I tried all the possibilities. Your code also isn't working. Still the same error:
Parameter index out of range (3 > number of parameters, which is 2).

Maybe the error applies to this code:
execute "INSERT INTO playerdata(playername, registertime, lastlogintime, antybotstatus) VALUES (%{_p}%, null, null, false)" in {mysql}

Database structure: https://scr.hu/el1MJ0

I've used skellett before, but on version 1.12.X, skellett's mysql isn't working.
This code previously worked.

@btk5h
Owner

btk5h commented Dec 28, 2017

Wait, does this mean you're not sure which line of code is causing this error?

@SzymoonDev
Author

SzymoonDev commented Dec 28, 2017

I checked this. These two codes evoke this error.
First, I run the server without this code:
execute "SELECT * FROM playerdata WHERE playername = '%{_p}%';" in {mysql} and store the result in {_output::*}
last sql error shows: Parameter index out of range (3 > number of parameters, which is 2).

Then I run the server without this code:
execute "INSERT INTO playerdata(playername, registertime, lastlogintime, antybotstatus) VALUES (%{_p}%, null, null, false)" in {mysql}
last sql error shows: Parameter index out of range (3 > number of parameters, which is 2).

I don't know what I'm doing wrong.

@SzymoonDev
Author

When will the problem be fixed?

@SzymoonDev
Author

execute "INSERT INTO playerdata(playername, registertime, lastlogintime, antybotstatus) VALUES ('SzymoonPL', 'null', 'null', false);" in {mysql} - this code works, but when I replace 'SzymoonPL' with, for example, '%{_p}%', the last sql error shows: Invalid argument value: java.io.NotSerializableException

@Helomi

Helomi commented Feb 25, 2018

UP

@gp-Airee

This is still a problem. In my case, running this yields the error:
execute "update purgatory set blocks=26 where uuid='%player's uuid%'" in {sql}

@github-usrname

https://www.w3schools.com/sql/
Here you can Learn WHY and HOW SQL Works
OR
https://www.php.net/manual/en/function.mysql-query.php

This is From the Owners of MYSQL n PHP
i understand that's way bigger than your Plugin , but THIS IS REALLY an ISSUE
Everyone MUST USE >>> QUOTES in their Arguments that they are Trying to
INSERT / UPDATE into MYSQL
Without them This Will Result into NOTHING literally
for Example try Coding in Java without " STATIC VOID " OR " INCLUDE " && BRACKETS (you know [] {} () )

@btk5h
Owner

btk5h commented Feb 5, 2020

@github-usrname This addon is a wrapper around Java's prepared statements. I understand that the semantics of how skript-db inlines parameters may be a bit confusing, but the goal is to ultimately prevent users from accidentally leaving themselves vulnerable to SQL injection attacks, which can happen when naively concatenating strings to form SQL queries.

You can already opt-out of this behavior by using unsafe, but a major design goal of this addon is to be secure by default.
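The mechanism btk5h describes, a wrapper that turns each inlined value into a prepared-statement parameter, is illustrated below with an added example that is not part of skript-db or of this issue. Python's sqlite3 module stands in for Java's JDBC prepared statements; the `?` placeholder plays the role a skript-db expression takes after inlining. Three variants are compared: the placeholder left unquoted (the value is bound by the driver, which also handles quoting); the placeholder wrapped in single quotes, which turns it into a literal one-character string so the driver counts fewer parameters than values supplied, the same kind of mismatch the "Parameter index out of range" message reports (that reading of the error is an assumption, not something the thread confirms); and naive string concatenation, where a name containing an apostrophe is enough to break the query. The table name and columns are constructed to match the SQL quoted in the thread.

```python
import sqlite3


def setup():
    """Build a constructed in-memory table shaped like the thread's 'playerdata'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE playerdata ("
        "playername TEXT, registertime TEXT, lastlogintime TEXT, antybotstatus INTEGER)"
    )
    # Unquoted placeholder: the driver binds the value and handles any quoting.
    conn.execute(
        "INSERT INTO playerdata VALUES (?, NULL, NULL, 0)", ("SzymoonPL",)
    )
    return conn


def lookup_parameterized(conn, name):
    """Correct form: ? is a parameter, never placed inside quotes."""
    row = conn.execute(
        "SELECT playername FROM playerdata WHERE playername = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def lookup_quoted_placeholder(conn, name):
    """Broken form: '?' is a string literal, so the statement declares 0
    parameters while 1 value is supplied. Returns the driver's error text."""
    try:
        conn.execute(
            "SELECT playername FROM playerdata WHERE playername = '?'", (name,)
        )
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return None


def lookup_concatenated(conn, name):
    """Naive string building: user input becomes part of the SQL text.
    Returns the matching names, or the error text when the input breaks
    the statement (an apostrophe in the name is enough)."""
    sql = f"SELECT playername FROM playerdata WHERE playername = '{name}'"
    try:
        return [r[0] for r in conn.execute(sql).fetchall()]
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = setup()
    print("parameterized:", lookup_parameterized(db, "SzymoonPL"))
    print("parameterized, apostrophe:", lookup_parameterized(db, "O'Brien"))
    print("quoted placeholder:", lookup_quoted_placeholder(db, "SzymoonPL"))
    print("concatenated:", lookup_concatenated(db, "SzymoonPL"))
    print("concatenated, apostrophe:", lookup_concatenated(db, "O'Brien"))
```

The parameterized lookup returns the stored row for `SzymoonPL` and simply returns nothing for `O'Brien`, because the apostrophe is data, not syntax. The quoted-placeholder lookup fails before any row is read with a binding-count error, and the concatenated lookup fails on the apostrophe, which is the class of problem a parameter-binding wrapper exists to remove.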

@github-usrname

github-usrname commented Feb 6, 2020

check your @mail

@btk5h
Owner

btk5h commented Feb 6, 2020

@github-usrname, harassing me by email won't get you anywhere. If you want to have a civilized discussion, we can have one here or in a new issue. I'm not going to bother reading an angry comment left by someone who clearly doesn't want to cooperate.
