Adding to a row with MySQLOO?

Hey guys, I'm trying to extract data from my database to then add to it, so I can add a value from the client onto an existing value in the database.

Here's my code:


net.Receive("updatePoints", function(len, ply)
	local points = net.ReadInt(32)
	local name = net.ReadString()
	local plysteamid = net.ReadString()
	local dbPoints
	getCurrPoints = ULXDatabaseObject:query("SELECT `points` FROM `users` WHERE `steamid`='"..plysteamid.."'")

	function getCurrPoints:onSuccess(data2)
		pointQuery = ULXDatabaseObject:query("UPDATE `users` SET `points`='" ..data2[1] + points.. "' WHERE `steamid`='"..plysteamid.."'")
		pointQuery:start()
		pointQuery:wait()
	end

	function getCurrPoints:onError(err, sql)
		print("query errored")
		print("Query:", sql)
		print("Error:", err)
	end

	getCurrPoints:start()
	getCurrPoints:wait()
end)

However I get an error about trying to perform arithmetic on a table. I've tried setting another variable like so:


local test = data2[1]

in the query on success function, however I still get the same error, so I've been moving code around in an attempt to get it working.

Please can someone help!

Thanks in advance!

Don’t you need to index the table as data2[1].points, considering you’re specifically selecting points from the database?

It basically looks like this:



data2 = {
    [1] = {
        points = <value>
    }
}

Mista Tea is right.

But, the method you are posting is very exploitable.

Someone could spoof the net message and inject SQL, or send in an absurd amount of points with the net message.

For one, on any string you are inserting into your MySQL database (at least ones received by the client) you want to escape it, and make sure it’s safe to use in a query. You can do this with MySQLOO like so:



local safeString = databaseobject:escape(stringhere);


So:



net.Receive("updatePoints", function(len, ply)
	local points = net.ReadInt(32) -- You should NEVER trust anything sent from the client. Instead you should store the point value on the server only
	local name = net.ReadString()
	local plysteamid = ULXDatabaseObject:escape(net.ReadString()) -- Why even receive the steamid though? If it's coming from the person you want to update you have ply that's put in the receive function, so just do ply:SteamID()
	local dbPoints
	getCurrPoints = ULXDatabaseObject:query("SELECT `points` FROM `users` WHERE `steamid`='"..plysteamid.."'")

	function getCurrPoints:onSuccess(data2)
		if not data2 or not data2[1] then return end -- No data
		pointQuery = ULXDatabaseObject:query("UPDATE `users` SET `points`='" ..data2[1].points + points.. "' WHERE `steamid`='"..plysteamid.."'")
		pointQuery:start()
		pointQuery:wait()
	end

	function getCurrPoints:onError(err, sql)
		print("query errored")
		print("Query:", sql)
		print("Error:", err)
	end

	getCurrPoints:start()
	getCurrPoints:wait()
end)


But really though, you should never trust any values sent in from the client. You should store the points on the server, and never have the client modify points clientside, and send an update in to the server. Instead, you should do it like so:
Say the client wishes to sell a weapon to a shop. Both the server and the client should know how much the client will receive from selling it to the shop.

So then when the client goes to sell it, it should send a request TO the server to sell it (with info on what/who you’re selling to). The server then receives the request, looks up the price it should sell for and gives the points to the player, running the script above and sending an update to the client.
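
The server-authoritative sell flow described in the last reply, as an added example that is not code from the thread. The net message names `sellItem` and `pointsUpdated`, the `SHOP_PRICES` table and its item ids are hypothetical; `ULXDatabaseObject` is the connected MySQLOO database from the posts above. It also goes one step further than the thread by doing the increment inside the UPDATE, so no SELECT is needed first.

```lua
-- Server-side script (added example). Hypothetical names: "sellItem",
-- "pointsUpdated", SHOP_PRICES and its item ids.
util.AddNetworkString("sellItem")
util.AddNetworkString("pointsUpdated")

-- Prices live on the server only; the client never sends a point value.
local SHOP_PRICES = {
	crowbar = 50,
	pistol = 200,
}

-- Build the UPDATE from server-side values only. The increment happens in SQL,
-- so there is no SELECT-then-UPDATE window for two requests to race in.
local function buildAddPointsSQL(db, steamid, amount)
	return string.format(
		"UPDATE `users` SET `points` = `points` + %d WHERE `steamid` = '%s'",
		amount, db:escape(steamid))
end

net.Receive("sellItem", function(len, ply)
	-- The only client-supplied value; used as a table key, never placed in SQL.
	local itemId = net.ReadString()
	local price = SHOP_PRICES[itemId]
	if not price then return end -- unknown item: ignore the request

	-- A real shop would also confirm here that ply owns itemId and remove it.

	-- The SteamID comes from the sending player object, not from the message.
	local q = ULXDatabaseObject:query(
		buildAddPointsSQL(ULXDatabaseObject, ply:SteamID(), price))

	function q:onSuccess()
		if not IsValid(ply) then return end -- player left before the query finished
		net.Start("pointsUpdated")
		net.WriteInt(price, 32) -- tell the client how much was added
		net.Send(ply)
	end

	function q:onError(err, sql)
		print("addPoints failed:", err, sql)
	end

	q:start() -- asynchronous; no wait(), so the server does not block on the database
end)
```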