MySQL Escape String & Prepared Statements

My first question would be is there any module/function that allows prepared statements? If not, for example, would the following MySQL statement’s string need to be escaped?

-- expires is 0 when the exemption never runs out, 1 otherwise
local isForever = (expireTime == nil or expireTime == "forever") and 0 or 1
local query = "INSERT INTO exempt (player, steamid, type, admin, expires, expire_time, reason, time) VALUES ('" .. player.GetBySteamID(targetPly) .. "', '" .. targetPly .. "', '" .. type .. "', '" .. callingPly:Nick() .. "', " .. isForever .. ", " .. CheckTime(expireTime) .. ", '" .. reason .. "', " .. os.time() .. ")"

If someone could explain how this stops someone from doing something malicious, that would be great because I’ve always used prepared statements instead of escaped strings.

http://forum.facepunch.com/showthread.php?t=1515853

gmsv_mysqloo v9 will do both.

Also, why are you storing a player entity in a database (or the string of it rather)?

You’ll want to escape the player name, reason, any text fields that are coming from a user.
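The two approaches the replies mention, written out as an added example rather than code from this thread. It assumes gmsv_mysqloo v9's db:escape / db:prepare API, the original poster's own CheckTime helper (returning a number) and callingPly variable, the table and column names from the post, and placeholder host and credentials.

```lua
-- Added example (not code from the thread). Assumes gmsv_mysqloo v9 is loaded,
-- that CheckTime() is the original poster's helper returning a number, and that
-- callingPly is the admin running the command. Host/credentials are placeholders.
require("mysqloo")

local db = mysqloo.connect("127.0.0.1", "DB_USER", "DB_PASSWORD", "gmod", 3306)

-- `expires` is 0 for a permanent exemption, 1 otherwise.
local function expiresFlag(expireTime)
    return (expireTime == nil or expireTime == "forever") and 0 or 1
end

-- Option 1: manual escaping. Every user-controlled string goes through
-- db:escape() (mysql_real_escape_string underneath, so ' becomes \' and
-- \ becomes \\) AND is wrapped in single quotes in the SQL text. The escape
-- only works together with those quotes; numeric columns are not escaped at
-- all, they are formatted with %d so only a number can end up in the query.
local function insertExemptEscaped(steamid, name, exemptType, adminNick, expireTime, reason)
    local sql = string.format(
        "INSERT INTO exempt (player, steamid, type, admin, expires, expire_time, reason, time) " ..
        "VALUES ('%s', '%s', '%s', '%s', %d, %d, '%s', %d)",
        db:escape(name), db:escape(steamid), db:escape(exemptType), db:escape(adminNick),
        expiresFlag(expireTime), CheckTime(expireTime), db:escape(reason), os.time())
    local q = db:query(sql)
    q.onError = function(_, err) print("exempt insert failed: " .. err) end
    q:start()
end

-- Option 2: prepared statement. The SQL text holds only ? placeholders; the
-- values are sent separately and the server never parses them as SQL, so a
-- reason or name containing a quote (e.g. "don't grief", "O'Neil") cannot
-- change the statement. No escaping step to forget.
local function insertExemptPrepared(steamid, name, exemptType, adminNick, expireTime, reason)
    local q = db:prepare(
        "INSERT INTO exempt (player, steamid, type, admin, expires, expire_time, reason, time) " ..
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)")
    q:setString(1, name)
    q:setString(2, steamid)
    q:setString(3, exemptType)
    q:setString(4, adminNick)
    q:setNumber(5, expiresFlag(expireTime))
    q:setNumber(6, CheckTime(expireTime))
    q:setString(7, reason)
    q:setNumber(8, os.time())
    q.onError = function(_, err) print("exempt insert failed: " .. err) end
    q:start()
end

db.onConnected = function()
    -- Constructed sample call: look the target up by SteamID and store the
    -- player's name (not the entity) in the `player` column.
    local target = player.GetBySteamID("STEAM_0:0:12345")  -- constructed SteamID
    if not target then return end
    insertExemptPrepared(target:SteamID(), target:Nick(), "ban",
        callingPly:Nick(), "forever", "don't grief")
end
db:connect()
```

The escaped variant is only safe when every text value is both escaped and quoted and every numeric value is forced to a number; drop either and a single apostrophe in a reason breaks the query, which is the same mechanism an attacker abuses. The prepared variant removes that per-field discipline, which is why the question's preference for prepared statements is the better default.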

Thanks for pointing out that I wasn’t storing the player’s name. I wouldn’t have caught that.