joining c variable with mysql

#1  shreevidya  Feb 7th, 2008
Hi,

I am learning to work with MySQL and C. I want to select a particular row from the database which must be equal to a variable, and the variable should be given by the user. The program is in C, where I use the C API to connect to the SQL database. How do I join the SQL SELECT statement with the C variable which has the value based on which the SELECT command should work?

Please help.

Thanks
#2  trudge  Feb 10th, 2008
Show us what you have tried so far.

You should ALWAYS sanitize user-supplied data before doing a SELECT to avoid SQL injection exploits.
Amer Neely - Web Mechanic
"Others make web sites. We make web sites work!"
#3  gerard4143  Feb 10th, 2008
Just build a character array based on user input then pass it to mysql.

#include <mysql.h>              /* MySQL C API; conn is an already opened MYSQL * connection */

char querystring[100];          /* filled in from the user's input before the call */

mysql_query(conn, querystring); /* sends the text in querystring to the server as SQL */

this is the easiest way.
#4  trudge  Feb 10th, 2008
Originally Posted by gerard4143:
Just build a character array based on user input then pass it to mysql.

char querystring[100];

mysql_query(conn, querystring);

this is the easiest way.


And what if querystring contains
SELECT whatever 
FROM table
WHERE field = 'something' or 'x' ='x'

That will always return TRUE, which is what an SQL injection attack is.
#5  gerard4143  Feb 11th, 2008
Originally Posted by trudge:
That will always return TRUE, which is what an SQL injection attack is.


I'm not sure what an SQL injection attack is, but I have produced dynamic query strings for mysql in c/c++ and it's not that hard. The way I did it (in c++) was to create a string class and use this to build my query string and then pass it to the mysql function. If you are using c you should read up on the string library; that might help.
#6  gerard4143  Feb 11th, 2008
#include <stdio.h>

int main (int argc, char**argv)
{
	char ch[] = "this is a string\n";
	char ch2[] = "this is a string with 'embedded' quotes\n";

	printf ("%s",ch);
	printf ("%s",ch2);
	return 0;
}


If you need to see how to embed quotes in a string, see above.
Note: you really should have posted this on the C page.
#7  trudge  Feb 11th, 2008
Originally Posted by gerard4143:
I'm not sure what an SQL injection attack is


If you don't know what an SQL injection attack is then you would be wise to look it up. Especially if you are producing web-based access to a database for a client. How would your client feel about you if, using your script, someone accessed all their data and stole it? I gave you a simple example of how the injection attack works in my previous post. It is usually thwarted by using place holders in the query (from a Perl perspective) but I leave it up to you to figure out how to do that in C (not c) and MySQL (not mysql).

If you don't understand how an attack works, how can you protect against it?

And, it doesn't matter what language you use to query the database - it's the SQL query you have to worry about.
#8  gerard4143  Feb 11th, 2008
Did look it up. Interesting topic. Just finished writing a c program to implement mysql_real_escape_string, the mysql cure for SQL injection. It's a little rough right now but it works.
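The thread ends without showing either fix, so here is an added C example (not code from shreevidya, gerard4143 or trudge). It puts post #3's sprintf-built query next to an escaped version and feeds both the 'x'='x' value from post #4, then counts how many string literals the server would see in each query text. escape_for_mysql() is the example's own re-implementation of the escaping rules MySQL documents for mysql_real_escape_string(), written so the program compiles without libmysqlclient; the table name users, the column name, and the input value are constructed for the demonstration. A real program should call the library's mysql_real_escape_string(conn, ...) instead (it knows the connection's character set, which matters for multi-byte encodings) or, as trudge suggests, use placeholders: the MySQL C API provides them as prepared statements through mysql_stmt_prepare() and mysql_stmt_bind_param(), which keep the value out of the SQL text altogether.

```c
/* Added example (not the thread's code): the naive sprintf query from post #3
 * beside an escaped version, checked against the 'x'='x' input from post #4.
 * escape_for_mysql() is this example's own re-implementation of the escaping
 * rules documented for mysql_real_escape_string(); it is NOT libmysqlclient's
 * function and does not know the connection's character set. A real program
 * links libmysqlclient and calls mysql_real_escape_string(conn, ...) or, better,
 * uses prepared statements (mysql_stmt_prepare / mysql_stmt_bind_param). */
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 100   /* longest user value we accept */
#define QUERY_SZ  512   /* room for the fixed SQL plus an escaped value */

/* The value trudge used in post #4 (constructed sample input). */
#define TAUTOLOGY_INPUT "something' or 'x' ='x"

/* Escape len bytes of src into dst, which must hold 2*len+1 bytes.
 * Mirrors the documented mysql_real_escape_string() rules: NUL, newline,
 * carriage return, backslash, single quote, double quote and Ctrl-Z each
 * get a leading backslash. Returns the escaped length without the NUL. */
size_t escape_for_mysql(char *dst, const char *src, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        char c = src[i], rep = 0;
        switch (c) {
        case '\0':   rep = '0';  break;
        case '\n':   rep = 'n';  break;
        case '\r':   rep = 'r';  break;
        case '\\':   rep = '\\'; break;
        case '\'':   rep = '\''; break;
        case '"':    rep = '"';  break;
        case '\x1a': rep = 'Z';  break;
        default:     break;
        }
        if (rep) { dst[n++] = '\\'; dst[n++] = rep; }
        else     { dst[n++] = c; }
    }
    dst[n] = '\0';
    return n;
}

/* Post #3's approach: the user's text is pasted straight into the SQL. */
int build_query_naive(char *out, size_t outsz, const char *user_input)
{
    int r = snprintf(out, outsz, "SELECT * FROM users WHERE name = '%s'", user_input);
    return (r >= 0 && (size_t)r < outsz) ? 0 : -1;
}

/* Same query, but the value is escaped first and oversized input is refused. */
int build_query_escaped(char *out, size_t outsz, const char *user_input)
{
    char esc[2 * MAX_INPUT + 1];
    size_t len = strlen(user_input);
    if (len > MAX_INPUT) return -1;
    escape_for_mysql(esc, user_input, len);
    int r = snprintf(out, outsz, "SELECT * FROM users WHERE name = '%s'", esc);
    return (r >= 0 && (size_t)r < outsz) ? 0 : -1;
}

/* Count single-quoted literals the way the server tokenizes them (backslash
 * escapes honoured; the doubled '' form is not modelled). A query meant to
 * carry one value should contain exactly one literal. */
int count_string_literals(const char *sql)
{
    int count = 0, in_lit = 0;
    for (const char *p = sql; *p; p++) {
        if (!in_lit) { if (*p == '\'') in_lit = 1; continue; }
        if (*p == '\\' && p[1]) { p++; continue; }   /* skip the escaped byte */
        if (*p == '\'') { in_lit = 0; count++; }
    }
    return count;
}

/* Convenience wrappers: literal count of the built query, or -1 if it failed. */
int naive_literal_count(const char *user_input)
{
    char q[QUERY_SZ];
    return build_query_naive(q, sizeof q, user_input) == 0 ? count_string_literals(q) : -1;
}

int escaped_literal_count(const char *user_input)
{
    char q[QUERY_SZ];
    return build_query_escaped(q, sizeof q, user_input) == 0 ? count_string_literals(q) : -1;
}

int main(void)
{
    char q[QUERY_SZ];
    build_query_naive(q, sizeof q, TAUTOLOGY_INPUT);
    printf("naive  : %s   (%d literals)\n", q, count_string_literals(q));
    build_query_escaped(q, sizeof q, TAUTOLOGY_INPUT);
    printf("escaped: %s   (%d literals)\n", q, count_string_literals(q));
    return 0;
}
```

The naive query ends up with three literals, so the server parses the pasted text as extra SQL; the escaped query has the single literal the programmer wrote, with the whole input inside it. Escaping is the narrower of the two fixes: it still mixes data into the query text and depends on the connection's character set, which is why prepared statements are preferred.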