Join Date: Jan 2008
Posts: 3
Rep Power: 0
Solved Threads: 0
Hi,
I am learning to work with MySQL and C. I want to select a particular row from the database which must be equal to a variable, and the variable should be given by the user. The program is in C, where I use the C API to connect to the SQL database. How do I join the SQL SELECT statement with the C variable that holds the value on which the SELECT command should work?
Please help.
Thanks
Join Date: Sep 2007
Location: North Bay Ontario
Posts: 176
Rep Power: 2
Solved Threads: 20
Just build a character array based on user input then pass it to mysql.
char querystring[100];
mysql_query(conn, querystring);
This is the easiest way.
And what if querystring contains
SELECT whatever FROM table WHERE field = 'something' or 'x' ='x'
That will always return TRUE, which is what an SQL injection attack is.
Amer Neely - Web Mechanic
"Others make web sites. We make web sites work!"
Join Date: Jan 2008
Posts: 72
Rep Power: 1
Solved Threads: 9
That will always return TRUE, which is what an SQL injection attack is.
I'm not sure what an SQL injection attack is, but I have produced dynamic query strings for MySQL in C/C++ and it's not that hard. The way I did it (in C++) was to create a string class and use this to build my query string, then pass it to the mysql function. If you are using C, you should read up on the string library; that might help.
Join Date: Jan 2008
Posts: 72
Rep Power: 1
Solved Threads: 9
#include <stdio.h>

int main (int argc, char **argv)
{
    /* a single-quoted word inside a double-quoted C string needs no escaping */
    char ch[] = "this is a string\n";
    char ch2[] = "this is a string with 'embedded' quotes\n";
    printf ("%s", ch);
    printf ("%s", ch2);
    return 0;
}
If you need to see how to embed quotes in a string, see above.
Note: you really should have posted this on the C page.
Last edited by gerard4143 : Feb 11th, 2008 at 12:13 am.
Join Date: Sep 2007
Location: North Bay Ontario
Posts: 176
Rep Power: 2
Solved Threads: 20
If you don't know what an SQL injection attack is, then you would be wise to look it up, especially if you are producing web-based access to a database for a client. How would your client feel about you if, using your script, someone accessed all their data and stole it? I gave you a simple example of how the injection attack works in my previous post. It is usually thwarted by using placeholders in the query (from a Perl perspective), but I leave it up to you to figure out how to do that in C (not c) and MySQL (not mysql).
If you don't understand how an attack works, how can you protect against it?
And, it doesn't matter what language you use to query the database - it's the SQL query you have to worry about.
Amer Neely - Web Mechanic
"Others make web sites. We make web sites work!"
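The following program is an added example written for this page; it is not code posted by anyone in the thread. It puts the three approaches from the discussion side by side in C: the "character array" approach, which reproduces the injected query quoted in the earlier reply; escaping the value before splicing it into the literal, as mysql_real_escape_string() does; and the placeholder approach the last post points to, using a prepared statement through the MySQL C API. The table and column names (table, field, whatever) are the ones from the thread. The function names build_query_naive, escape_sql_value, build_query_escaped and select_field_prepared, and the USE_MYSQL macro, are this example's own. escape_sql_value is a local stand-in for mysql_real_escape_string() so the string-handling part runs with no server; the prepared-statement part is compiled only with -DUSE_MYSQL because it needs <mysql.h> and a live connection.

```c
/* Added example (not from the thread): naive, escaped and prepared-statement
 * versions of the query discussed above. Names are assumed, see the lead-in. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef USE_MYSQL
#include <mysql.h>
#endif

#define QUERY_FMT "SELECT whatever FROM table WHERE field = '%s'"

/* 1. Naive: the user's text goes straight into the SQL literal, so a quote
 * in the input ends the literal early. Returns 0, or -1 if out is too small. */
int build_query_naive(const char *user_value, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, QUERY_FMT, user_value);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Stand-in for mysql_real_escape_string(): backslash-escapes the bytes that
 * would end or corrupt a quoted literal (NUL, \n, \r, \, ', ", Ctrl-Z).
 * Returns bytes written, or (size_t)-1 if out is too small (it may need
 * 2*in_len+1 bytes). Unlike the real function it ignores the connection
 * charset and the NO_BACKSLASH_ESCAPES SQL mode, so with a live connection
 * call the real one. */
size_t escape_sql_value(const char *in, size_t in_len, char *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        char esc = 0;
        switch (c) {
        case '\0':   esc = '0';  break;
        case '\n':   esc = 'n';  break;
        case '\r':   esc = 'r';  break;
        case '\\':   esc = '\\'; break;
        case '\'':   esc = '\''; break;
        case '"':    esc = '"';  break;
        case '\032': esc = 'Z';  break;
        default: break;
        }
        size_t need = esc ? 2 : 1;
        if (o + need >= out_len)           /* keep one byte for the NUL */
            return (size_t)-1;
        if (esc) { out[o++] = '\\'; out[o++] = esc; }
        else       out[o++] = (char)c;
    }
    out[o] = '\0';
    return o;
}

/* 2. Escaped: a quote inside the value can no longer close the literal. */
int build_query_escaped(const char *user_value, char *out, size_t out_len)
{
    char esc[512];
    if (escape_sql_value(user_value, strlen(user_value), esc, sizeof esc) == (size_t)-1)
        return -1;
    int n = snprintf(out, out_len, QUERY_FMT, esc);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

#ifdef USE_MYSQL
/* 3. Placeholder: the SQL text is fixed at prepare time and the value travels
 * separately, so the server treats it as data whatever it contains.
 * conn must already be connected (mysql_real_connect). Returns 0 on success. */
int select_field_prepared(MYSQL *conn, const char *user_value)
{
    const char *sql = "SELECT whatever FROM table WHERE field = ?";
    MYSQL_STMT *stmt = mysql_stmt_init(conn);
    MYSQL_BIND bind[1];
    unsigned long len = (unsigned long)strlen(user_value);
    int rc = -1;

    if (stmt == NULL)
        return -1;
    if (mysql_stmt_prepare(stmt, sql, (unsigned long)strlen(sql)) != 0)
        goto done;
    memset(bind, 0, sizeof bind);
    bind[0].buffer_type   = MYSQL_TYPE_STRING;
    bind[0].buffer        = (void *)user_value;
    bind[0].buffer_length = len;
    bind[0].length        = &len;
    if (mysql_stmt_bind_param(stmt, bind) != 0 || mysql_stmt_execute(stmt) != 0)
        goto done;
    /* Rows would be read here with mysql_stmt_bind_result()/mysql_stmt_fetch(). */
    rc = 0;
done:
    mysql_stmt_close(stmt);
    return rc;
}
#endif

int main(void)
{
    const char *attack = "something' or 'x' ='x";   /* constructed hostile input */
    char q[256];
    if (build_query_naive(attack, q, sizeof q) == 0)
        printf("naive:   %s\n", q);
    if (build_query_escaped(attack, q, sizeof q) == 0)
        printf("escaped: %s\n", q);
    return 0;
}
```

Run without -DUSE_MYSQL to see the two query strings: the naive one is exactly the always-true query from the earlier reply, the escaped one keeps the whole input inside a single literal. Escaping only works if every value passes through it and the escaping matches the connection's charset and SQL mode, which is why the placeholder version is the one to use once a connection exists.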