4

I currently use the C language to process HTTP events, and I need to do SQL operations with MySQL, so how do I prevent SQL injection? Is there any C library for that, thank you?

user440446
  • 417
  • 1
  • 5
  • 11
  • 4
    Welcome to Stack Overflow! Please be sure to "accept" correct answers to your questions that you've found helpful by clicking the green check mark next to them; otherwise, people will be disinclined to continue providing answers for you. – Adam Rosenfield Jun 29 '11 at 02:35
  • 8 Questions : 0 Selected Answers : 1 Waste of time --- is that why you have a question mark after `thank you`? – vol7ron Jun 29 '11 at 02:45
  • 1
    How are you *currently* connecting to MySQL does *that library* have any support for *parametrized queries*? (One *huge way* to increase security is to use a language -- Scala, Ruby, Python, C#, Java, etc. -- where you don't need to worry about buffer overflow exploits [or accidents] ;-) –  Jun 29 '11 at 02:48
  • I think this question is too general, which makes me want to flag it, but I will not. And check this question for further steps, which you may need help with for specific SQL injection prevention: [Preventing SQL Injection in C.](http://stackoverflow.com/questions/5827344/preventing-sql-injection-in-c) – Bastardo Jun 29 '11 at 23:04

2 Answers

3

SQL Injection Attacks and Some Tips on How to Prevent Them

asling
  • 41
  • 2
  • 1
    An interesting read. However, consider adding more to the reply than just a link -- a brief excerpt, quote, summary, or experience will make the answer much better. As it is now, it may as well just be a comment. Also, anything for a C-specific MySQL binding? –  Jun 29 '11 at 02:47
2

The way you prevent SQL injection (or shell escape injection, etc.) is not passing unquoted literal strings to an interface that treats some characters as special. You need to transform string data to a safe quoted form before including it as part of a larger "command string" that will be interpreted by an SQL database, shell, external command, API that takes URI strings, etc.

R.. GitHub STOP HELPING ICE
  • 208,859
  • 35
  • 376
  • 711
  • To be more concrete: do not write your own SQL escape routines; use `mysql_real_escape_string()`. http://stackoverflow.com/questions/7839734/efficiently-escaping-quotes-in-c-before-passing-to-mysql-query/7840304#7840304 – BraveNewCurrency Nov 05 '13 at 03:03
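As an added illustration of the transformation the answer above describes (escaping string data into a quoted SQL literal before it is concatenated into a command string), here is a small self-contained C program. It is not code from the question, the answers, or the MySQL client library: the `users` table, the `name` column and the input strings are constructed for the demonstration, and `sql_escape()` is a byte-wise teaching routine that applies the same backslash rules MySQL uses for single-quoted literals. In real code, follow the comment above and call `mysql_real_escape_string()`, which takes the connection handle so it can escape according to the connection's character set (a byte-wise routine like this one is only correct for single-byte or ASCII-compatible encodings such as UTF-8), or, better still, avoid string assembly entirely with prepared statements (`mysql_stmt_prepare()` / `mysql_stmt_bind_param()`), where the data never touches the SQL text at all.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Write one input byte into out, escaped the way MySQL expects inside a
   single-quoted literal. Returns bytes written (1 or 2), or 0 if out of room. */
static size_t escape_byte(unsigned char c, char *out, size_t room) {
    char esc = 0;
    switch (c) {
    case '\0':   esc = '0';  break;  /* NUL terminates C strings; keep it visible */
    case '\n':   esc = 'n';  break;
    case '\r':   esc = 'r';  break;
    case '\\':   esc = '\\'; break;
    case '\'':   esc = '\''; break;  /* the quote that would end the literal */
    case '"':    esc = '"';  break;
    case '\032': esc = 'Z';  break;  /* Ctrl-Z, an EOF marker on Windows */
    default: break;
    }
    if (esc) {
        if (room < 2) return 0;
        out[0] = '\\';
        out[1] = esc;
        return 2;
    }
    if (room < 1) return 0;
    out[0] = (char)c;
    return 1;
}

/* Escape len bytes of src (which may itself contain NUL) into dst as the body
   of a single-quoted literal. Always NUL-terminates; returns false and leaves
   dst empty if the output would not fit. Worst case needs 2*len+1 bytes. */
bool sql_escape(const char *src, size_t len, char *dst, size_t dst_size) {
    size_t used = 0;
    if (dst_size == 0) return false;
    for (size_t i = 0; i < len; i++) {
        size_t n = escape_byte((unsigned char)src[i], dst + used, dst_size - 1 - used);
        if (n == 0) { dst[0] = '\0'; return false; }
        used += n;
    }
    dst[used] = '\0';
    return true;
}

/* Safe assembly: the user-supplied name is escaped before it is placed inside
   the quotes, so it can never end the literal early. Table/column names are
   constructed for this example. */
bool build_user_query(const char *name, char *query, size_t query_size) {
    char escaped[256];
    if (!sql_escape(name, strlen(name), escaped, sizeof escaped)) return false;
    int n = snprintf(query, query_size,
                     "SELECT id FROM users WHERE name = '%s'", escaped);
    return n >= 0 && (size_t)n < query_size;
}

/* The vulnerable 'before': raw concatenation, kept only to show the difference. */
bool build_user_query_unsafe(const char *name, char *query, size_t query_size) {
    int n = snprintf(query, query_size,
                     "SELECT id FROM users WHERE name = '%s'", name);
    return n >= 0 && (size_t)n < query_size;
}

int main(void) {
    /* Constructed input: a legitimate apostrophe plus a quote that tries to
       break out of the literal. */
    const char *input = "O'Brien' OR 'a'='a";
    char q[512];

    if (build_user_query_unsafe(input, q, sizeof q)) printf("unsafe: %s\n", q);
    if (build_user_query(input, q, sizeof q))        printf("safe:   %s\n", q);
    return 0;
}
```

Running it prints the two assembled queries side by side: in the unsafe version the input closes the literal and appends its own condition, while in the escaped version every quote becomes `\'` and the whole input stays one string value. `sql_escape()` also refuses to write past the buffer it is given, which matters in C because an escaped string can be up to twice as long as the input.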