
Possible Duplicate:
Preventing SQL Injection in C

I know PHP has some built in functions that help to sanitize queries, but does C have anything like that?

snprintf(&buff[0],1023,"UPDATE grades SET grade='%c' WHERE username='%s'",choice,&uname[0]);

if (mysql_query(connect,&buff[0]) != 0) {
  // If it failed, tell the user
  printf("Error: %s!\n", mysql_error(connect));
  return;
}
Takkun
    I'm almost sure there's some API that supports prepared statements. – cHao Oct 02 '11 at 22:01
    As @cHao said, avoid input "sanitization" and go with prepared statements, the C API [supports them](http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statements.html). – Matteo Italia Oct 02 '11 at 22:09

2 Answers


The MySQL C API has a mysql_real_escape_string() function.

Alex
  • After passing the query through that function, I get... "UPDATE grades SET grade=\'A\' WHERE username=\'student\'" This results in a syntax error when I try to execute it with mysql_query. – Takkun Oct 02 '11 at 22:29
  • I wouldn't recommend using this method of manually escaping strings, because the day you forget to call this is the day you introduce a security problem in your code. Always use prepared statements with bound parameters. – Greg Hewgill Oct 02 '11 at 22:35
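Added example (not code from the question or either answer): a small C illustration of the ordering mistake described in Takkun's comment, that escaping the assembled statement instead of each value turns the delimiting quotes into \' and produces the syntax error quoted above. The escaper here is a toy stand-in for mysql_real_escape_string() so the block compiles without libmysqlclient; real code should call the library function (or, as the comments recommend, use mysql_stmt_prepare() with bound parameters).

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for mysql_real_escape_string(): backslash-escapes the bytes
 * MySQL's escaper handles (NUL, \n, \r, \, ', ", Ctrl-Z). It exists only so
 * this example compiles without libmysqlclient. The real function also knows
 * the connection's character set, which byte-wise escaping cannot; use it
 * (or, better, mysql_stmt_prepare() with '?' placeholders) in real code. */
static size_t toy_escape(char *to, const char *from, size_t from_len) {
    size_t n = 0;
    for (size_t i = 0; i < from_len; i++) {
        char c = from[i], repl = 0;
        switch (c) {
        case '\0':   repl = '0';  break;
        case '\n':   repl = 'n';  break;
        case '\r':   repl = 'r';  break;
        case '\\':   repl = '\\'; break;
        case '\'':   repl = '\''; break;
        case '"':    repl = '"';  break;
        case '\032': repl = 'Z';  break;
        }
        if (repl) to[n++] = '\\';
        to[n++] = repl ? repl : c;
    }
    to[n] = '\0';
    return n;
}

/* The order from the comment above: compose first, escape the whole
 * statement afterwards. The quotes that delimit the literals get escaped
 * too, so the server sees grade=\'A\' and reports a syntax error. */
void escape_after_compose(char *out, size_t cap, char choice, const char *uname) {
    char raw[256];
    snprintf(raw, sizeof raw, "UPDATE grades SET grade='%c' WHERE username='%s'", choice, uname);
    if (cap < 2 * strlen(raw) + 1) { out[0] = '\0'; return; } /* escaping can double the length */
    toy_escape(out, raw, strlen(raw));
}

/* The order the escaping approach requires: escape each untrusted value on
 * its own, then place the escaped value between the quotes. The single-character
 * grade is untrusted too; a quote there breaks the statement just as well,
 * which is one more reason to prefer bound parameters over escaping. */
void escape_before_compose(char *out, size_t cap, char choice, const char *uname) {
    char esc[2 * 128 + 1];
    if (strlen(uname) > 128) { out[0] = '\0'; return; } /* keep esc in bounds */
    toy_escape(esc, uname, strlen(uname));
    snprintf(out, cap, "UPDATE grades SET grade='%c' WHERE username='%s'", choice, esc);
}
```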

The C language and runtime have no such routine. Your particular database's particular client library might have something.

bmargulies