hi


i am learning to work with mysql and c. i want to select a particular row from database which must be equal to a variable and the variable should be given by user.the program is in c where i use c api to connect sql database. how to join the sql select statement with the c varible which have the value based on which the selec command should work


plz help


thanks

Show us what you have tried so far.

You should ALWAYS sanitize user-supplied data before doing a SELECT to avoid SQL injection exploits.

Just build a character array based on user input then pass it to mysql.

char querystring[100];

mysql_query(conn, querystring);

this is the easiest way.

Just build a character array based on user input then pass it to mysql.

char querystring[100];

mysql_query(conn, querystring);

this is the easiest way.

And what if querystring contains

SELECT whatever 
FROM table
WHERE field = 'something' or 'x' ='x'

That will always return TRUE, which is what an SQL injection attack is.

That will always return TRUE, which is what an SQL injection attack is.

I'm not sure what an SQL injection attack is but I have produced dynamic query strings for mysql in c/c++ and its not that hard. The way I did (in c++) was to create a string class and use this to build my query string and then pass it to the mysql function. If you are using c you should read up on the string library that might help.

#include <stdio.h>

int main (int argc, char**argv)
{
	char ch[] = "this is a string\n";
	char ch2[] = "this is a string with 'embedded' quotes\n";

	printf ("%s",ch);
	printf ("%s",ch2);
	return 0;
}

If you need to see how to embedded quotes in a string see above
Note you really should have posted this on the c page

I'm not sure what an SQL injection attack is

If you don't know what an SQL Injection attack is then you would be wise do look it up. Especially if you are producing web-based access to a database for a client. How would your client feel about you, if using your script someone accessed all their data and stole it? I gave you a simple example of how the injection attack works in my previous post. It is usually thwarted by using place holders in the query (from a Perl perspective) but I leave it up to you to figure out how to do that in C (not c) and MySQL (not mysql).

If you don't understand how an attack works, how can you protect against it?

And, it doesn't matter what language you use to query the database - it's the SQL query you have to worry about.

Did look it up. Interesting topic. Just finished writing a c program to implement mysql_real_escape_string the mysql cure for SQL injection. Its a little rough right now but it works.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.