Efficiently escaping quotes in C before passing to mysql_query

Front-end · Unresolved · 3 answers · 1768 views
花落未央 2020-12-11 10:38

In a nutshell I typically build a MySQL query within C using sprintf

i.e.

sprintf(sqlcmd,"update foo set dog=\"lab\" where description=\"%s\"

3 answers
  •  爱一瞬间的悲伤
    2020-12-11 11:22

    Although MySQL has a mysql_real_escape_string() function, you should probably be using prepared statements instead, which allow you to use ? placeholders instead of real parameters, and then bind them to the real parameters before each execution of the statement.
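    An added example (not from the question or the answer above) of the escaping step done correctly in plain C. It does not link against libmysqlclient, so `escape_sql_literal()` is a hypothetical stand-in that applies the same byte-level rules the MySQL C API documents for mysql_real_escape_string() (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z each become a two-byte sequence), and `build_update()` rebuilds the UPDATE statement from the question around the escaped value with a bounds-checked snprintf instead of sprintf. The buffer-size rule it enforces (the destination must hold at least 2*len+1 bytes) is the one the real API requires as well.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for mysql_real_escape_string(): escape `len` bytes of
 * `src` into `dst` so the result can sit inside a quoted SQL string literal.
 * `dst_size` must be at least 2*len+1 (worst case every byte doubles, plus the
 * terminating NUL).  Returns the number of bytes written, excluding the NUL,
 * or (size_t)-1 if `dst` is too small.  Unlike the real call this is not
 * charset-aware; on a live connection use mysql_real_escape_string_quote(). */
size_t escape_sql_literal(char *dst, size_t dst_size, const char *src, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        char repl = 0;                  /* second byte of the escape, if any */
        switch (c) {
        case 0:    repl = '0';  break;  /* embedded NUL -> \0            */
        case '\n': repl = 'n';  break;  /* newline      -> \n            */
        case '\r': repl = 'r';  break;  /* CR           -> \r            */
        case '\\': repl = '\\'; break;  /* backslash    -> \\            */
        case '\'': repl = '\''; break;  /* single quote -> \'            */
        case '"':  repl = '"';  break;  /* double quote -> \"            */
        case 0x1a: repl = 'Z';  break;  /* Ctrl-Z       -> \Z            */
        }
        size_t need = repl ? 2 : 1;
        if (out + need + 1 > dst_size)  /* +1 keeps room for the NUL */
            return (size_t)-1;
        if (repl) {
            dst[out++] = '\\';
            dst[out++] = repl;
        } else {
            dst[out++] = (char)c;
        }
    }
    dst[out] = '\0';
    return out;
}

/* Build the UPDATE from the question with `description` escaped and the
 * output bounds-checked.  Returns 0 on success, -1 if the input is longer
 * than the escape buffer allows or the finished query would not fit. */
int build_update(char *sqlcmd, size_t sqlcmd_size, const char *description)
{
    enum { MAX_DESC = 255 };
    char escaped[2 * MAX_DESC + 1];     /* sized by the 2*len+1 rule */
    size_t len = strlen(description);

    if (len > MAX_DESC)
        return -1;
    if (escape_sql_literal(escaped, sizeof escaped, description, len) == (size_t)-1)
        return -1;

    int n = snprintf(sqlcmd, sqlcmd_size,
                     "update foo set dog=\"lab\" where description=\"%s\"",
                     escaped);
    if (n < 0 || (size_t)n >= sqlcmd_size)
        return -1;                      /* truncated: refuse to run a partial query */
    return 0;
}

int main(void)
{
    /* Constructed sample input containing the characters that break a naive
     * sprintf: embedded double quotes and a backslash. */
    const char *description = "Lab \"Rex\" \\ kennel";
    char sqlcmd[512];

    if (build_update(sqlcmd, sizeof sqlcmd, description) != 0) {
        fprintf(stderr, "query did not fit\n");
        return 1;
    }
    puts(sqlcmd);   /* would be handed to mysql_query() on a real connection */
    return 0;
}
```

The same MySQL C API offers the route the answer recommends: mysql_stmt_prepare() on a MYSQL_STMT with `?` placeholders, then mysql_stmt_bind_param() and mysql_stmt_execute(), which removes the escaping step and the buffer arithmetic entirely; the escaper above is only for code that must keep building query strings.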
