Efficiently escaping quotes in C before passing to mysql_query

花落未央 2020-12-11 10:38

In a nutshell I typically build a MySQL query within C using sprintf

i.e.

    sprintf(sqlcmd,"update foo set dog=\"lab\" where description=\"%s\
3 answers
  • 2020-12-11 11:22

    Although MySQL has a mysql_real_escape_string() function, you should probably be using prepared statements instead, which allow you to use ? placeholders instead of real parameters, and then bind them to the real parameters before each execution of the statement.

  • 2020-12-11 11:24

    MySQL does that already for you

    http://dev.mysql.com/doc/refman/5.0/en/mysql-real-escape-string.html

  • 2020-12-11 11:25

    I would write a simple escape function like the following:

    #include <stddef.h>
    #include <string.h>

    // Escapes input into output for use inside a MySQL string literal.
    // Returns the number of bytes written (not counting the terminating
    // NUL); returns 0 when the output buffer is too small (or the input
    // is empty), and output is always NUL-terminated when output_size > 0.
    size_t escape_mysql_string(const char * input, size_t input_size,
       char * output, size_t output_size)
    {
       size_t ipos; // position within input buffer
       size_t opos; // position within output buffer

       // cheap early reject: the output buffer must at least hold the
       // input plus one escape byte and the terminator; the loop below
       // still checks per character, since worst case every byte doubles
       if (output_size < (input_size+2))
       {
          if (output_size > 0)
             output[0] = '\0';
          return(0);
       }

       // loop through input buffer, stopping at the first NUL byte
       // (embedded NULs are therefore dropped; mysql_real_escape_string()
       // would emit them as \0)
       opos = 0;
       for(ipos = 0; ((ipos < input_size) && (input[ipos])); ipos++)
       {
          // verify that output buffer has room for an escaped character
          // (two bytes) plus the terminating NUL; fail rather than
          // silently truncate the value
          if ((opos+2) >= output_size)
          {
             output[0] = '\0';
             return(0);
          }

          switch(input[ipos])
          {
             // escape quote ("), apostrophe ('), backslash (\), % and _
             // (note: MySQL only treats \% and \_ specially inside LIKE
             // patterns; elsewhere the backslash is kept in the value)
             case '\'':
             case '\"':
             case '\\':
             case '%':
             case '_':
             output[opos] = '\\';
             opos++;
             output[opos] = input[ipos];
             break;

             // escape newlines
             case '\n':
             output[opos] = '\\';
             opos++;
             output[opos] = 'n';
             break;

             // escape carriage returns
             case '\r':
             output[opos] = '\\';
             opos++;
             output[opos] = 'r';
             break;

             // escape tabs
             case '\t':
             output[opos] = '\\';
             opos++;
             output[opos] = 't';
             break;

             // save unescaped input character
             default:
             output[opos] = input[ipos];
             break;
          }
          opos++;
       }

       output[opos] ='\0';
       return(opos);
    }


    Then call it with something like the following:

    char some_escaped_desc[1024];
    size_t n = escape_mysql_string(some_desc, strlen(some_desc),
                                   some_escaped_desc, sizeof(some_escaped_desc));
    // n == 0 means the output buffer was too small (or the input was empty),
    // so the escaped string must not be used to build a query in that case
    
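The escaping the second and third answers discuss, as an added example that is not code from the original post or from MySQL itself: a routine that applies the escape set the mysql_real_escape_string() manual page lists (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z), sized by the 2*len+1 rule that page gives, and then assembles the UPDATE from the question with a bounds-checked snprintf instead of the unbounded sprintf. The function names mysql_escape and build_update_query, the table and column names and the test input are all chosen here.

```c
/* Added example, not code from the original post or from MySQL itself.
 * mysql_escape() applies the escape set listed for mysql_real_escape_string()
 * and needs an output buffer of 2*len + 1 bytes in the worst case;
 * build_update_query() then assembles the query from the question with a
 * bounds-checked snprintf.  All names here are chosen for the example. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape len bytes of in (embedded NULs allowed) into out.
 * Returns the number of bytes written, not counting the terminating NUL,
 * or (size_t)-1 if out cannot hold the result; out is then set to "".
 * Worst case every byte doubles, so out_size >= 2*len + 1 always works. */
size_t mysql_escape(const char *in, size_t len, char *out, size_t out_size)
{
    size_t o = 0;

    if (out_size == 0)
        return (size_t)-1;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        char esc = 0;                /* byte written after '\\'; 0 = no escape */

        switch (c) {
        case 0:    esc = '0'; break; /* a raw NUL would end the C string early */
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case 0x1a: esc = 'Z'; break; /* Ctrl-Z, end-of-file marker on Windows */
        case '\\':
        case '\'':
        case '"':  esc = (char)c; break;
        default:   break;
        }

        size_t need = esc ? 2 : 1;
        if (o + need >= out_size) {  /* keep one byte for the terminator */
            out[0] = '\0';
            return (size_t)-1;
        }
        if (esc)
            out[o++] = '\\';
        out[o++] = esc ? esc : (char)c;
    }
    out[o] = '\0';
    return o;
}

/* Build the query from the question with desc escaped.  Returns 0 with a
 * NUL-terminated query in sql on success, -1 if the escape buffer could not
 * be allocated or the query does not fit; a truncated query must never be
 * handed to mysql_query(). */
int build_update_query(const char *desc, char *sql, size_t sql_size)
{
    size_t dlen = strlen(desc);
    size_t esc_size = 2 * dlen + 1;   /* the 2*len + 1 rule from the manual */
    char *esc = malloc(esc_size);
    int n;

    if (esc == NULL)
        return -1;
    if (mysql_escape(desc, dlen, esc, esc_size) == (size_t)-1) {
        free(esc);
        return -1;
    }
    /* Single quotes here; '"' is escaped as well, so the same routine is
     * safe if the literal is written with double quotes as in the question. */
    n = snprintf(sql, sql_size,
                 "update foo set dog='lab' where description='%s'", esc);
    free(esc);
    if (n < 0 || (size_t)n >= sql_size)  /* snprintf reports the full length */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed input: a value that closes the literal if pasted in raw,
     * which is what the sprintf in the question does. */
    const char *desc = "x' or '1'='1";
    char sql[256];

    if (build_update_query(desc, sql, sizeof sql) == 0)
        puts(sql);   /* the quote stays inside the literal: description='x\' or \'1\'=\'1' */
    return 0;
}
```

A byte-wise loop like this is only correct for single-byte and UTF-8 connections; mysql_real_escape_string() takes the MYSQL handle precisely so it can escape according to the connection's character set, which matters for multibyte sets where a trailing byte of a character can equal 0x5C. That is the reason the second answer says to let MySQL do it, and the first answer's prepared statements (mysql_stmt_prepare(), mysql_stmt_bind_param(), mysql_stmt_execute() in the C API) avoid building the literal at all.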