0

I have been working with the tutorial on the MySQL C API from http://zetcode.com/tutorials/mysqlcapitutorial/. The following example is working fine:

#include <my_global.h>
#include <mysql.h>

int main(int argc, char **argv)
{
    MYSQL *conn;

    conn = mysql_init(NULL);
    mysql_real_connect(conn, "localhost", "zetcode", "passwd", "testdb", 0, NULL, 0);

    mysql_query(conn, "CREATE TABLE writers(name VARCHAR(25))");

    mysql_query(conn, "INSERT INTO writers VALUES('Leo Tolstoy')");
    mysql_query(conn, "INSERT INTO writers VALUES('Jack London')");
    mysql_query(conn, "INSERT INTO writers VALUES('Honore de Balzac')");
    mysql_query(conn, "INSERT INTO writers VALUES('Lion Feuchtwanger')");
    mysql_query(conn, "INSERT INTO writers VALUES('Emile Zola')");

    mysql_close(conn);
}

How can I change the code to accept custom values instead of the hardcoded ones? Is it possible to replace writers and e.g. Leo Tolstoy with a char pointer or something?

3 Answers

3

You have basically two options:


2 Comments

Regarding escaping strings, this only applies to user-supplied values. You should take care to differentiate between safe and unsafe data.
Well, there are no "safe" data. Either you have variables that come from files, user input, etc. or you have constants in your code. Even with constants, I'd rather let the MySQL client do the escaping, because it knows better than me what to escape.
0

You will likely have to compose your strings, e.g. using sprintf().


0

You can probably use sprintf() / snprintf(), as for example:

#include <my_global.h>
#include <mysql.h>

int main(int argc, char **argv)
{
    MYSQL *conn;
    conn = mysql_init(NULL);
    /* error checking missing */
    mysql_real_connect(conn, "localhost", "zetcode", "passwd", "testdb", 0, NULL, 0);
    /* error checking missing */
    mysql_query(conn, "CREATE TABLE writers(name VARCHAR(25))");
    /* error checking missing */
    do {
        char cmd[1000];
        char *name = "Leo Tolstoy"; /* get from user or file or something */
        snprintf(cmd, 999, "INSERT INTO writers VALUES('%s')", name);
        /* error checking missing */
        mysql_query(conn, cmd);
        /* error checking missing */
    } while (0);
    mysql_close(conn);
    /* error checking missing */
}

1 Comment

Might I add, if you're going to do it this way and get the input from ... well ... anywhere, you're going to want to mysql_real_escape_string all of your variables to make sure that you don't fall victim to a SQL injection attack, as stated in @Lukáš Lalinský's link.
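
Added example (not part of the original answers or comments): the snprintf() approach from the answer above, with the name escaped before it is placed in the statement. `escape_stub`, `build_insert` and `MAX_NAME` are hypothetical names and the input names are constructed; `escape_stub` stands in for mysql_real_escape_string() so the block runs without a server.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 25   /* assumption: byte limit taken from VARCHAR(25) */

/* Stand-in for mysql_real_escape_string(conn, to, from, len). It escapes the
 * same byte set but ignores the connection character set, so real code must
 * call the library function. `to` needs at least 2*len+1 bytes, as the real
 * API requires. Returns the escaped length. */
static unsigned long escape_stub(char *to, const char *from, unsigned long len)
{
    char *p = to;
    for (unsigned long i = 0; i < len; i++) {
        char c = from[i];
        switch (c) {
        case '\0':   *p++ = '\\'; *p++ = '0'; break;
        case '\n':   *p++ = '\\'; *p++ = 'n'; break;
        case '\r':   *p++ = '\\'; *p++ = 'r'; break;
        case '\032': *p++ = '\\'; *p++ = 'Z'; break;   /* Ctrl-Z */
        case '\\': case '\'': case '"': *p++ = '\\'; *p++ = c; break;
        default:     *p++ = c;
        }
    }
    *p = '\0';
    return (unsigned long)(p - to);
}

/* Build the INSERT with the name escaped first.
 * Returns 0 on success, -1 if the name or the statement does not fit. */
int build_insert(char *cmd, size_t cmdlen, const char *name)
{
    char esc[2 * MAX_NAME + 1];
    size_t len = strlen(name);
    if (len > MAX_NAME)
        return -1;                      /* reject instead of truncating */
    escape_stub(esc, name, (unsigned long)len);
    int n = snprintf(cmd, cmdlen, "INSERT INTO writers VALUES('%s')", esc);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

int main(void)
{
    char cmd[1000];
    const char *names[] = { "Leo Tolstoy", "Sean O'Casey", "x'),('y" };
    for (size_t i = 0; i < 3; i++)
        if (build_insert(cmd, sizeof cmd, names[i]) == 0)
            puts(cmd);                  /* would go to mysql_query(conn, cmd) */
    return 0;
}
```

With a live connection, replace the `escape_stub` call with `mysql_real_escape_string(conn, esc, name, len)`. Prepared statements (`mysql_stmt_prepare()` with `mysql_stmt_bind_param()`) avoid building the string from input at all.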
