Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
723 views
in Technique[技术] by (71.8m points)

mysql - Preventing SQL Injection in C

I am writing a C application that takes some user input and does a few database queries. I am well aware of the risks here of SQL injection and wish to prevent it.

Ideally I would use parameterized queries, but have been unable to find anything with this functionality in C so far. I am currently constructing my queries as such:

char *query;
asprintf(&query, "UPDATE SomeTable SET SomeField='%s';", userInput);

If I am unable to do this, then I must need to filter the user input. How should this filtering be done? Is it enough to just remove all 's and "s? (Valid inputs cannot contain them). If so, what is the easiest way of doing this in C?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I believe that you want to use prepared statements and parameter binding. Do not directly interpolate user data into your queries. See the MySQL manual for info on this.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...