Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
725 views
in Technique[技术] by (71.8m points)

mysql - Preventing SQL Injection in C

I am writing a C application that takes some user input and does a few database queries. I am well aware of the risks here of SQL injection and wish to prevent it.

Ideally I would use parameterized queries, but have been unable to find anything with this functionality in C so far. I am currently constructing my queries as such:

char *query;
asprintf(&query, "UPDATE SomeTable SET SomeField='%s';", userInput);

If I am unable to do this, then I must need to filter the user input. How should this filtering be done? Is it enough to just remove all 's and "s? (Valid inputs cannot contain them). If so, what is the easiest way of doing this in C?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I believe that you want to use prepared statements and parameter binding. Do not directly interpolate user data into your queries. See the MySQL manual for info on this.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...