mysql - Efficiently escaping quotes in C before passing to mysql_query

In a nutshell, I typically build a MySQL query within C using sprintf,

i.e.

/* some_desc is pasted straight into the SQL text, unescaped */
sprintf(sqlcmd,"update foo set dog=\"lab\" where description=\"%s\"",some_desc);
mysql_query(some_conn,sqlcmd);

However, if some_desc is something like Crazy 5" Dog, then MySQL Server screams, as it's confused over the dangling quote.

Is it best, within C, to scan some_desc replacing " with "", OR is there a function in MySQL to wrap this better... i.e. description=string(Crazy 5" Dog)?

Thanks!


1 Answer


Although MySQL has a mysql_real_escape_string() function, you should probably be using prepared statements instead, which allow you to use ? placeholders instead of real parameters, and then bind them to the real parameters before each execution of the statement.


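Added example, not code from the original question or answer. It contrasts the question's idea (replace every " with "") with the backslash-aware escaping that mysql_real_escape_string() performs, and shows why the answer prefers prepared statements: with MySQL's default sql_mode a backslash escapes the next character inside a quoted literal, so a value that starts with \ defeats quote doubling and breaks out of the string. Assumptions: escape_mysql() is a simplified single-byte stand-in for mysql_real_escape_string() (the real function is connection-charset aware and is what production code should call); the table and columns are the question's; WITH_MYSQL is a hypothetical build flag guarding the libmysqlclient part, which needs a live connection and is not compiled in the stand-alone run; the two input strings are constructed.

```c
/* Added example, not from the original question or answer.  Pure C, so it
 * runs without a MySQL server; the libmysqlclient part is an assumption
 * compiled only with -DWITH_MYSQL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The approach the question proposes: replace every " with "". */
static char *double_quotes(const char *in) {
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        if (*in == '"') *p++ = '"';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Stand-in for mysql_real_escape_string(conn, to, from, len) (assumption:
 * single-byte charset; the real, charset-aware call belongs in production).
 * The point is that backslashes are escaped as well as quotes. */
static char *escape_mysql(const char *in, size_t len) {
    char *out = malloc(2 * len + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        switch (in[i]) {
        case '\0':   *p++ = '\\'; *p++ = '0'; break;
        case '\n':   *p++ = '\\'; *p++ = 'n'; break;
        case '\r':   *p++ = '\\'; *p++ = 'r'; break;
        case '\x1a': *p++ = '\\'; *p++ = 'Z'; break;
        case '\\': case '\'': case '"':
                     *p++ = '\\'; *p++ = in[i]; break;
        default:     *p++ = in[i];
        }
    }
    *p = '\0';
    return out;
}

/* Bounded version of the sprintf() from the question; -1 on truncation. */
static int build_update(char *buf, size_t cap, const char *value) {
    int n = snprintf(buf, cap,
                     "update foo set dog=\"lab\" where description=\"%s\"", value);
    return (n >= 0 && (size_t)n < cap) ? n : -1;
}

/* Walk the description literal as MySQL's lexer does (\x escapes one
 * character, "" is a literal quote) and report whether the closing quote
 * is the last byte of the query, i.e. whether the value stayed inside it. */
static int literal_contained(const char *q) {
    const char *s = strstr(q, "description=\"");
    if (!s) return 0;
    for (s += strlen("description=\""); *s; s++) {
        if (*s == '\\') { if (!s[1]) return 0; s++; continue; }
        if (*s == '"') {
            if (s[1] == '"') { s++; continue; }
            return s[1] == '\0';
        }
    }
    return 0;                      /* literal never closed */
}

/* Build the query with one of the two escapers; 1 if the value stayed
 * inside the literal, 0 if it broke out (or the build failed). */
static int value_stays_quoted(const char *desc, int use_escape) {
    char sql[256];
    char *v = use_escape ? escape_mysql(desc, strlen(desc)) : double_quotes(desc);
    int ok = v && build_update(sql, sizeof sql, v) > 0 && literal_contained(sql);
    free(v);
    return ok;
}

#ifdef WITH_MYSQL
#include <mysql/mysql.h>
/* Preferred: the value never touches the SQL text, so nothing needs escaping. */
static int update_desc_prepared(MYSQL *conn, const char *desc) {
    const char *sql = "update foo set dog=\"lab\" where description=?";
    MYSQL_STMT *stmt = mysql_stmt_init(conn);
    MYSQL_BIND bind[1];
    unsigned long len = (unsigned long)strlen(desc);
    int rc = -1;
    if (!stmt) return -1;
    if (mysql_stmt_prepare(stmt, sql, (unsigned long)strlen(sql)) != 0) goto done;
    memset(bind, 0, sizeof bind);
    bind[0].buffer_type   = MYSQL_TYPE_STRING;
    bind[0].buffer        = (char *)desc;
    bind[0].buffer_length = len;
    bind[0].length        = &len;
    if (mysql_stmt_bind_param(stmt, bind) != 0) goto done;
    rc = mysql_stmt_execute(stmt) == 0 ? 0 : -1;
done:
    mysql_stmt_close(stmt);
    return rc;
}
#endif

int main(void) {
    /* Constructed inputs: the question's value and a backslash-led payload. */
    const char *benign = "Crazy 5\" Dog";
    const char *attack = "\\\"; drop table foo; -- ";
    printf("benign: doubled=%d escaped=%d\n",
           value_stays_quoted(benign, 0), value_stays_quoted(benign, 1));
    printf("attack: doubled=%d escaped=%d\n",
           value_stays_quoted(attack, 0), value_stays_quoted(attack, 1));
    return 0;
}
```

Quote doubling is enough for the value in the question but not for the backslash payload, where the doubled quotes become an escaped quote followed by a real closing quote and the rest of the input becomes SQL. Escaping the backslash closes that hole, and binding the value with a ? placeholder removes the quoting problem altogether, which is why the answer points there first.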