Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
569 views
in Technique[技术] by (71.8m points)

mysql - Efficiently escaping quotes in C before passing to mysql_query

In a nutshell I typically build a MySQL query within C using sprintf

i.e.

sprintf(sqlcmd,"update foo set dog="lab" where description="%s"",some_desc);
mysql_query(some_conn,sqlcmd);

However if some_desc is something like Crazy 5" Dog, then MySql Server screams, as it's confused over the dangling quote.

Is it best, within C, to scan some_desc replacing " with "", OR is there a function in MySql to wrap this better... i.e. description=string(Crazy 5" Dog) ?

Thanks!

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Although MySQL has a mysql_real_escape_string() function, you should probably be using prepared statements instead, which allow you to use ? placeholders instead of real parameters, and then bind them to the real parameters before each execution of the statement.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...