#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2009
    Posts
    3
    Rep Power
    0

    Libpq and PGconn struct


    Hi guys

    I am using libpq for connecting to PostgreSQL Database.

    But I cant find the description of this PGconn struct anywhere. Also in Postgres's documentation, there is nothing said about it.

    Best wishes
  2. #2
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2008
    Posts
    34
    Rep Power
    0
    PGconn is defined by a typedef; search the header files for the
    structure it's defined to be.

    Here it is....
    libpq-fe.h has typedefed pg_conn as PGConn

    Code:
    typedef struct pg_conn PGconn;
    Check the below link for definition of struct pg_conn

    http://doxygen.postgresql.org/libpq-int_8h-source.html
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2009
    Posts
    3
    Rep Power
    0
    hi guys
    What I am trying to do is to make some queries to postgresql database using libpq, PQexec funcion.

    generally there is no problem if I am using standard SQL query.
    char* query="INSERT INTO students(id,name, age) values(2,'Chris', 23)";
    PQexec(query);

    But I need to make some values in this query such as name and age to be variables. Program should ask about name and age first and then prepare a statement and send it.

    Suppose if I write this:
    char *query="INSERT INTO student(id,name,age) values(2,";
    char *name="Chris";
    char *end="')";

    Is there any function which allows me to concatenate those two or more strings in one string and then make a query to database? Is there any function which converts integer to string?

    Best wishes
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2008
    Posts
    34
    Rep Power
    0
    Try this code

    Code:
    #define MAX_QUERY_LEN   3000
    char *query;
    char *name="Chris";
    int    age = 25;
    char *end="')";
    
    query = (char*)malloc(MAX_QUERY_LEN * sizeof(char));
    sprintf(query,"INSERT INTO student(id,name,age) values(2,'%s',%d )", name, age);
    Character field should be within single quotes.
  8. #5
  9. Banned ;)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Nov 2001
    Location
    Woodland Hills, Los Angeles County, California, USA
    Posts
    9,671
    Rep Power
    4273
    It is better to use snprintf() instead of sprintf(). That way you can control how much is written to the string and also detect if it would have overflowed the string.
    Up the Irons
    What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
    "Death Before Dishonour, my Friends!!" - Bruce D ickinson, Iron Maiden Aug 20, 2005 @ OzzFest
    Down with Sharon Osbourne

    "I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2009
    Posts
    3
    Rep Power
    0
    hi guys

    That's working, but when I try to use scanf("%s",&name) it doesnt work.
    char * query;
    char * name;
    scanf("%s",&name);
    sprinf(query, "SELECT * FROM '%s'",name);

    I've got a memory protect error.

    Thanks in advance
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2008
    Posts
    34
    Rep Power
    0
    czildren,

    query and name variables are pointers and hence they need to allocated enough memory before using them.
    Code:
    query = (char*)malloc(MAX_QUERY_LEN * sizeof(char));
    name = (char*)malloc(MAX_NAME_LEN * sizeof(char));
  14. #8
  15. Commie Mutant Traitor
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Jun 2004
    Location
    Alpharetta, GA
    Posts
    1,808
    Rep Power
    1570
    I'm concerned here about one last part of this... while all of the examples you gave used constant strings, the question leads me to think that the actual name field would be from user input. Concatenating user data into a SQL query leaves you vulnerable to 'SQL injection', especially if you aren't vetting the data in some way first.

    While SQL injection attacks are mostly associated with web-based queries, they can occur any time you paste data from input directly into a query. I recommend using PQexecParams() rather than PQexec(), as it ensures that data entered are passed to the DBMS in such a way that it cannot spoof the query. Better still would be to use PQprepare()
    Code:
        PGresult* result = NULL;
    /* .. */
        result = PQprepare(dbconn, "AddStudent", "INSERT INTO students(id,name, age) values($1, $2, $3)", 3, NULL);
    
        if ( /* ...results are valid... */ )  
        {
            /* ... prepare the array of parameter values... */
            PQexecPrepared(dbconn, "AddStudent", 3, params, plens, pformats, rformat);
        }
    This is only a general outline; you'd have to work out how you would need to use it. If nothing else, you can avoid most of the business of string concatenation.
    Last edited by Schol-R-LEA; June 7th, 2009 at 12:26 PM.
    Rev First Speaker Schol-R-LEA;2 JAM LCF ELF KoR KCO BiWM TGIF
    #define KINSEY (rand() % 7) λ Scheme is the Red Pill
    Scheme in Short Understanding the C/C++ Preprocessor
    Taming Python A Highly Opinionated Review of Programming Languages for the Novice, v1.1

    FOR SALE: One ShapeSystem 2300 CMD, extensively modified for human use. Includes s/w for anthro, transgender, sex-appeal enhance, & Gillian Anderson and Jason D. Poit clone forms. Some wear. $4500 obo. tverres@et.ins.gov

IMN logo majestic logo threadwatch logo seochat tools logo