#1
    mysql and characters


    I'm writing a program in C which writes _FILENAME_ to a MySQL database.

    So I've got a variable (char) 'filename':

    "\\server\directory\file'name'.mp3"

    char query[1024];
    /* filename is pasted into the SQL text as-is, without escaping */
    snprintf (query, sizeof query, "INSERT INTO db (file) VALUES ('%s')", filename);
    ...

    When MySQL executes this query, it returns a syntax error, because the query has a " ' " character.

    Or in MySQL it appears as:

    "\serverdirectoryfilename.mp3"

    MySQL reads the ' and \ symbols as control characters, so I need to replace them with \' and \\ ?

    question:

    * Does anyone have a fast plain C function to replace these symbols?
    * Can I solve this problem by changing the MySQL query?

    I am using gcc on linux.

    Thanks.
#2
    MySQL has a fast function to replace problem characters. It's mysql_real_escape_string, and it's documented in the API documentation.

    All of the string data that you get from the user should be run through this function. Otherwise some wisenheimer can hijack your SQL query to do their own evil.
    Clay Dowling
    Lazarus Notes
    Articles and commentary on web development
    http://www.lazarusid.com/notes/
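
An added example, not code from either post: the INSERT from the question, built with the value escaped first. So that it runs without a server or libmysqlclient, `escape_sketch` is a hypothetical hand-written stand-in that escapes the characters the MySQL documentation lists for `mysql_real_escape_string` (single-byte character sets only) and uses the same 2*len+1 output buffer rule; `build_insert` and the 256-byte input limit are also assumptions of this sketch. Real code should call `mysql_real_escape_string(conn, to, from, len)` on an open connection instead.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for mysql_real_escape_string(), single-byte
 * charsets only. Escapes NUL, \n, \r, \, ', " and Ctrl-Z.
 * 'to' must hold 2*len+1 bytes (the sizing rule the real call uses).
 * Returns the escaped length, not counting the terminating NUL. */
size_t escape_sketch(char *to, const char *from, size_t len)
{
    char *out = to;
    for (size_t i = 0; i < len; i++) {
        char c = from[i], e = 0;
        switch (c) {
        case '\0':   e = '0'; break;
        case '\n':   e = 'n'; break;
        case '\r':   e = 'r'; break;
        case '\032': e = 'Z'; break;          /* Ctrl-Z */
        case '\\': case '\'': case '"': e = c; break;
        }
        if (e) { *out++ = '\\'; *out++ = e; } /* emit backslash + marker */
        else   { *out++ = c; }
    }
    *out = '\0';
    return (size_t)(out - to);
}

/* Build the INSERT from the thread with the value escaped.
 * Returns 0 on success, -1 if the input or the query does not fit. */
int build_insert(char *query, size_t qsize, const char *filename)
{
    char esc[2 * 256 + 1];
    size_t len = strlen(filename);
    if (len > 256) return -1;
    escape_sketch(esc, filename, len);
    int n = snprintf(query, qsize, "INSERT INTO db (file) VALUES ('%s')", esc);
    return (n < 0 || (size_t)n >= qsize) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: the filename from the question as a C literal. */
    const char *filename = "\\\\server\\directory\\file'name'.mp3";
    char query[1024];
    if (build_insert(query, sizeof query, filename) == 0)
        puts(query);
    return 0;
}
```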
