Re: Programmers toolkit - C api sprintf-like mysql_query()
From: Jerry Stuckle <jstucklex_at_attglobal.net>
Date: Sun, 2 Jul 2017 18:19:23 -0400
Message-ID: <ojbr9i$v7$1_at_jstuckle.eternal-september.org>
On 7/2/2017 3:46 PM, Lew Pitcher wrote:
> Jerry Stuckle wrote:
>
> [snip]
>
>> Ensure you call mysql_real_escape_string() for all non-numeric values
>> that come from external sources. Failure to do so can lead to a SQL
>> injection attack.
>
> Thanks for the reminder, Jerry.
>
> I don't see, however, how that suggestion has anything directly to do with
> the code I posted, or the implementation pattern it replaces.
>
> To me, it is about as helpful as also reminding everyone who read my post
> that they must call mysql_init() to obtain a valid dbm handle; it's true,
> and important, but irrelevant to the current discussion.
>
> But, thanks anyway for the reminder.
>
It is, because when you add a string value to your INSERT (or any other) statement, you need to ensure the string is escaped by mysql_real_escape_string(). Your code doesn't do that, which leaves it open to a SQL injection attack.
Of course, if you BIND values instead, you don't need to escape the strings.
-- 
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex_at_attglobal.net
==================
Received on Mon Jul 03 2017 - 00:19:23 CEST
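The point Jerry is making, as an added example that is not from either poster's code: an sprintf-style INSERT that pastes a raw string into the statement changes the statement's structure when the value contains a quote, while the same value passed through the escaping step keeps the literal intact. To stay self-contained, escape_sql_string() below is a stand-in that applies the escaping rules the MySQL C API documents for mysql_real_escape_string() (NUL, newline, carriage return, backslash, single and double quote, Ctrl-Z); the real function also takes a live MYSQL connection so it can honour the connection's character set, which this stand-in does not. The table and column names and the sample value are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for mysql_real_escape_string(): applies the documented escaping
 * rules but ignores the connection character set. Output buffer must hold
 * at least 2*length+1 bytes, the same contract the real API imposes. */
size_t escape_sql_string(char *to, const char *from, size_t length)
{
    char *p = to;
    for (size_t i = 0; i < length; i++) {
        unsigned char c = (unsigned char)from[i];
        switch (c) {
        case '\0':   *p++ = '\\'; *p++ = '0';  break;
        case '\n':   *p++ = '\\'; *p++ = 'n';  break;
        case '\r':   *p++ = '\\'; *p++ = 'r';  break;
        case '\\':   *p++ = '\\'; *p++ = '\\'; break;
        case '\'':   *p++ = '\\'; *p++ = '\''; break;
        case '"':    *p++ = '\\'; *p++ = '"';  break;
        case '\032': *p++ = '\\'; *p++ = 'Z';  break;
        default:     *p++ = (char)c;
        }
    }
    *p = '\0';
    return (size_t)(p - to);
}

/* The pattern under discussion: value pasted straight into the SQL text.
 * Any quote in `name` ends the literal early. */
int build_insert_unsafe(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "INSERT INTO users (name) VALUES ('%s')", name);
}

/* Jerry's recommendation: escape first, then paste. */
int build_insert_escaped(char *out, size_t outsz, const char *name)
{
    size_t len = strlen(name);
    char *esc = malloc(2 * len + 1);     /* API contract: 2*len+1 bytes */
    if (!esc)
        return -1;
    escape_sql_string(esc, name, len);
    int n = snprintf(out, outsz, "INSERT INTO users (name) VALUES ('%s')", esc);
    free(esc);
    return n;
}

/* Sanity check on the built statement: count quotes that are not preceded
 * by a backslash. One string literal in the statement means exactly two. */
int count_unescaped_quotes(const char *sql)
{
    int n = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }  /* skip escaped char */
        if (*p == '\'')
            n++;
    }
    return n;
}

int main(void)
{
    const char *name = "O'Brien";   /* constructed sample input */
    char sql[256];

    build_insert_unsafe(sql, sizeof sql, name);
    printf("unsafe : %s  (unescaped quotes: %d)\n", sql, count_unescaped_quotes(sql));

    build_insert_escaped(sql, sizeof sql, name);
    printf("escaped: %s  (unescaped quotes: %d)\n", sql, count_unescaped_quotes(sql));
    return 0;
}
```

With a real connection the escaping call is mysql_real_escape_string(conn, esc, name, len) in place of the stand-in, and Jerry's second point holds too: with mysql_stmt_prepare() and mysql_stmt_bind_param() the value travels as a bound MYSQL_BIND parameter rather than as SQL text, so no escaping step is needed at all.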