Re: Programmers toolkit - C api sprintf-like mysql_query()

From: Lew Pitcher <lew.pitcher_at_digitalfreehold.ca>
Date: Sun, 02 Jul 2017 18:55:26 -0400
Message-ID: <ojbtdm$6f1$1_at_dont-email.me>


Jerry Stuckle wrote:

> On 7/2/2017 3:46 PM, Lew Pitcher wrote:

>> Jerry Stuckle wrote:
>>
>> [snip]
>>
>>> Ensure you call mysql_real_escape_string() for all non-numeric values
>>> that come from external sources.  Failure to do so can lead to a SQL
>>> injection attack.

>>
>> Thanks for the reminder, Jerry.
>>
>> I don't see, however, how that suggestion has anything directly to do
>> with the code I posted, or the implementation pattern it replaces.
>>
>> To me, it is about as helpful as also reminding everyone who read my
>> post that they must call mysql_init() to obtain a valid dbm handle; it's
>> true, and important, but irrelevant to the current discussion.
>>
>> But, thanks anyway for the reminder.
>>
[snip]
> when add a string value to your INSERT (or any other)
> statement, you need to ensure the string is escaped by
> mysql_real_escape_string().  Your code doesn't do that,

And, neither does a naked call to mysql_query().

And, as I said earlier, my function is intended to substitute for the malloc()/sprintf()/mysql_query()/free() pattern.

As I said, I feel that your comment is about as relevant as an observation that you must first build a dbm handle using mysql_init() before using it in my function; it is both true and important, but irrelevant to the discussion of using one query function to substitute for another.

> which leaves it open to a SQL injection attack.

> Of course, if you BIND values instead, you don't need to escape the
> strings.

And, as I said, a prepared statement would be overkill for the situation that I see this function being used in.

If you want to write a query function that either extends mine (by calling mysql_real_escape_string() where necessary, before calling mysql_query() ) or replaces mine (by encapsulating logic to prepare and execute a "prepared statement"), please be my guest.

Anyway, thanks for your feedback.

-- 
Lew Pitcher
"In Skills, We Trust"
PGP public key available upon request
Received on Mon Jul 03 2017 - 00:55:26 CEST
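The point the two posters are circling, shown in code. This is an added example, not code from either poster and not libmysqlclient: escape_for_mysql() is a hypothetical stand-in that applies the same backslash escapes mysql_real_escape_string() is documented to apply (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z) so the block compiles without a MySQL server; real code must call the real function through a MYSQL handle, because the real one is connection-charset aware, or bind parameters as Jerry suggests. build_query_unsafe() is the malloc()/sprintf() pattern the thread discusses with the external value dropped in raw; build_query_escaped() is the same pattern with the value escaped first. parse_literal() reads the literal back the way the server would, so the difference is observable without a database. The table, column and attacker input are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for mysql_real_escape_string(), NOT the libmysqlclient
 * function. It backslash-escapes the same byte set (NUL, \n, \r, \, ', " and
 * Ctrl-Z). dst must hold 2*len+1 bytes. Assumes a single-byte charset; the
 * real function needs the MYSQL handle precisely to get the charset right. */
size_t escape_for_mysql(char *dst, const char *src, size_t len)
{
    char *d = dst;
    for (size_t i = 0; i < len; i++) {
        char c = src[i];
        switch (c) {
        case '\0':   *d++ = '\\'; *d++ = '0';  break;
        case '\n':   *d++ = '\\'; *d++ = 'n';  break;
        case '\r':   *d++ = '\\'; *d++ = 'r';  break;
        case '\\':   *d++ = '\\'; *d++ = '\\'; break;
        case '\'':   *d++ = '\\'; *d++ = '\''; break;
        case '"':    *d++ = '\\'; *d++ = '"';  break;
        case '\x1a': *d++ = '\\'; *d++ = 'Z';  break;
        default:     *d++ = c;
        }
    }
    *d = '\0';
    return (size_t)(d - dst);
}

/* The malloc()/sprintf() pattern from the thread, value inserted raw.
 * Returns a heap string the caller frees, or NULL on allocation failure. */
char *build_query_unsafe(const char *name)
{
    static const char fmt[] = "INSERT INTO users (name) VALUES ('%s')";
    size_t n = sizeof fmt + strlen(name);   /* sizeof counts the NUL; "%s" leaves slack */
    char *q = malloc(n);
    if (!q) return NULL;
    snprintf(q, n, fmt, name);
    return q;
}

/* Same pattern, but the external string is escaped before formatting. */
char *build_query_escaped(const char *name)
{
    size_t len = strlen(name);
    char *esc = malloc(2 * len + 1);
    if (!esc) return NULL;
    escape_for_mysql(esc, name, len);
    char *q = build_query_unsafe(esc);      /* the format string itself is constant */
    free(esc);
    return q;
}

/* Decode the first single-quoted literal in q the way the server would,
 * honouring backslash escapes, into out (outsz >= strlen(q)+1 never truncates).
 * Returns a pointer to the text after the closing quote, NULL if unterminated. */
const char *parse_literal(const char *q, char *out, size_t outsz)
{
    const char *p = strchr(q, '\'');
    if (!p) return NULL;
    size_t n = 0;
    for (p++; *p; p++) {
        char c = *p;
        if (c == '\\' && p[1]) {
            p++;
            switch (*p) {
            case '0': c = '\0';   break;
            case 'n': c = '\n';   break;
            case 'r': c = '\r';   break;
            case 'Z': c = '\x1a'; break;
            default:  c = *p;     /* \\ \' \" decode to the character itself */
            }
        } else if (c == '\'') {
            if (n < outsz) out[n] = '\0';
            return p + 1;
        }
        if (n + 1 < outsz) out[n] = c;
        n++;
    }
    return NULL;
}

/* 1 if the value comes back unchanged from the built query and the query
 * ends with the template's ")" right after the literal; 0 if it broke out. */
int value_stays_in_literal(char *(*build)(const char *), const char *name)
{
    char *q = build(name);
    if (!q) return 0;
    char *val = malloc(strlen(q) + 1);
    if (!val) { free(q); return 0; }
    const char *rest = parse_literal(q, val, strlen(q) + 1);
    int ok = rest && strcmp(val, name) == 0 && strcmp(rest, ")") == 0;
    free(val);
    free(q);
    return ok;
}

int main(void)
{
    /* Constructed attacker input: closes the literal and appends a statement. */
    const char *evil = "x'); DROP TABLE users; -- ";
    char *raw = build_query_unsafe(evil);
    char *esc = build_query_escaped(evil);
    printf("raw:     %s\n", raw);
    printf("escaped: %s\n", esc);
    printf("raw stays in literal: %d, escaped stays in literal: %d\n",
           value_stays_in_literal(build_query_unsafe, evil),
           value_stays_in_literal(build_query_escaped, evil));
    free(raw);
    free(esc);
    return 0;
}
```

The check is deliberately about where the value ends, not about which keywords appear: escaping is only sound when the format string is constant and every external string value is escaped for the connection's charset, which is why the real mysql_real_escape_string() takes the MYSQL handle, and why binding parameters in a prepared statement removes the question entirely.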
