Re: Programmers toolkit - C api sprintf-like mysql_query()

From: The Natural Philosopher <tnp_at_invalid.invalid>
Date: Mon, 3 Jul 2017 07:59:46 +0100
Message-ID: <ojcppv$6jo$1_at_dont-email.me>


On 02/07/17 23:55, Lew Pitcher wrote:
> Jerry Stuckle wrote:
>

>> On 7/2/2017 3:46 PM, Lew Pitcher wrote:
>>> Jerry Stuckle wrote:
>>>
>>> [snip]
>>>
>>>> Ensure you call mysql_real_escape_string() for all non-numeric values
>>>> that come from external sources.  Failure to do so can lead to a SQL
>>>> injection attack.
>>>
>>> Thanks for the reminder, Jerry.
>>>
>>> I don't see, however, how that suggestion has anything directly to do
>>> with the code I posted, or the implementation pattern it replaces.
>>>
>>> To me, it is about as helpful as also reminding everyone who read my
>>> post that they must call mysql_init() to obtain a valid dbm handle; it's
>>> true, and important, but irrelevant to the current discussion.
>>>
>>> But, thanks anyway for the reminder.
>>>

> [snip]
>> when add a string value to your INSERT (or any other)
>> statement, you need to ensure the string is escaped by
>> mysql_real_escape_string().  Your code doesn't do that,

>
> And, neither does a naked call to mysql_query().
>
> And, as I said earlier, my function is intended to substitute for the
> malloc()/sprintf()/mysql_query()/free() pattern.
>
> As I said, I feel that your comment is about as relevant as an observation
> that you must first build a dbm handle using mysql_init() before using it in
> my function; it is both true and important, but irrelevant to the discussion
> of using one query function to substitute for another.
>
>> which leaves it open to a SQL injection attack.

>
>
>
>> Of course, if you BIND values instead, you don't need to escape the
>> strings.

>
> And, as I said, a prepared statement would be overkill for the situation
> that I see this function being used in.
>
> If you want to write a query function that either extends mine (by calling
> mysql_real_escape_string() where necessary, before calling mysql_query() )
> or replaces mine (by encapsulating logic to prepare and execute a "prepared
> statement"), please be my guest.
>
> Anyway, thanks for your feedback.
>
It's Jerry. He can safely be ignored. Attention is all he wants.

By the way, I have done this, but in the end decided against it,

For one reason only. Debugging. It is very useful to print out the query when the SQL doesn't do what you want. Without doing anything to the database.

-- 
Religion is regarded by the common people as true, by the wise as 
foolish, and by the rulers as useful.

(Seneca the Younger, 65 AD)
Received on Mon Jul 03 2017 - 08:59:46 CEST
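The "extend it by escaping before mysql_query()" variant discussed above, as an added example that is not code from anyone in the thread: a sprintf-like builder that escapes every %s argument itself, so the caller cannot forget to. It assumes a stand-in escape routine (escape_sql_literal, same characters and escapes as mysql_real_escape_string() but not charset-aware) so that it compiles without libmysqlclient; the hand-off to mysql_query() is left to the caller.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for mysql_real_escape_string(): same seven characters, same backslash
 * escapes; used only so this builds offline. 'to' needs 2*len+1 bytes. */
size_t escape_sql_literal(char *to, const char *from, size_t len)
{
    static const char special[] = "\0\n\r\\'\"\x1a", repl[] = "0nr\\'\"Z";
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        const char *hit = memchr(special, (unsigned char)from[i], sizeof special - 1);
        if (hit) { *p++ = '\\'; *p++ = repl[hit - special]; }
        else *p++ = from[i];
    }
    *p = '\0';
    return (size_t)(p - to);
}

/* sprintf-like builder in the spirit of the thread's wrapper, except every %s
 * argument is escaped before it is spliced in; the format must still quote it,
 * exactly as with mysql_real_escape_string(). %d passes through unescaped.
 * Returns a malloc'd string (NULL on allocation failure); the caller frees it. */
char *build_query(const char *fmt, ...)
{
    size_t cap = 128, len = 0;
    char *out = malloc(cap), tmp[32], *esc;
    va_list ap; va_start(ap, fmt);
    for (; out && *fmt; fmt++) {
        const char *piece = tmp; esc = NULL;
        if (fmt[0] == '%' && fmt[1] == 's') {            /* untrusted text */
            const char *s = va_arg(ap, const char *);
            if (!(esc = malloc(2 * strlen(s) + 1))) { free(out); out = NULL; break; }
            escape_sql_literal(esc, s, strlen(s));
            piece = esc; fmt++;
        } else if (fmt[0] == '%' && fmt[1] == 'd') {     /* numeric, no escaping */
            snprintf(tmp, sizeof tmp, "%d", va_arg(ap, int)); fmt++;
        } else { tmp[0] = *fmt; tmp[1] = '\0'; }         /* literal SQL text */
        size_t n = strlen(piece);
        if (len + n + 1 > cap) {                         /* grow the buffer */
            char *grown = realloc(out, cap = 2 * (len + n + 1));
            if (!grown) free(out);
            out = grown;
        }
        if (out) { memcpy(out + len, piece, n + 1); len += n; }
        free(esc);
    }
    va_end(ap);
    return out;
}
```

Against a live connection the stand-in must be replaced by mysql_real_escape_string(conn, ...), since correct escaping depends on the connection's character set; binding parameters in a prepared statement, as suggested in the thread, sidesteps the escaping question entirely.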
