Re: Programmers toolkit - C api sprintf-like mysql_query()

From: Jerry Stuckle <jstucklex_at_attglobal.net>
Date: Mon, 3 Jul 2017 08:20:42 -0400
Message-ID: <ojdcis$1rq$1_at_jstuckle.eternal-september.org>


On 7/3/2017 2:59 AM, The Natural Philosopher wrote:

> On 02/07/17 23:55, Lew Pitcher wrote:

>> Jerry Stuckle wrote:
>>
>>> On 7/2/2017 3:46 PM, Lew Pitcher wrote:
>>>> Jerry Stuckle wrote:
>>>>
>>>> [snip]
>>>>
>>>>> Ensure you call mysql_real_escape_string() for all non-numeric values
>>>>> that come from external sources. Failure to do so can lead to a SQL
>>>>> injection attack.
>>>>
>>>> Thanks for the reminder, Jerry.
>>>>
>>>> I don't see, however, how that suggestion has anything directly to do
>>>> with the code I posted, or the implementation pattern it replaces.
>>>>
>>>> To me, it is about as helpful as also reminding everyone who read my
>>>> post that they must call mysql_init() to obtain a valid dbm handle;
>>>> it's
>>>> true, and important, but irrelevant to the current discussion.
>>>>
>>>> But, thanks anyway for the reminder.
>>>>
>> [snip]
>>> when you add a string value to your INSERT (or any other)
>>> statement, you need to ensure the string is escaped by
>>> mysql_real_escape_string(). Your code doesn't do that,
>>
>> And, neither does a naked call to mysql_query().
>>
>> And, as I said earlier, my function is intended to substitute for the
>> malloc()/sprintf()/mysql_query()/free() pattern.
>>
>> As I said, I feel that your comment is about as relevant as an
>> observation
>> that you must first build a dbm handle using mysql_init() before using
>> it in
>> my function; it is both true and important, but irrelevant to the
>> discussion
>> of using one query function to substitute for another.
>>
>>> which leaves it open to a SQL injection attack.
>>
>>
>>
>>> Of course, if you BIND values instead, you don't need to escape the
>>> strings.
>>
>> And, as I said, a prepared statement would be overkill for the situation
>> that I see this function being used in.
>>
>> If you want to write a query function that either extends mine (by
>> calling
>> mysql_real_escape_string() where necessary, before calling
>> mysql_query() )
>> or replaces mine (by encapsulating logic to prepare and execute a
>> "prepared
>> statement"), please be my guest.
>>
>> Anyway, thanks for your feedback.
>>
> It's Jerry. He can safely be ignored. Attention is all he wants.
> 
> By the way I have done this, but in the end decided against it,
> 
> For one reason only. Debugging. It is very useful to print out the
> query when the SQL doesn't do what you want. Without doing anything to the
> database.
> 
> 
> 

So says the guy who has nothing constructive to add to the conversation but has to say something anyway. We know you are ignorant about programming, and are deathly afraid people will find out who you are. That's why you have to use a 'nym and a fake email address.

Go back to your ditch digging - if you can figure out which end of the shovel to use.

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex_at_attglobal.net
==================
Received on Mon Jul 03 2017 - 14:20:42 CEST
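Added example, not code from this thread, from Lew's posted function, or from the MySQL client library: the "extends mine by calling mysql_real_escape_string() where necessary" variant that Lew invites, written so it compiles and runs without a database. The names escape_sql_dup(), build_query() and the %q conversion are made up for this example. escape_sql_dup() is a stand-in that reproduces the backslash escaping mysql_real_escape_string() performs in the default SQL mode; real code must call mysql_real_escape_string() on the live connection instead, because the connection character set and the NO_BACKSLASH_ESCAPES SQL mode change the rules, and that is exactly why the library call takes a MYSQL*. The sample value "O'Brien" is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for mysql_real_escape_string() (example-only; the real call needs the
 * MYSQL* because charset and SQL mode change the rules). Returns a malloc()ed copy. */
char *escape_sql_dup(const char *in)
{
    static const char special[] = "\n\r\\'\"\x1a", repl[] = "nr\\'\"Z";
    size_t len = strlen(in), n = 0;
    char *out = malloc(2 * len + 1);            /* worst case: every byte doubles */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        const char *hit = strchr(special, in[i]); /* in[i] != 0 here: no hit on the NUL */
        if (!hit) { out[n++] = in[i]; continue; } /* ordinary byte, copied as-is */
        out[n++] = '\\';
        out[n++] = repl[hit - special];
    }
    out[n] = '\0';
    return out;
}

/* Append n bytes of s to a growable, NUL-terminated buffer; -1 if realloc fails. */
static int buf_append(char **buf, size_t *len, size_t *cap, const char *s, size_t n)
{
    if (*len + n + 1 > *cap) {
        size_t ncap = *cap ? *cap : 64;
        while (*len + n + 1 > ncap) ncap *= 2;
        char *nb = realloc(*buf, ncap);
        if (!nb) return -1;
        *buf = nb; *cap = ncap;
    }
    memcpy(*buf + *len, s, n);
    *len += n;
    (*buf)[*len] = '\0';
    return 0;
}

/* sprintf-like builder (hypothetical). %d: int. %s: SQL text the program wrote itself,
 * never external data. %q: a string VALUE, escaped and single-quoted. malloc()ed result. */
char *build_query(const char *fmt, ...)
{
    char *buf = NULL;
    size_t len = 0, cap = 0;
    va_list ap;
    va_start(ap, fmt);
    if (buf_append(&buf, &len, &cap, "", 0)) goto fail;   /* so "" yields "" */
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            if (buf_append(&buf, &len, &cap, p, 1)) goto fail;
            continue;
        }
        switch (*++p) {
        case 'd': {
            char tmp[32];
            int n = snprintf(tmp, sizeof tmp, "%d", va_arg(ap, int));
            if (buf_append(&buf, &len, &cap, tmp, (size_t)n)) goto fail;
            break;
        }
        case 's': {
            const char *s = va_arg(ap, const char *);
            if (buf_append(&buf, &len, &cap, s, strlen(s))) goto fail;
            break;
        }
        case 'q': {
            char *esc = escape_sql_dup(va_arg(ap, const char *));
            int err = !esc || buf_append(&buf, &len, &cap, "'", 1)
                           || buf_append(&buf, &len, &cap, esc, strlen(esc))
                           || buf_append(&buf, &len, &cap, "'", 1);
            free(esc);
            if (err) goto fail;
            break;
        }
        default:                    /* unknown conversion or trailing '%' */
            goto fail;
        }
    }
    va_end(ap);
    return buf;
fail:
    va_end(ap);
    free(buf);
    return NULL;
}

int main(void)
{
    const char *name = "O'Brien";   /* constructed sample: a legitimate value with a quote */
    char raw[96];
    /* The thread's sprintf()/mysql_query() pattern with the value dropped in raw:
     * the quote ends the literal early and the input itself is now writing SQL. */
    snprintf(raw, sizeof raw, "INSERT INTO users (name) VALUES ('%s')", name);
    printf("unescaped: %s\n", raw);
    char *q = build_query("INSERT INTO users (name) VALUES (%q)", name);
    printf("escaped:   %s\n", q ? q : "(error)");
    free(q);
    return 0;
}
```

Because build_query() hands back the finished string rather than sending it, the caller can print it before (or instead of) passing it to mysql_query(), which keeps the debugging property The Natural Philosopher mentions. The split between %s and %q is the whole point: table names and clauses the program itself wrote go through %s, every value from outside goes through %q, and a prepared statement with bound parameters remains the option that needs no escaping at all.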
