Efficiently escaping quotes in C before passing to mysql_query


Problem description

In a nutshell I typically build a MySQL query within C using sprintf

/* some_desc is pasted into the query text as-is, with no escaping and no bound on sqlcmd */
sprintf(sqlcmd,"update foo set dog=\"lab\" where description=\"%s\"",some_desc);
mysql_query(some_conn,sqlcmd);

However if some_desc is something like Crazy 5" Dog, then MySql Server screams, as it's confused over the dangling quote.

Is it best, within C, to scan some_desc replacing " with "", OR is there a function in MySql to wrap this better... i.e. description=string(Crazy 5" Dog) ?

Thanks!

Recommended answer

Although MySQL has a mysql_real_escape_string() function (http://dev.mysql.com/doc/refman/5.5/en/mysql-real-escape-string.html), you should probably be using prepared statements instead, which allow you to use ? placeholders instead of real parameters, and then bind them to the real parameters before each execution of the statement.
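The following is an added example, not code from the question or the answer, showing what the "scan and replace" approach from the question has to do to be correct: escape_for_mysql() and build_update_query() are hypothetical names, the escaping rules are the ones the MySQL manual documents for mysql_real_escape_string() (backslash, both quote characters, NUL, newline, carriage return and Ctrl-Z each get a backslash prefix, so the output buffer needs 2*len+1 bytes), and unlike the library call it is not aware of the connection character set, so it is a stand-in for learning rather than a replacement for the library function or for prepared statements. It also bounds the final query with snprintf instead of sprintf.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original post). Escapes `len` bytes of `in`
 * into `out` following the rules documented for mysql_real_escape_string().
 * Not charset-aware, unlike the real library call. `out` must have room for
 * at least 2*len+1 bytes. Returns the length of the escaped string. */
size_t escape_for_mysql(char *out, const char *in, size_t len) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        switch (c) {
        case '\\':   out[o++] = '\\'; out[o++] = '\\'; break;
        case '\'':   out[o++] = '\\'; out[o++] = '\''; break;
        case '"':    out[o++] = '\\'; out[o++] = '"';  break;
        case '\0':   out[o++] = '\\'; out[o++] = '0';  break;
        case '\n':   out[o++] = '\\'; out[o++] = 'n';  break;
        case '\r':   out[o++] = '\\'; out[o++] = 'r';  break;
        case '\032': out[o++] = '\\'; out[o++] = 'Z';  break;
        default:     out[o++] = c;
        }
    }
    out[o] = '\0';
    return o;
}

/* Builds the UPDATE from the question with the description escaped and the
 * query length bounded by snprintf. Returns a malloc'd string (caller frees)
 * or NULL on allocation failure. */
char *build_update_query(const char *some_desc) {
    size_t len = strlen(some_desc);
    char *esc = malloc(2 * len + 1);          /* worst case: every byte doubled */
    if (!esc) return NULL;
    escape_for_mysql(esc, some_desc, len);
    const char *fmt = "update foo set dog=\"lab\" where description=\"%s\"";
    size_t need = strlen(fmt) + strlen(esc) + 1;
    char *sqlcmd = malloc(need);
    if (sqlcmd) snprintf(sqlcmd, need, fmt, esc);
    free(esc);
    return sqlcmd;
}

int main(void) {
    /* Constructed sample input: the value from the question. */
    char *q = build_update_query("Crazy 5\" Dog");
    if (q) { puts(q); free(q); }
    return 0;
}
```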

