How to prepare a C++ string for sql query

Question

I have to prepare strings to be suitable for queries because these strings will be used in the queries as field values. if they contain a ' etc the sql query fails to execute.

I therefore want to replace ' with '' I have seen the code to find and replace a substring with a substring. but I guess the problem is a little tricky because replacing string also contains two single quotes '' replacing one quote ' so when I have to find the next occurance it would encounter a ' which was intentionally replaced.

I am using Sql lite C api and the example query might look like this

 select * from persons where name  = 'John' D'oe'

Since John Doe contain a ' the query will fail , so I want all occurances of ' in the name to replaced with ''

Any ideas how you guys prepares your field values in query to be used in sql ??? may be it's a basic thing but I am not too smart in C/C++.

your help would be very helpful

Answer 1

Use queries with arguments instead of replacing stuff, which could lead to several problems (like SQL injection vulnerabilities).

MySQL example:

sql::Connection *con = ...;
string query = "SELECT * FROM TABLE WHERE ID = ?";
sql::PreparedStatement *prep_stmt = con->prepareStatement(query);
prep_stmt->setInt(1, 1); // Replace first argument with 1
prep_stmt->execute();

This will execute SELECT * FROM TABLE WHERE ID = 1.

EDIT: more info for SQLite prepared statements here and here.

Answer 2

It depends on the SQL Library you are using. Some of them will have the concept of a PreparedStatement, which you will use question marks in place of the variables, then when you set those variables on the statement, it will internally ensure that you cannot inject sql commands.