Reputation: 3153
I used MySQL Connector and extracted data from the database in Visual Studio 2010. I also inserted data successfully as a value, but failed to insert data with a variable. I need help, please.
This one worked:
mysql_query(connect,"INSERT INTO input VALUES(111,'Bangladesh','Khulna','Male','Muhammad Ashikuzzaman KUET','b+')");
But these are not working:
str="Muhammad Ashikuzzaman KUET";
mysql_query(connect,"INSERT INTO input VALUES(111,'Bangladesh','Khulna','Male','@str','b+')");
or
mysql_query(connect,"INSERT INTO input VALUES(111,'Bangladesh','Khulna','Male',@str,'b+')");
Please suggest a solution.
Upvotes: 1
Views: 186
Reputation: 15915
You have to create the string before calling mysql_query():
char statement[512], *str = "Muhammad Ashikuzzaman KUET";
snprintf(statement, sizeof statement, "INSERT INTO input VALUES(111,'Bangladesh','Khulna','Male','%s','b+')", str);
mysql_query(connect, statement);
Also, be careful when creating those query strings. Don't use functions like sprintf() if you cannot be sure how long the resulting string is. Don't write over the boundaries of the memory segment.
Edit
As a precaution, you can additionally use mysql_real_escape_string() if the string usually comes from arbitrary sources:
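#include <stdio.h>
#include <string.h>
#include <mysql.h>

int insertData(MYSQL *connect, char *str, int str_len) {
    if (str_len < 0) {
        str_len = strlen(str);  /* negative length: treat str as NUL-terminated */
    }
    char esc[2 * str_len + 1];  /* worst case: every byte gets escaped */
    mysql_real_escape_string(connect, esc, str, str_len);
    char statement[512];
    int n = snprintf(statement, sizeof statement, "INSERT INTO input VALUES(111,'Bangladesh','Khulna','Male','%s','b+')", esc);
    if (n < 0 || (size_t)n >= sizeof statement) {
        return -1;  /* statement did not fit; do not send a truncated query */
    }
    return mysql_query(connect, statement);
}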
Also, here I've assumed your input string is small enough to fit into a 512-character string. Practically, it won't work. So declare the length of statement as variable, according to the input string length plus some extra length to fit together with the query string.
Upvotes: 3
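Added example, not part of the answer above: the answer's closing advice (size the statement from the input instead of a fixed 512 bytes) carried through with heap buffers. The names build_insert and escape_stub are hypothetical; escape_stub is only an offline stand-in for mysql_real_escape_string() so the block runs without a server, and real code should call the client library function with the live connection.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offline stand-in (assumption) for mysql_real_escape_string(): same
 * 2*len+1 buffer contract, but NOT charset-aware. In real code, call the
 * client library function with the live connection instead. */
static unsigned long escape_stub(char *to, const char *from, unsigned long len)
{
    char *out = to;
    for (unsigned long i = 0; i < len; i++) {
        char c = from[i];
        switch (c) {
        case '\0': *out++ = '\\'; *out++ = '0'; break;
        case '\n': *out++ = '\\'; *out++ = 'n'; break;
        case '\r': *out++ = '\\'; *out++ = 'r'; break;
        case 26:   *out++ = '\\'; *out++ = 'Z'; break;   /* Ctrl-Z */
        case '\\': case '\'': case '"':
            *out++ = '\\'; *out++ = c; break;
        default:   *out++ = c;
        }
    }
    *out = '\0';
    return (unsigned long)(out - to);
}

/* Build the INSERT with a heap buffer sized from the escaped value, so a
 * long name is never truncated. Caller frees the result; NULL on error. */
char *build_insert(const char *name, size_t name_len)
{
    static const char fmt[] =
        "INSERT INTO input VALUES(111,'Bangladesh','Khulna','Male','%s','b+')";
    char *stmt = NULL, *esc;
    /* 2*len+1 is the worst case (every byte escaped); guard the multiply. */
    if (name_len > (SIZE_MAX - 1) / 2 || (esc = malloc(2 * name_len + 1)) == NULL)
        return NULL;
    escape_stub(esc, name, (unsigned long)name_len);

    int need = snprintf(NULL, 0, fmt, esc);    /* length without the NUL */
    if (need >= 0 && (stmt = malloc((size_t)need + 1)) != NULL)
        snprintf(stmt, (size_t)need + 1, fmt, esc);
    free(esc);
    return stmt;
}
```

The returned string is what would be passed to mysql_query(); a NULL return means nothing should be sent.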