Max
Max

Reputation: 395

how to build sql queries using c

I was wondering if it is possible to build a string with the following code

char query[512];
char *insert = "insert into tableName values("%s, "%s");"
strcpy(query, insert);
method("max", "1234"); //function which adds values inro %s

My questions, how can I add another char array into in place of %s if it is possible? Thanks beforehand.

Upvotes: 1

Views: 573

Answers (1)

jobinrjohnson
jobinrjohnson

Reputation: 558

use sprintf() so that you can replace the %s with char array https://linux.die.net/man/3/sprintf

char query[512];
char *insert = "insert into tableName values(\'%s\',\'%s\');";
sprintf(query, insert, "max","234");
printf("%s",query);

This is actually a bad approach. This will introduce SQL Injection vulnerabilities.

Upvotes: 2

Related Questions