Marco Mac

Reputation: 79

How can I prevent SQL injection in C using a prepared statement?

I have to protect my software from SQL Injection.

Here is an example of my C code:

char myquery[QUERY_LEN];
/* the user-controlled name is interpolated straight into the SQL text, so its
   contents can change the meaning of the query; sprintf also has no bounds
   check against QUERY_LEN */
sprintf(myquery, "select * from patient p where p.id_doc='%s'", us_names[index].name);

if (mysql_query(conn, myquery)) {
    fprintf(stderr, "%s\n", mysql_error(conn));
    exit(1);
}

I want to use a prepared statement, because I read that it is the best solution, but I don't understand how it works.

I used Google but I didn't find any example in C.

Can you make me an example with my code?

Upvotes: 1

Views: 4296

Answers (1)

Sebastian

Reputation: 8154

Welcome to SO. You won't find complete examples for your code, just generic examples. If you want to learn more about prevention of code injection, then google for that topic, not for your specific problem.

Some articles:

Upvotes: 4
