Re: [CODE] calling char function from sprintf

From: George Greer
Date: 09/05/01

On Wed, 5 Sep 2001, Artovil wrote:

>When I use it in a sprintf all the values set with the char function end up
>being the same.  What am I doing wrong?

Fundamental lack of understanding of 'static' I'd say.
See your MySQL's: manual_toc.html#mysql_real_escape_string

  23.4.42 mysql_real_escape_string()

   unsigned int mysql_real_escape_string(MYSQL *mysql, char *to,
                                         const char *from, unsigned int length)

   Description

   This function is used to create a legal SQL string that you can use in a
   SQL statement. See section 7.1.1 Strings.

   The string in from is encoded to an escaped SQL string, taking into
   account the current character set of the connection. The result is
   placed in to and a terminating null byte is appended. Characters encoded
   are NUL (ASCII 0), `\n', `\r', `\', `'', `"', and Control-Z (see section
   7.1 Literals: How to Write Strings and Numbers).

   The string pointed to by from must be length bytes long. You must
   allocate the to buffer to be at least length*2+1 bytes long. (In the
   worst case, each character may need to be encoded using two bytes, and
   you need room for the terminating null byte.) When mysql_escape_string()
   returns, the contents of to will be a null-terminated string. The return
   value is the length of the encoded string, not including the terminating
   null character.

   Example

#include <stdio.h>
#include <mysql.h>   /* MYSQL, mysql_real_escape_string(), mysql_real_query(), mysql_error() */

/* 'mysql' is assumed to be an already-connected MYSQL handle. */
char query[1000],*end;

/* strmov() (mysqlclient) copies like strcpy() but returns a pointer to the
   terminating null, so each piece is appended where the last one ended. */
end = strmov(query,"INSERT INTO test_table values(");
*end++ = '\'';
end += mysql_real_escape_string(&mysql, end,"What's this",11);
*end++ = '\'';
*end++ = ',';
*end++ = '\'';
/* Length is passed explicitly because the data contains an embedded NUL. */
end += mysql_real_escape_string(&mysql, end,"binary data: \0\r\n",16);
*end++ = '\'';
*end++ = ')';

/* The query is sent with its length, not as a C string, for the same reason. */
if (mysql_real_query(&mysql,query,(unsigned int) (end - query)))
   fprintf(stderr, "Failed to insert row, Error: %s\n",
           mysql_error(&mysql));

   The strmov() function used in the example is included in the
   mysqlclient library and works like strcpy() but returns a pointer to
   the terminating null of the first parameter.

You should use that function instead of trying to write your own.  You'll
need to add '-lmysqlclient' to LIBS= in the Makefile if you're not already
using it.

You might also be able to temporarily override sprintf()'s '%s' specifier
to use mysql_real_escape_string() but you'll need a lot of experience (and
Linux glibc 2) to do that. I'm rather fond of Perl's handling of string

        $cur = $dbh->prepare('SELECT * FROM table WHERE foo=? AND bar=?');
        $cur->execute($foovalue, $barvalue);

I'd write a varargs wrapper to do that in C if I was using SQL.
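The varargs wrapper George describes, as an added example that is not his code or the manual's: build_query() and escape_sql() are hypothetical names, and escape_sql() is a stand-in for mysql_real_escape_string() so the block compiles without libmysqlclient (real code would call the library function with a live connection so the connection's character set is honoured).

```c
#include <stdarg.h>
#include <string.h>
/* Stand-in for mysql_real_escape_string(), assumed so this runs without
 * libmysqlclient: escapes the characters the manual lists (NUL, \n, \r, \,
 * ', ", Control-Z) into `to` (>= 2*length+1 bytes); returns encoded length. */
size_t escape_sql(char *to, const char *from, size_t length)
{
    char *p = to;
    for (size_t i = 0; i < length; i++) {
        unsigned char c = (unsigned char)from[i];
        switch (c) {
        case 0:    *p++ = '\\'; *p++ = '0';  break;
        case '\n': *p++ = '\\'; *p++ = 'n';  break;
        case '\r': *p++ = '\\'; *p++ = 'r';  break;
        case '\\': *p++ = '\\'; *p++ = '\\'; break;
        case '\'': *p++ = '\\'; *p++ = '\''; break;
        case '"':  *p++ = '\\'; *p++ = '"';  break;
        case 26:   *p++ = '\\'; *p++ = 'Z';  break;
        default:   *p++ = (char)c;           break;
        }
    }
    *p = '\0';
    return (size_t)(p - to);
}

/* Varargs builder: each '?' in fmt takes the next char * argument, escaped
 * into its own slot of `out` and quoted, so no static buffer is shared.
 * Returns the query length, or -1 if outsz bytes cannot hold it plus NUL. */
int build_query(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap; size_t used = 0;
    va_start(ap, fmt);
    for (const char *f = fmt; *f != '\0'; f++) {
        if (*f != '?') {
            if (used + 2 > outsz) { va_end(ap); return -1; }
            out[used++] = *f;
            continue;
        }
        const char *arg = va_arg(ap, const char *);
        size_t len = strlen(arg);
        if (used + 2 * len + 3 > outsz) { va_end(ap); return -1; }
        out[used++] = '\'';
        used += escape_sql(out + used, arg, len);
        out[used++] = '\'';
    }
    va_end(ap);
    out[used] = '\0';
    return (int)used;
}
```

Every '?' must have a matching argument, and the result is sized from the caller's buffer, so a too-small buffer fails rather than overflows.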

George Greer


This archive was generated by hypermail 2b30 : 12/06/01 PST