At 03:04 2001-09-05 -0700, George Greer wrote:
>On Wed, 5 Sep 2001, Artovil wrote:
>
> >Well, I thought about mysql_real_escape_string() as well before I
> >emailed, but to structure a query that has 68 columns in that manner
> >would take a bzillion lines of code. Are you sure that this is the only
> >way to do it? I can't use the sprintf?
>
>68 columns you're searching by or retrieving? If you're really searching
>by 68 columns something is very wrong. If you're retrieving, then the SQL
>database should unquote it for you.
It is an INSERT, the example I sent first illustrated this. I am inserting
with 68 columns. So I have to escape. I am not database stupid, I am code
stupid. There's a fine difference, and I hope it is clear enough now. ;)
> >Which is best, to do the 68 column query with mysql_real_escape_string()
> >and have about 136 *end++='\'' and 67 *end++=',' in there, or to use 68
> >temporary chars and just use sprintf() to put it all together?
>
>The '*end++' stuff in the example was to add some escape characters for
>demonstrations.
I am not sure if I understand you correctly here. Don't I have to add the
quotes like that since I am processing the strings with
mysql_real_escape_string()? Or am I entirely missing something? I do not
want to escape the quotes around the string, I want to escape the quotes
inside the string.
To clear up any semantical errors:
Correct:
INSERT INTO player_index (Name, Title) VALUES('George', 'George\'s the best!');
Broken:
INSERT INTO player_index (Name, Title) VALUES('George', 'George's the best!');
Even more broken:
INSERT INTO player_index (Name, Title) VALUES(\'George\', \'George\'s the
best!\');
So if I ran mysql_real_escape_string() on the whole string, it would escape
even the quotes around the strings, correct? That is undesireable, to say
the least. Or is it so smart that it actually sees what is a string quote,
and what is a quote within a string? The way I understood the example on
the MySQL page was that you had to put in the quotes yourself, that was how
the example itself was structured.
> >What if I had to loop something over, like player affects, and
> >concatenated insert strings together, and then ran that query? Which
> >option would be best then?
>
>Probably:
>
> strcpy(query, "SELECT ..."); // start it
> mysql_real_escape_string(handle, temp, quoteme, strlen(quoteme));
> strcat(query, temp);
> ...
>
>However, the correct answer for 68 query items is probably Don'tDoThat(tm).
Hehe. Well, I generally tend to narrow my SELECT's down to one or two
search items. If I can't do that, I tend to redesign my database so that I
can. It wasn't the database that was at fault, it was my coding skills.
> >And why is it so hard to use some kind of function inside a sprintf that
> >strips the ' and replaces them with \' instead? The one I had was
> >obviously wrong, but you never said what was wrong with it or why, you
> >just said it was due to lack of understanding static. That answer would
> >make sense if I actually DID understand static, but since I don't, you
> >know where this is all going...
>
>Only one static buffer exists by that name so your calls clobber each
>other. You need either a master temporary buffer or 68 little ones for
>each.
How would I do the master temp buffer?
Which is to prefer from a memory/speed point of view? Would the 68 little
ones suck up memory and not free it or something, or how does all this
work? I am not good with that kind of C code.
Kindest regards,
/Artovil
--
+---------------------------------------------------------------+
| FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
| Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
+---------------------------------------------------------------+
This archive was generated by hypermail 2b30 : 12/06/01 PST