1

I wanted to use mysql_real_escape_string to handle apostrophe, backslashes etc. I searched and found this function 

unsigned long mysql_real_escape_string(MYSQL *mysql, 
     char *to, const char *from, unsigned long length)

But this takes MYSQL *, but I use this code to connect :

        sql::Driver *driver;
        sql::Connection *con;
        sql::Statement *stmt;


        // Create a connection
        driver = get_driver_instance();
        con = driver->connect("tcp://127.0.0.1:3306", "root", "anubha");
        con->setSchema("db");
        stmt = con->createStatement();

So if I don't have a MYSQL *mysql object as the function requires. If I do connection like this :

         MYSQL* conn = mysql_init(NULL);
          mysql_real_connect(conn,"tcp://127.0.0.1:3306", "root", 
          "anubha", "db" ,0,NULL,0);

Then as I have MYSQL* object I can use the function, but should I change the connection code just to use this function. Isn't there another function available ? Also what is the difference between the 2 ways to connect, is it C vs C++ mysql connector api difference ?

Anubha
  • 1,345
  • 6
  • 23
  • 35

1 Answers1

3

You may want to use prepared queries with C++ connector:

sql::Connection *con;
sql::PreparedStatement  *prep_stmt
// ...

prep_stmt = con->prepareStatement("INSERT INTO test(id, label) VALUES (?, ?)");

prep_stmt->setInt(1, 1);
prep_stmt->setString(2, "a");
prep_stmt->execute();

prep_stmt->setInt(1, 2);
prep_stmt->setString(2, "b");
prep_stmt->execute();

delete prep_stmt;
delete con;

http://dev.mysql.com/doc/refman/5.1/en/connector-cpp-examples-prepared-statements.html

Also, yes, mysql_real_* are part of C connector's API, and it is the only difference.

Nemanja Boric
  • 21,627
  • 6
  • 67
  • 91
  • will using prepareStatement handle the escape characters like ' \ etc ? – Anubha Aug 22 '13 at 10:44
  • Yes, it will. http://www.theserverside.com/news/1365244/Why-Prepared-Statements-are-important-and-how-to-use-them-properly – Nemanja Boric Aug 22 '13 at 10:45
  • It is showing warning prep_stmt’ has incomplete type [enabled by default] and throwing error on lines where I use prep_stmt : error: invalid use of incomplete type ‘class sql::PreparedStatement’ – Anubha Aug 22 '13 at 10:54
  • Well, I guess you need to include – Nemanja Boric Aug 22 '13 at 10:56
  • Yes it works, Thanks, But I am wondering if using prepareStatement solves the sql injection and ' \ '' etc issues, why mysql_real_escape_string function exists ? – Anubha Aug 22 '13 at 11:00
  • It solves sql injection, and you can try it for yourself. `mysql_real_escape_string` belongs to C connector's API. Prepared statements are more reliable way to do this. There may even be any escaping, as database knows what fields are data placeholders, so it will never parse it like a part of a command. Take a look into http://stackoverflow.com/questions/732561/why-is-using-a-mysql-prepared-statement-more-secure-than-using-the-common-escape and http://stackoverflow.com/questions/3358950/real-escape-string-vs-prepared-statements. – Nemanja Boric Aug 22 '13 at 11:06