#Actual rip-off

Posted 09 March 2013 - 10:03 AM

Please explain in a lot more detail what you are doing, what is happening in the program, and what is not happening.

 

Unfortunately the forum seems to have eaten the formatting of your code, so it would be a lot of work to reconstruct it manually. Can you post it again, taking care to ensure that the formatting is correct once you've posted?

 

However, I'd recommend you simplify the program first. It appears to be complex; try to simplify the program to the minimum amount required to reproduce the behaviour you're having trouble with. If possible, put all the code inside main(), and only attempt a single, simple query.

 

One thing I did notice is:

 

mysql_real_query(conn,"SELECT password From User where username='%s';",*user)

This appears to be wrong in two ways.

 

  • The first is that you have a format string mismatch. You are dereferencing "user", yielding a single character, but you are using a format specifier for a NUL terminated character array.

  • The second is that the mysql_real_query documentation says that this function does not take format string arguments. It takes a string and a length. It just so happens that your *user character can be implicitly treated as a number. But the behaviour is undefined as the number has no relation to the actual length of the string.

    You'd have to build the query string first, and then pass it (along with the total length) to this function.


Another point for the future: you cannot safely pass user entered data directly in a query. One thing is that the user can add quote characters into their username, and the query will likely fail with a syntax error. Worse, you can end up with security problems; this is called SQL injection. Two solutions are parameterised queries and escaping, the former being harder to mess up.
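
Added example, not part of rip-off's post or the original poster's program: one way to build the statement first, escape the user name, and obtain the length that mysql_real_query takes as its third argument. The names MAX_USER, escape_fn, standin_escape and build_user_query are hypothetical, and standin_escape is a constructed stand-in so the block runs without libmysqlclient; real code would wrap mysql_real_escape_string there.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER 64  /* assumed upper bound on user name length */

/* Escaper signature used by this example (hypothetical): writes the escaped
 * form of from[0..n) into to, NUL-terminates it, returns the escaped length.
 * `to` must hold 2*n+1 bytes, the same bound mysql_real_escape_string needs. */
typedef unsigned long (*escape_fn)(char *to, const char *from, unsigned long n);

/* Constructed stand-in so the example runs offline. Real code should wrap
 * mysql_real_escape_string(conn, to, from, n), which also takes the
 * connection character set into account. */
static unsigned long standin_escape(char *to, const char *from, unsigned long n)
{
    unsigned long o = 0;
    for (unsigned long i = 0; i < n; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[o++] = '\\';
        to[o++] = from[i];
    }
    to[o] = '\0';
    return o;
}

/* Build the complete statement first. Returns its length (the third argument
 * mysql_real_query expects), or 0 if the name or the query does not fit. */
unsigned long build_user_query(char *out, size_t cap, const char *user,
                               escape_fn esc)
{
    char safe[2 * MAX_USER + 1];        /* worst case: every byte escaped */
    size_t ulen = strlen(user);
    if (ulen > MAX_USER)
        return 0;                       /* reject over-long names, never truncate */
    esc(safe, user, (unsigned long)ulen);
    int n = snprintf(out, cap,
                     "SELECT password FROM User WHERE username='%s'", safe);
    if (n < 0 || (size_t)n >= cap)
        return 0;                       /* a truncated query must never be sent */
    return (unsigned long)n;
}

int main(void)
{
    char q[256];
    unsigned long len = build_user_query(q, sizeof q, "o'brien", standin_escape);
    /* With a live connection: mysql_real_query(conn, q, len); */
    printf("%lu bytes: %s\n", len, q);
    return len ? 0 : 1;
}
```

A parameterised query through the mysql_stmt_* functions removes the escaping step altogether, which is why the post calls it the harder option to mess up.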

