
mysql_query in c


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

  • You cannot reply to this topic
8 replies to this topic

#1 Landi20   Members   -  Reputation: 163

Like
0Likes
Like

Posted 09 March 2013 - 08:57 AM

I can't make my select work; I don't have any error.
This is the code:

char Login(MYSQL *conn, MYSQL_RES *res, MYSQL_ROW row,char *user,char *password){
    conn = mysql_init (NULL);
    //printf("%s",user);
    mysql_real_connect (conn, opt_host_name, opt_user_name, opt_password,
        opt_db_name, opt_port_num, opt_socket_name, opt_flags);
    if(mysql_real_query(conn,"SELECT password From User where username='%s';",*user)){
        fprintf(stderr, "%s \n", mysql_error(conn));
        printf("ERRO %s",mysql_error(conn));
        printf("Press any key to continue. . . \n");
        //        getch();
        exit(1);
    }
    //printf("%s",user);
    res=mysql_use_result(conn);
    while((row = mysql_fetch_row(res))!=NULL){
        if(strcmp(row[0],password)==0){
            printf("%s\n",row[0]);
            printf("DEU\n");
            exit(1);
        }
        else
            printf("ERRO");
        printf("%s\n",row[0]);
        mysql_close (conn);
        exit(1);
    }
}

// Connection to the database
char connection_database(MYSQL *conn, MYSQL_RES *res, MYSQL_ROW row){
    conn = mysql_init (NULL);
    mysql_real_connect (conn, opt_host_name, opt_user_name, opt_password,
        opt_db_name, opt_port_num, opt_socket_name, opt_flags);
    if(mysql_query(conn, "show tables"))
    {
        fprintf(stderr, "%s \n", mysql_error(conn));
        printf("Press any key to continue. . . \n");
        //        getch();
        exit(1);
    }
    res = mysql_use_result(conn);
    printf("Tables in database\n");
    while((row = mysql_fetch_row(res)) != NULL)
        printf("%s \n", row[0]);
    mysql_close (conn);
    printf("Press any key to continue . . . \n");
}

/*menuprincial(){} */

int main (int argc, char *argv[]){
    MYSQL *conn; /* pointer to connection handler */
    MYSQL_RES *res; /* holds the result set */
    MYSQL_ROW row;
    char password[200]="ola";
    char user[200]="admin";
    //connection_database(conn,res,row);
    Login(conn,res,row,user,password);
    return 0;
}



#2 rip-off   Moderators   -  Reputation: 7632

Like
3Likes
Like

Posted 09 March 2013 - 10:03 AM

Please explain in a lot more detail what you are doing, what is happening in the program, and what is not happening.

 

Unfortunately the forum seems to have eaten the formatting of your code, so it would be a lot of work to reconstruct it manually. Can you post it again, taking care to ensure that the formatting is correct once you've posted.

 

However, I'd recommend you simplify the program first. It appears to be complex, try to simplify the program to the minimum amount required to reproduce the behaviour you're having trouble with. If possible, put all the code inside main(), and only include a single, simple query.

 

One thing I did notice is:

 

mysql_real_query(conn,"SELECT password From User where username='%s';",*user)

This appears to be wrong in two ways.

 

  • The first is that you have a format string mismatch. You are dereferencing "user", yielding a single character, but you are using a format specifier for a NUL terminated character array.

  • The second is that the mysql_real_query documentation says that this function does not take format string arguments. It takes a string and a length. It just so happens that your *user character can be implicitly treated as a number. But the behaviour is undefined as the number has no relation to the actual length of the string.

    You'd have to build the query string first, and then pass it (along with the total length) to this function.

Another point for the future, you cannot safely pass user entered data directly in a query. One thing is that the user can add quote characters into their username, and the query will likely fail with a syntax error. Worse, you can end up with security problems, this is called SQL injection. Two solutions are parameterised queries and escaping, the former being harder to mess up.


Edited by rip-off, 09 March 2013 - 10:03 AM.


#3 Landi20   Members   -  Reputation: 163

Like
-5Likes
Like

Posted 09 March 2013 - 11:07 AM

I solved the problem


Edited by Landi20, 09 March 2013 - 12:16 PM.


#4 minibutmany   Members   -  Reputation: 1426

Like
1Likes
Like

Posted 09 March 2013 - 12:25 PM

I solved the problem

How did you go about solving it?

Your solution may be useful to someone with similar issues.


Stay gold, Pony Boy.

#5 Landi20   Members   -  Reputation: 163

Like
0Likes
Like

Posted 10 March 2013 - 08:17 AM

Put the query like this and the problem is solved:

char ola[512];
mysql_real_connect (conn, opt_host_name, opt_user_name, opt_password,
    opt_db_name, opt_port_num, opt_socket_name, opt_flags);
snprintf(ola,sizeof ola,"SELECT password From User where username=('%s');",user);
if(mysql_query(conn,ola)){
    fprintf(stderr, "%s \n", mysql_error(conn));
    printf("ERRO %s",mysql_error(conn));
    printf("Press any key to continue. . . \n");
    //        getch();
    exit(1);
}
res=mysql_use_result(conn);

Edited by Landi20, 10 March 2013 - 08:18 AM.


#6 rip-off   Moderators   -  Reputation: 7632

Like
0Likes
Like

Posted 11 March 2013 - 02:53 PM

While the query may succeed, your updated code does not appear to address some of the other concerns I've raised. In particular, it is still vulnerable to SQL injection.

 

In fact, it introduces* a new issue, where the combined length of the query until the format specifier and the user's name could cause some of the final characters of the query to not be written to the string, again leading to potential syntax errors and related problems.

 

* Well, at the very least it highlights a pre-existing issue


Edited by rip-off, 11 March 2013 - 02:53 PM.
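An added example, not code from any poster in this thread: it builds the thread's SELECT with snprintf, checks the return value for the truncation described in post #6, and returns the length that mysql_real_query needs as its third argument (post #2). The helper name build_user_query and the Q_* codes are hypothetical, the sample names are constructed, and the helper refuses names containing quote-like characters instead of escaping them by hand.

```c
#include <stdio.h>
#include <string.h>

#define Q_TRUNCATED (-1)  /* statement did not fit in the buffer */
#define Q_BAD_INPUT (-2)  /* name contains a character that would need escaping */

/* Hypothetical helper (not from the thread): write the thread's SELECT into
 * buf and return its length, the value mysql_real_query() expects as its
 * third argument. Returns a negative code instead of a damaged statement. */
long build_user_query(char *buf, size_t cap, const char *user)
{
    /* Refuse rather than hand-escape: correct escaping depends on the
     * connection character set, which only the client library knows. */
    if (strpbrk(user, "'\"\\") != NULL)
        return Q_BAD_INPUT;
    for (const unsigned char *p = (const unsigned char *)user; *p; p++)
        if (*p < 0x20 || *p == 0x7f)          /* control characters */
            return Q_BAD_INPUT;

    int n = snprintf(buf, cap,
                     "SELECT password From User where username='%s';", user);
    /* snprintf returns the length it wanted to write; n >= cap means the
     * tail of the statement (closing quote, semicolon) was cut off. */
    if (n < 0 || (size_t)n >= cap)
        return Q_TRUNCATED;
    return n;
}

int main(void)
{
    char q[64];                    /* small on purpose, to show truncation */
    char longname[100];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    const char *samples[] = { "admin", "o'brien", longname }; /* constructed */
    for (size_t i = 0; i < 3; i++) {
        long len = build_user_query(q, sizeof q, samples[i]);
        if (len >= 0)
            printf("ok   len=%ld  %s\n", len, q);
        else
            printf("skip code=%ld (query not sent)\n", len);
    }
    return 0;
}
```

With the parameterised route mentioned in post #2 (mysql_stmt_prepare() with a ? placeholder and mysql_stmt_bind_param()), the name never becomes part of the SQL text, so the character check is no longer needed.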


#7 Landi20   Members   -  Reputation: 163

Like
0Likes
Like

Posted 25 July 2013 - 01:15 PM

OK thanks, topic can be closed



#8 rip-off   Moderators   -  Reputation: 7632

Like
0Likes
Like

Posted 26 July 2013 - 08:36 AM

We don't really "close" topics here. A topic naturally falls out of the active set as the conversation dies down. However, any member should feel free to weigh in on a topic should they feel the answers so far aren't complete, even if the OP has indicated they have "accepted" an answer.

 

That said, replying to excessively old threads is discouraged. The forum software should automatically archive old discussions after a number of months. This is for a few reasons:

  • When a topic is too old, the information that was originally added may be out of date

  • The original posters may no longer be active

  • Some new people come across such topics via a web search, it might not be clear to them that the discussion has died off.

For these reasons, creating a new thread is usually preferred.



#9 Landi20   Members   -  Reputation: 163

Like
0Likes
Like

Posted 26 July 2013 - 03:44 PM

ok thanks








