Sign in to follow this  
Landi20

mysql_query in c

Recommended Posts

Landi20    257
i cant put my select work i dont have any error this
this is the code
char Login(MYSQL *conn, MYSQL_RES *res, MYSQL_ROW row,char *user,char *password){conn = mysql_init (NULL);//printf("%s",user);       mysql_real_connect (conn, opt_host_name, opt_user_name, opt_password,    opt_db_name, opt_port_num, opt_socket_name, opt_flags);if(mysql_real_query(conn,"SELECT password From User where username='%s';",*user)){        fprintf(stderr, "%s \n", mysql_error(conn));	printf("ERRO %s",mysql_error(conn));        printf("Press any key to continue. . . \n");//        getch();        exit(1);    }     //printf("%s",user); res=mysql_use_result(conn);while((row = mysql_fetch_row(res))!=NULL){ if(strcmp(row[0],password)==0){printf("%s\n",row[0]);printf("DEU\n");exit(1);}elseprintf("ERRO");printf("%s\n",row[0]);mysql_close (conn);exit(1);}}//Connecção a base de dados char connection_database(MYSQL *conn, MYSQL_RES *res, MYSQL_ROW row){conn = mysql_init (NULL);    mysql_real_connect (conn, opt_host_name, opt_user_name, opt_password,    opt_db_name, opt_port_num, opt_socket_name, opt_flags);    if(mysql_query(conn, "show tables"))    {        fprintf(stderr, "%s \n", mysql_error(conn));        printf("Press any key to continue. . . \n");//        getch();        exit(1);    }        res = mysql_use_result(conn);     printf("Tables in database\n");    while((row = mysql_fetch_row(res)) != NULL)        printf("%s \n", row[0]);    mysql_close (conn);    printf("Press any key to continue . . . \n");}/*menuprincial(){} */int main (int argc, char *argv[]){    MYSQL *conn; /* pointer to connection handler */    MYSQL_RES *res; /* holds the result set */    MYSQL_ROW row;char password[200]="ola";char user[200]="admin";//connection_database(conn,res,row);    Login(conn,res,row,user,password);    return 0;}

Share this post


Link to post
Share on other sites
rip-off    10976

Please explain in a lot more detail what you are doing, what is happening in the program, and what is not happening.

 

Unfortunately the forum seems to have eaten the formatting of your code, so it would be a lot of work to reconstruct it manually. Can you post it again, taking care to ensure that the formatting is correct once you've posted.

 

However, I'd recommend you simplify the program first. It appears to be complex, try to simplify the program to the minimum amount required to reproduce the behaviour you're having trouble with. If possible, put all the code inside main(), and only include attempt a single, simple query.

 

One thing I did notice is:

 

mysql_real_query(conn,"SELECT password From User where username='%s';",*user)

This appears to be wrong in two ways.

 

  • The first is that you have a format string mismatch. You are dereferencing "user", yielding a single character, but you are using a format specifier for a NUL terminated character array.

     

     

     

  • The second is that the [url="http://dev.mysql.com/doc/refman/5.0/en/mysql-real-query.html"]mysql_real_query[/url] documentation says that this function does not take a format string arguments. It takes a string and a length. It just so happens that your *user character can be implicitly treated as a number. But the behaviour is undefined as the number has no relation to the actual length of the string.

     

     

    You'd have to build the query string first, and then pass it (along with the total length) to this function.

     

 

 

Another point for the future, you cannot safely pass user entered data directly in a query. One thing is that the user can add quote characters into their username, and the query will likely fail with a syntax error. Worse, you can end up with security problems, this is called [url="http://en.wikipedia.org/wiki/SQL_injection"]SQL injection[/url]. Two solutions are parameterised queries and escaping, the former being harder to mess up.

Edited by rip-off

Share this post


Link to post
Share on other sites
Landi20    257

put the query like this and problem solve

char ola[512];
    mysql_real_connect (conn, opt_host_name, opt_user_name, opt_password,
    opt_db_name, opt_port_num, opt_socket_name, opt_flags);
snprintf(ola,sizeof ola,"SELECT password From User where username=('%s');",user);
if(mysql_query(conn,ola)){
        fprintf(stderr, "%s \n", mysql_error(conn));
    printf("ERRO %s",mysql_error(conn));
        printf("Press any key to continue. . . \n");
//        getch();
        exit(1);
    }    
res=mysql_use_result(conn);
Edited by Landi20

Share this post


Link to post
Share on other sites
rip-off    10976

While the query may succeed, your updated code does not appear to address some of the other concerns I've raised. In particular, it is still vulnerable to SQL injection.

 

In fact, it introduces* a new issue, where the combined length of the query until the format specifier and the user's name could cause some of the final characters of the query to not be written to the string, again leading to potential syntax errors and related problems.

 

* Well, at the very least it highlights a pre-existing issue

Edited by rip-off

Share this post


Link to post
Share on other sites
rip-off    10976

We don't really "close" topics here. A topic naturally falls out of the active set as the conversation dies down. However, any member should feel free to weigh on on a topic should they feel the answers so far aren't complete, even if the OP has indicated they have "accepted" an answer.

 

That said, replying to excessively old threads is discouraged. The forum software should automatically archive old discussions after a number of months. This is for a few reasons:

[list]

[*] When a topic is too old, the information that was originally added may be out of date

[*] The original posters may no longer be active

[*] Some new people come across such topics via a web search, it might not be clear to them that the discussion has died off.

[/list]

For these reasons, creating a new thread is usually preferred.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this