I am writing a C application that takes some user input and does a few database queries. I am well aware of the risks here of SQL injection and wish to prevent it.
Ideally I would use parameterized queries, but have been unable to find anything with this functionality in C so far. I am currently constructing my queries as such:
char *query;
asprintf(&query, "UPDATE SomeTable SET SomeField='%s';", userInput);
If I am unable to do this, then I must need to filter the user input. How should this filtering be done? Is it enough to just remove all 's and "s? (Valid inputs cannot contain them). If so, what is the easiest way of doing this in C?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
