I a C program I have a function that takes in parameter a domain name:
void db_domains_query(char *name);
With mysql_query() I test if the domain name is existing in a database. If it's not the case, I insert the new domain name:
...
char *query[400];
sprintf(query, "SELECT Id, DomainName FROM domains WHERE domainName LIKE '%s'", name);
if (mysql_query(con, query))
finish_with_error(con);
MYSQL_RES *result = mysql_store_result(con);
if (result == NULL)
finish_with_error(con);
MYSQL_ROW row;
if ((row = mysql_fetch_row(result)))
printf("Element exists : %s %s\n", row[0], row[1]);
else
printf("Element %s doesn't found\n", name);
// Then insert the new domain name ...
This portion of code works perfectly if name contains only "normal characters". However, for domain names that contain "special characters" the query seems incorrect even if those are in the database for instance :
name = undaben.de : Element exists : 100 undaben.de
name = ®here.com : Element ®here.com is not found.
name = §travel.us : Element §travel.us is not found.
Extract of the table :
+-----+--------------+
| id | domainname |
+-----+--------------+
| 100 | undaben.de |
| 162 | §travel.us |
| 197 | ®here.com |
+-----+--------------+
The collation of the field domainname is utf8_unicode_ci.
So how can I pass to mysql_query all domain names including the "special" ones ?
I recommend you to avoid the C API unless you have a compelling reason to use it. The C++ API es way more usable.
You are embedding your arguments within your query string. This has a number of problems, including security risks. If you insist in this approach, in order to prevent problems with parameters messing with your query, you need to ensure a few things:
Make sure that your data encoding matches the encoding of the MySQL Client connection (this may be different from your database encoding). If your connection is set up as UTF-8, then you need to make sure that special characters such as © are encoded also in UTF-8 when used as input to the sprintf function.
You also need to protect from other SQL escape characters (like '). For this you can use the mysql_real_escape_string function, as mentioned in Efficiently escaping quotes in C before passing to mysql_query.
However, you should very likely be using prepared statements which circumvent these issues. You still need to make sure that your input data encoding matches the encoding of your client connection, but everything else shall be easier to handle.
I paste an example of a parameterized query using the C API with prepared statements looks like (example from http://lgallardo.com/2011/06/23/sentencias-preparadas-de-mysql-en-c-ejemplo-completo/). Note the example is for integers, not strings, you need to adapt to your use case.
sql = "select count(*) from addresses where id = ?";
// Open Database
openDB(&conn);
// Allocate statement handler
stmt = mysql_stmt_init(conn);
if (stmt == NULL) {
print_error(conn, "Could not initialize statement handler");
return;
}
// Prepare the statement
if (mysql_stmt_prepare(stmt, sql, strlen(sql)) != 0) {
print_stmt_error(stmt, "Could not prepare statement");
return;
}
// Initialize the result column structures
memset (param, 0, sizeof (param)); /* zero the structures */
memset (result, 0, sizeof (result)); /* zero the structures */
// Init param structure
// Select
param[0].buffer_type = MYSQL_TYPE_LONG;
param[0].buffer = (void *) &myId;
param[0].is_unsigned = 0;
param[0].is_null = 0;
param[0].length = 0;
// Result
result[0].buffer_type = MYSQL_TYPE_LONG;
result[0].buffer = (void *) &myNumAddresses;
result[0].is_unsigned = 0;
result[0].is_null = &is_null[0];
result[0].length = 0;
// Bind param structure to statement
if (mysql_stmt_bind_param(stmt, param) != 0) {
print_stmt_error(stmt, "Could not bind parameters");
return;
}
// Bind result
if (mysql_stmt_bind_result(stmt, result) != 0) {
print_stmt_error(stmt, "Could not bind results");
return;
}
// Set bind parameters
myId = id;
// Execute!!
if (mysql_stmt_execute(stmt) != 0) {
print_stmt_error(stmt, "Could not execute statement");
return;
}
if (mysql_stmt_store_result(stmt) != 0) {
print_stmt_error(stmt, "Could not buffer result set");
return;
}
// Init data
(*numAddresses) = 0;
// Fetch
if(mysql_stmt_fetch (stmt) == 0){
(*numAddresses) = myNumAddresses;
}
// Deallocate result set
mysql_stmt_free_result(stmt); /* deallocate result set */
// Close the statement
mysql_stmt_close(stmt);
// Close Database
closeDB(conn);
Again, if you can use some other client library (like the C++ client) your code will be way shorter and readable.
My bad, as #jjmontes mentioned it seems that the sent string was encoded in 'latin1'.
Using the function mysql_set_character_set(conn, "utf8") before doing the query solved this problem.
Now, I will try to use prepared statements instead of query strings.
thanks again!
Related
I am using Connector C to connect to my MySQL database. A modification that I have made to the database recently now allows the data in my url field to be NULL. Connector C does not appear to have any problems reading the NULL value, but when I try and pass the value to my array structure using strcpy, the program crashes. Here is a simplified version of my code:
mysql_real_connect(conn, server,user,password,database, port, NULL, 0);
mysql_query(conn, "SELECT * FROM main WHERE propType IN ('Single Family', 'Condominium')");
res = mysql_use_result(conn);
while (((row = mysql_fetch_row(res)) != NULL) && (row[0] != NULL)) {
props[count].uniqueID = atol(row[0]);
strcpy(props[count].address, row[1]);
.
.
.
strcpy(props[count].url, row[55]);
count++;
}
By tracing out output of the rows, I have determined that it is this line of code that is failing, and it is ONLY failing when row[55] is (null):
strcpy(props[count].url, row[55]);
I am fairly new to C, and I assume that the problem lies in trying to use strcpy with a null string.
Any suggestions?
As is suggested above in the comment the problem is that row[55] has the value NULL and so strcpy() will crash. Maybe you want to try the following:
if (row[55] != NULL)
strcpy(props[count].url, row[55]);
else
props[count].url[0] = '\0';
Here is another example code which use a bit to store if the database contains NULL or a empty value:
if (row[55] != NULL)
{
strcpy(props[count].url, row[55]);
props[count].urlEmpty = false;
}
else
{
props[count].url = '\0'; // Maybe you can skip this
props[count].urlEmpty = true;
}
In this case you need to expand your structure.
I'm a beginner in C and mysql programing.For some days now I am trying to write float and integer values that i get from sensors to a database in mySQL.So far i'm just getting an error "too many arguments to function ‘mysql_query’" and " expected ‘const char *’".Below is my simple code.
int main()
{
int var1 = 1;
float var2 = 5.1;
MYSQL *conn;
MYSQL_RES *res;
MYSQL_ROW row;
conn = mysql_init(NULL);
if (!mysql_real_connect(conn, host, user, pass, dbname,port, unix_socket, flag))
{
fprintf(stderr, "\nError: %s [%d]\n",mysql_error(conn),mysql_errno(conn));
exit(1);
}
printf("Connection successful!\n");
mysql_query(conn,"INSERT INTO variables (var1) VALUE ('%d');",var1);
mysql_query(conn, mysql_query );
}
It's a nice idea, but mysql_query doesn't work with variable arguments.
You need to store the query in a buffer:
char buff[1024];
snprintf(buff, sizeof buff, "INSERT INTO variables (var1) VALUES ('%d');",var1);
and then you can call mysql_query with this buffer:
mysql_query(conn, buff);
EDIT:
As pointed out by #PaulOgilvie: Notice VALUES instead of VALUE in the query.
You should use a prepared statement, which would also take care of the types and all that (assuming conn is a valid connection object)
MYSQL_STMT *stmt;
MYSQL_BIND params[1];
const char *query;
// This is necessary or the program will crash
memset(params, 0, sizeof(params));
query = "INSERT INTO variables (var1) VALUES (?)";
stmt = mysql_stmt_init(conn);
params[0].buffer = &var1;
params[0].buffer_type = MYSQL_TYPE_LONG;
if (stmt == NULL)
exit(1); // Ideally handle the error and solve the problem
// but for simplicity ...
if (mysql_stmt_prepare(stmt, query, strlen(query)) != 0)
exit(1);
if (mysql_stmt_bind_param(stmt, params) != 0)
exit(1);
if (mysql_stmt_execute(stmt) != 0) {
// Ideally print mysql's error
fprintf(stderr, "an error occurred\n");
}
mysql_stmt_close(stmt);
This is the good safe way to do this, and also you can reuse the prepared statement as many times as you want and they promise it will be faster and more efficient because the query is prepared so the execution plan is known and you don't need to use the snprintf() which by the way should be checked for errors and also, you should check if the query did fit into the target array, read the documentation for that.
Also, you don't need to worry about escaping strings or anything. It will all be handled transparently for you. As long as you use the correct type and of course, specify the length of strings.
Note that you can bind parameters and results too in SELECT queries.
Are you sure you don't need "VALUES" here instead of "VALUE":
mysql_query(conn,"INSERT INTO variables (var1) VALUE ('%d');",var1);
I need to refill some lines of a table in mysql, and I'm using the C API. The table has 2 columns titled "VARIABLE" and "VALUE", and 4 lines with the names and values of 4 variables.
I can refill any value, for example the value of VAR1, by the code:
if(mysql_query(conn, "REPLACE INTO TAULA_DADES SET VARIABLE='VAR1',VALOR=3")){
finish_with_error(conn);
}
However, I don't know how to put the value of a C variable in the field, for example:
int a;
Something like this should work (not tested, just an example of possible approach):
MYSQL_STMT *stmt = mysql_stmt_init(conn);
char stmt_text[] = "REPLACE INTO TAULA_DADES SET VARIABLE=?,VALOR=?";
mysql_stmt_prepare(stmt, stmt_text, strlen(stmt_text));
/* Bind the data for the 2 parameters */
MYSQL_BIND bind[2];
memset(bind, 0, sizeof(bind));
/* First parameter */
char var1[16] = "VAR1";
unsigned long var1_len = strlen(var1);
bind[0].buffer_type = MYSQL_TYPE_STRING;
bind[0].buffer = var1;
bind[0].buffer_length = 16;
bind[0].is_null = 0;
bind[0].length = &var1_len;
/* Second parameter */
int a = 123;
bind[1].buffer_type = MYSQL_TYPE_LONG;
bind[1].buffer = (char *)&a;
bind[1].is_null = 0;
bind[1].length = 0;
mysql_stmt_bind_param(stmt, bind);
mysql_stmt_execute(stmt);
mysql_stmt_close(stmt);
In the real program you should check the return value of each statement adding the code for error management.
You can also pass variables via sprintf (e.g. take a look at How to pass variable in mysql_query) but it presents a higher security risk (at least consider the mysql_real_escape_string() function for user-supplied values).
Further details:
mysql_stmt_execute()
C API Prepared Statement Data Structures
HOW IT SHOULD WORK: User clicks on a listbox with multitude of IDs. Then, the edit controls are filed with the data from the specified ID (row).
HOW IT WORKS: It crashes at res->getString
case LBN_SELCHANGE:
{
string str;
int index = SendMessage(GetDlgItem(hwnd, IDC_lbList), LB_GETCURSEL, 0, 0);
string sint = boost::lexical_cast<std::string>(index);
string smt="SELECT client, telnr, atnrem, papatn, gedapr
FROM tremreg WHERE id = ";
string query = smt + sint;
res = stmt->executeQuery(query.c_str());
//starts crashing here
str = res->getString("client");
SetDlgItemText(hwnd, IDC_eClient, str.c_str());
str = res->getString("telnr");
SetDlgItemText(hwnd, IDC_eTelNr, str.c_str());
str = res->getString("antrem");
SetDlgItemText(hwnd, IDC_eRemAtn, str.c_str());
str = res->getString("paprem");
SetDlgItemText(hwnd, IDC_ePapAtn, str.c_str());
str = res->getString("gedapr");
SetDlgItemText(hwnd, IDC_eGedApr, str.c_str());
delete res;
delete stmt;
}
break;
CRASH INFO:
Unhandled exception at 0x753C812F in Registracija.exe:
Microsoft C++ exception:sql::InvalidArgumentException at memory location 0x0018F7AC.
Digging around google I found somebody mentioning that VARCHAR type values should be fetched with getBlob. That did not help at all though, and crashed just the same. getInt works however, and is used in other parts of the program.
QUESTION: What steps should I take to make it work?
does the same query run properly if you do it in the database directly? Also, are all the returned fields really Strings? And is it valid to call them by name, rather than by the sequence number? I.e. getString(1), etc.
I can't assign the result of query to variable (the program is written in C). Here is what I do
char buffer[100];
while ((row = mysql_fetch_row(res)) != NULL) {
buffer = row[0];
}
A get this error during compile process
error: incompatible types in assignment
What is wrong here ?
Assuming it's a string? C doesn't have strings it has arrays of characters. So you have copy the characters from one array to another.
so use a copy function like
strncpy(buffer, row[0], 100);