Originally Posted by Salem
But to be honest, if you can't find a relatively simple segfault, how are you going to defend SQL injection attacks?
This is for a university project and the requirements state we only need to have a program with basic interaction with a database; we won't be expected to guard against injection attacks. That said, it will still have good string sanitisation and validation.
Originally Posted by laserlight
I am curious to know: why do you need the table name to be variable? After all, you only mentioned getting the user's name as input, so where does the table name come from? If you are going to use the user's name as the table name, then you're probably doing something wrong, e.g., you need to go back and think about normalisation.
If you really do need the table name to be variable, then you pretty much have to use sprintf after checking that the input is valid, but take care to quote the table name (with double quotes). The value to be inserted should be bound to a parameter within a prepared statement, not handled with sprintf.
Sorry, I should not have put the table name in bold; this isn't for the user to change. The application is a basic address book, and the only inputs they will be giving are for fields like FIRST_NAME etc.
This is what I'm trying to do more or less.
Code:
const char *userstring = "test";
/* Parenthesised comma expression: the format string is evaluated and discarded,
 * so the whole right-hand side is just userstring, nothing is formatted. */
queries[ind++] = ("INSERT INTO table VALUES('%s','string',0)", userstring);
retval = sqlite3_exec(handle,queries[ind-1],0,0,0);
The error I get is: warning: assignment from incompatible pointer type
Thank you for your replies so far, I appreciate it. Sorry if I haven't been clear; I'm having trouble with C as I'm not really used to imperative programming.
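The following is an added example, not code from anyone in this thread, showing the two points raised above in plain C: how to actually format a query into a buffer you own (snprintf, instead of the comma expression), why splicing the user's value into the SQL text is dangerous even for a class project, and laserlight's advice for the one thing you cannot bind, an identifier: validate it strictly and wrap it in double quotes. It uses only the C standard library so it compiles without SQLite; the table name `contacts`, the column layout and the hostile input string are constructed for the illustration and are not from the original post.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* What the post is trying to do, done the way C requires: snprintf formats
 * into a caller-owned buffer. Returns 0 on success, -1 if the output was
 * truncated. This is the UNSAFE shape: the value is spliced into the SQL. */
int build_insert_unsafe(char *out, size_t outsz, const char *table, const char *value)
{
    int n = snprintf(out, outsz, "INSERT INTO %s VALUES('%s','string',0)", table, value);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Identifiers (table/column names) cannot be bound as parameters, so the only
 * defence is a strict allow-list: first character a letter or underscore, the
 * rest alphanumeric or underscore, bounded length. The result is wrapped in
 * double quotes so SQLite can only ever read it as an identifier. */
int quote_identifier(char *out, size_t outsz, const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return -1;
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_')) return -1;
    for (size_t i = 1; i < len; i++)
        if (!(isalnum((unsigned char)name[i]) || name[i] == '_')) return -1;
    int n = snprintf(out, outsz, "\"%s\"", name);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Hardened shape: the identifier is validated and quoted, and the user's value
 * never appears in the SQL text at all; a '?' placeholder marks where it will
 * be bound later. */
int build_insert_prepared(char *out, size_t outsz, const char *table)
{
    char ident[80];
    if (quote_identifier(ident, sizeof ident, table) != 0) return -1;
    int n = snprintf(out, outsz, "INSERT INTO %s VALUES(?,'string',0)", ident);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

int main(void)
{
    char sql[256];
    /* Constructed input: something a user could type into FIRST_NAME. The
     * single quote closes the literal, and sqlite3_exec runs every statement
     * it is handed, so the DROP would execute. */
    const char *hostile = "Bob','x',0); DROP TABLE contacts; --";

    if (build_insert_unsafe(sql, sizeof sql, "contacts", hostile) == 0)
        printf("unsafe:   %s\n", sql);

    if (build_insert_prepared(sql, sizeof sql, "contacts") == 0)
        printf("prepared: %s\n", sql);

    /* Rejected: not a valid identifier, so it never reaches the SQL text. */
    if (build_insert_prepared(sql, sizeof sql, "contacts; DROP TABLE x") != 0)
        printf("rejected table name\n");
    return 0;
}
```

The string from `build_insert_prepared` is what you would hand to `sqlite3_prepare_v2`, then attach the user's value with `sqlite3_bind_text(stmt, 1, value, -1, SQLITE_TRANSIENT)` and run it with `sqlite3_step`; the value is sent as data, so a quote or semicolon in it can never change the statement. `sqlite3_exec` with a formatted string is only appropriate for SQL that contains no user input at all.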