Re: converting stringc to char* ?
Personally, I'd use sprintf() or, if using VC, CString::Format() to build the sql request, but I prefer C-style coding over std containers for the most part (that's the way I learned):
Code:
int itemnumber=101;
char sqlbuf[100]; //make it big enough to hold your entire statement
sprintf(sqlbuf,"SELECT * FROM USERTABLE WHERE itemnumber='%d' AND loginpw='%s' ORDER BY loginid",itemnumber,"MyPassword");
if(!db.Execute(sqlbuf,tbl)){
//...
}
Re: converting stringc to char* ?
You should use one or the other approach. Mixing them up just tends to cause confusion. Right now, you're using a combination of strcpy() and std::string fairly intermingled, which I'd consider bad form. Also, don't over-use the c_str() method; it isn't needed for cout or for std::string concatenation, or for pretty much anything else except functions requiring a const char* explicitly.
Re: converting stringc to char* ?
Quote:
Originally Posted by digoxy
Hello Paul, I did drop this in just to see what it would do, I have since tokenized the login id and pw. Here is the way I did this as a char[200].
Do you have a check if you have exceeded 200 characters? If you don't then this is deemed a vulnerability in your program, as buffer overflow can occur.
That's why std::string is safer.
Quote:
If you see anything here that might be of use to change it up a bit, I don't mind playing with it. I have it in the script just commented now so I can ding around with it! :)
Just fix the compiler errors. If all the problem is just quotes, it takes a few seconds to fix them.
As to char*, the following should be safer:
Code:
#include <string>
#include <vector>
//...
std::string str = "select * from usertable where loginid='";
str += logidin + "' and loginpw ='" + logidin + "' order by loginid";
std::vector<char> tempV(str.begin(), str.end());
tempV.push_back(0);
if(!db.Execute(&tempV[0], tbl))
{ }
Regards,
Paul McKenzie
Re: converting stringc to char* ?
^I'm not sure that doing that would properly null-terminate the string. You may need to push_back a 0 at the end. Actually, it would be good to know either way for certain.
Re: converting stringc to char* ?
Quote:
Originally Posted by Lindley
^I'm not sure that doing that would properly null-terminate the string. You may need to push_back a 0 at the end. Actually, it would be good to know either way for certain.
Yes, it wouldn't hurt to push_back a 0 onto that.
Regards,
Paul McKenzie
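Added example, not code from any poster in this thread: it shows the two checks raised above, the length check on a fixed 200-character buffer and the explicit null terminator on the std::vector<char> copy. The function names build_query_fixed and to_mutable_cstr and the sample inputs are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Format the query into a fixed buffer; returns false instead of overflowing
// or silently truncating when the result does not fit.
// Note: this checks length only; it does nothing about quotes inside the values.
bool build_query_fixed(char* buf, std::size_t bufsize,
                       const char* loginid, const char* loginpw)
{
    int n = std::snprintf(buf, bufsize,
        "select * from usertable where loginid='%s' and loginpw='%s' order by loginid",
        loginid, loginpw);
    // snprintf returns the length the full string needs (without the '\0');
    // n >= bufsize means the output was cut short.
    if (n < 0 || static_cast<std::size_t>(n) >= bufsize) {
        if (bufsize > 0) buf[0] = '\0';   // never pass a truncated statement on
        return false;
    }
    return true;
}

// Copy a std::string into a writable, null-terminated buffer for APIs
// that take char* rather than const char*.
std::vector<char> to_mutable_cstr(const std::string& s)
{
    std::vector<char> v(s.begin(), s.end());  // v.size() == s.size(), no '\0' yet
    v.push_back('\0');                        // terminator must be added explicitly
    return v;
}

int main()
{
    char sqlbuf[200];
    std::string longpw(300, 'A');             // constructed over-long input
    std::printf("short input fits: %d\n",
                build_query_fixed(sqlbuf, sizeof sqlbuf, "alice", "pw"));
    std::printf("long input fits:  %d\n",
                build_query_fixed(sqlbuf, sizeof sqlbuf, "alice", longpw.c_str()));

    std::string q = "select * from usertable order by loginid";  // constructed sample
    std::vector<char> v = to_mutable_cstr(q);
    std::printf("string size %zu, buffer size %zu, strlen %zu\n",
                q.size(), v.size(), std::strlen(&v[0]));
    return 0;
}
```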