Use SQL statement with ADODB.Recordset in VC++

RE: Use SQL statement with ADODB.Recordset in VC++

The short answer is that you'll need to build up the SQL string and then pass it to recordset->Open. The longer answer is that if you plan to give this code to others to use, you'll need to sanitize the input that you recieved from the user first to prevent serious security problems on the server, and to prevent users from hurting themselves accidentally. (Try googling "SQL injection attack" if you need to be convinced that this can be a very serious problem.) :-

So, the short answer: If you are new to C in general, manipulating strings can be a little more difficult than in most other languages, and there are a lot of tricky parts to handling that as well. There are easier functions to use, but my favorite is StringCbPrintf because it is not strickened by most of the problems that the others are. In this example, you would probably want to do something like

CHAR szCommand[256]
if(FAILED(Strin gCbPrintf(szCom mand, sizeof(szComman d), "INSERT INTO other_info(card _id) VALUES (%s)", m_editbox1))
return -1; //if the command failed, you'll need to display an error or something and qui
recordset->Open(szCommand )

Take a look at the docs for the "safe" string functions at http://msdn.microsoft.com/library/en...es/strings.asp for more detailed information

The longer answer: This code will not work if the user were to enter something malformed. For example, if a used entered "5) exec xp_cmdshell 'format b:' --" into the edit box, the SQL string would become: "INSERT INTO other_info(card _id) VALUES (5) exec xp_cmdshell 'format b:' --)" which would format the b drive (if one existed, that is)! Preventing that is a much more challenging problem! The process of removing the problem characters from user input is called "sanitizing " the input, which is exactly what you'd need to do for this example to be safe for your end users. Luckily, in your example, the value you get from the user is an integer. In that case, you can convert the value in the edit box to an int using atoi() or a similar function, and then change the "%s" to a "%u" in the example code above to prevent the problem. Be aware though, that when you do use strings, you are opening the machine wide open to running arbitrary sql commands on the server. Here's the "safer" way

CHAR szCommand[256]
int i = atoi(m_editbox1 )
if(FAILED(Strin gCbPrintf(szCom mand, sizeof(szComman d), "INSERT INTO other_info(card _id) VALUES (%u)", i))
return -1; //if the command failed, you'll need to display an error or something and qui
recordset->Open(szCommand )

I hope that helps. It's also a good idea to be thinking more about SQL injections, even if you aren't concerned with them right now

-Aaro
Please post questions to the newsgroup - everyone benefits
This post is provided "AS IS" with no warranties, and confers no right
Sample code subject to http://www.microsoft.com/info/cpyright.ht