C++

Forum

 
How to edit SQL statement with user input

May 11, 2022 at 8:02pm
domweng (43)
Hello,

I am currently needing to know for some work I am trying to do whether it is available to take some form of user input and use that in the SQL statement in my code.

For example, when I'm using something such as...
 
 
sql = "SELECT team_name FROM TEAM WHERE team_div = 'North West'"


Is there a way that I could possibly ask the user, "what division would you like to see the teams in?" And if the user for example, enters "North East," the sql would then be changed to...
 
 
sql = "SELECT team_name FROM TEAM WHERE team_div = 'North East'"

(or another division they want to see the teams in)
May 11, 2022 at 8:08pm
jonnin (11478)
yes, you can do that.
you just set up a list for them to pick from (if UI driven, a drop down box of choices, if text based, a list they can view and pick by number) and they pick it, you swap in the text you want.
there are different ways to do it, you can put a token in the string and replace it, or break the string up and put the pieces back together with + ops, etc.
May 11, 2022 at 8:55pm
kigar64551 (831)
Just be sure to never ever insert a user-provided input (string) directly into an SQL statement! 😱

This is because an SQL injection vulnerability would be the result:
https://en.wikipedia.org/wiki/SQL_injection

Instead, use a prepared statement whenever you need to parameterize an SQL statement:
https://en.wikipedia.org/wiki/Prepared_statement

Example with SQLite:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 
void example(sqlite3 *const db, const char* input_text)
{
    // SQL statement ('?' is a placeholder)
    const char *sql = "SELECT team_name FROM TEAM WHERE team_div = ?";

    // Create prepared statement
    sqlite3_stmt *stmt;
    sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);

    // Bind placeholder to user input
    sqlite3_bind_text(stmt, 1, input_text); // <-- e.g. input_text = "North West"

    // Execute!
    sqlite3_step(stmt);

    // Clean up
    sqlite3_finalize(stmt);
}


(One could argue that if the string comes from a "drop down box" that is under you control, and there is no way for the user to enter a custom string, then it would be safe to use the given string directly in the SQL statement. But better safe than sorry! So, if a string is supplied by the user in any way, then that string should always be treated as an "untrusted" string. Therefore a prepared statement should always be used!)
Last edited on May 11, 2022 at 9:15pm
May 11, 2022 at 11:20pm
jonnin (11478)
and, if you are worried about untrusted users, use an account (your program's credentials) with the least possible access to get the job done: if they just need to read, then it gets read only access, no update/write/create etc. Then their damage is limited if they manage to do something stupid by design or accident.

it is not always hard to reverse engineer a program to hack the prepared statements -- the coder has to jump through a lot of hoops to prevent this... But if the program can't do anything destructive with its access level, the worst they can do is read extra info.
May 12, 2022 at 12:45am
mbozzi (3942)
Topic archived. No new replies allowed.