
Insert Char into String - I "Hit the Wall" ...again.

mwb1100:
Dynamic buffer allocation is one of those things I never have figured out so resizing on the fly might take a while (Suggestions I'm open for...).
-Stoic Joker (August 27, 2008, 03:00 PM)
--- End quote ---

If you're using C++ I'd strongly consider using the string class (or the similar, but different, MFC/ATL CString class).  Even if you don't use any other aspect of C++ having those classes deal with the buffer management of the string data is an immense help.  And since the classes provide an easy way to get a null terminated, C-style string (using the c_str() method with std::string - don't remember what it is in the CString class) it's easy to have the strings interact with most Win32 and other C-oriented APIs. 

The only time it becomes a problem is when the API wants a buffer that it's going to copy a string into.  Or returns a pointer to a string that you then have to free using some other API function.  For those situations I'll often write a small wrapper that allocates the buffer (and frees it when done), calls the API then packages the result in a string object that gets returned by the wrapper.  There may be an extra heap allocation and a string copy in there, but I think the resulting ease and safety of use is worth it in almost all cases.

f0dder:
Dude, you're passing a "char *string" to your function. Go redesign the code now. Either you pass a std::string (or std::wstring), or you pass along a buffer-length argument... and make sure to check for it.

Also, instead of trying to sanitize strings for use with SQL queries, have a look at bound arguments - much safer.
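The two points above (mwb1100's wrapper that hands a C-style API a buffer and returns a std::string, and f0dder's "pass a std::string or pass a length and check it") as one added C++ example. This is not code from either poster; fake_get_text is a constructed stand-in for a Win32-style API that copies text into a caller-supplied buffer and reports the full length, and insert_char / insert_char_c are hypothetical names for the thread's insert-a-char operation.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for a C-oriented API that copies a string into a
// caller-supplied buffer (GetWindowText-like shape, not a real function).
// It writes at most size-1 characters plus a terminator and returns the full
// length, so the caller can tell when the buffer was too small.
size_t fake_get_text(char *buf, size_t size) {
    static const char text[] = "Hello, World";
    const size_t len = std::strlen(text);
    if (buf != nullptr && size > 0) {
        const size_t n = len < size - 1 ? len : size - 1;
        std::memcpy(buf, text, n);
        buf[n] = '\0';
    }
    return len;
}

// Wrapper in the style mwb1100 describes: ask the API how much room it needs,
// allocate exactly that, call again, and return a std::string that owns its
// memory. No fixed-size stack buffer and no manual free for the caller.
std::string get_text() {
    const size_t needed = fake_get_text(nullptr, 0);
    std::vector<char> buf(needed + 1);
    fake_get_text(buf.data(), buf.size());
    return std::string(buf.data());
}

// Inserting a character with std::string: the string grows itself, so there
// is no wall to hit. An out-of-range position is clamped to "append".
std::string insert_char(std::string s, size_t pos, char c) {
    if (pos > s.size()) pos = s.size();
    s.insert(pos, 1, c);
    return s;
}

// The C-style alternative f0dder mentions: if the function must keep a char*
// signature, it also takes the buffer capacity and refuses when there is no
// room for one more character plus the terminator, instead of overflowing.
bool insert_char_c(char *s, size_t capacity, size_t pos, char c) {
    if (s == nullptr || capacity == 0) return false;
    const size_t len = std::strlen(s);
    if (len + 2 > capacity || pos > len) return false;  // +1 char, +1 NUL
    std::memmove(s + pos + 1, s + pos, len - pos + 1);  // shift tail incl. NUL
    s[pos] = c;
    return true;
}

// Handing a std::string back to a C API is one c_str() call away.
size_t c_length(const std::string &s) { return std::strlen(s.c_str()); }

int main() {
    std::cout << insert_char(get_text(), 5, '!') << '\n';   // Hello!, World
    char small[8] = "abc";
    std::cout << (insert_char_c(small, sizeof small, 1, 'X') ? small : "no room") << '\n';
    char tiny[4] = "abc";
    std::cout << (insert_char_c(tiny, sizeof tiny, 1, 'X') ? tiny : "no room") << '\n';
    return 0;
}
```

The std::string version is the one to reach for in new code; insert_char_c is only there to show what "pass a buffer-length argument and check it" costs when the char* interface has to stay: every caller must pass the right capacity, and a wrong value reintroduces the overflow.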

Stoic Joker:
Also, instead of trying to sanitize strings for use with SQL queries, have a look at bound arguments - much safer.
-f0dder (August 27, 2008, 05:59 PM)
--- End quote ---

"bound arguments"? -(never heard of them)- Where is it I would start looking at/for these?


edit by jgpaiva: fixed quote tag

f0dder:
I'm afraid you need to go slightly SQL server specific to do bound arguments, but that can obviously be abstracted away so you don't tie yourself down to just one SQL Server. The idea is that instead of inserting quoted strings (and being vulnerable to SQL injection), you refer to your strings symbolically in the SQL statements, and bind your actual strings (or other data types) using the API of your SQL library. Much safer.

I'm heading off for bed, so I'm afraid I don't have any links handy :)
