I am writing a C application that requires some user input and performs several database queries. I am well aware of the risks involved with implementing SQL, and I want to prevent this.
Ideally, I would use parameterized queries, but I still could not find anything with this functionality in C. I am currently creating my queries like this:
    char *query;
    asprintf(&query, "UPDATE SomeTable SET SomeField='%s';", userInput);
If I cannot do this, I will need to filter the user input. How do I do this filtering? Is it enough to simply delete everything and "?" (valid inputs cannot contain them)? If so, what is the easiest way to do this in C?
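Parameter binding does exist in C; it lives in the database client library rather than in the language (for example sqlite3_prepare_v2 plus sqlite3_bind_text in SQLite, PQexecParams in libpq, mysql_stmt_bind_param in the MySQL C API), and it is the answer to prefer because the value never becomes part of the SQL text. The following is an added example, not code from the question above, showing the fallback when a query string must be assembled by hand: the value is rendered as a proper SQL string literal by doubling embedded single quotes (the ISO SQL rule), instead of deleting characters, and an allowlist check enforces the "valid inputs cannot contain them" policy as a separate layer. The allowlist (letters, digits, space and a few punctuation marks) is a constructed policy for the example, and snprintf is used instead of asprintf so the code builds without GNU extensions. The doubling rule alone is not enough for dialects that also treat backslash as an escape (MySQL with its default sql_mode), where the driver's own quoting function should be used.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist check: returns 1 if every byte of s is a letter, digit, space
 * or one of a few punctuation marks. The policy is constructed for this
 * example; adapt it to what the field actually accepts. */
int input_is_allowed(const char *s) {
    static const char extra[] = " .-_@";
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr(extra, c))
            continue;
        return 0;
    }
    return 1;
}

/* Render s as a single-quoted SQL string literal: wrap it in quotes and
 * double every embedded single quote. Returns a malloc'd string the
 * caller frees, or NULL on allocation failure. */
char *sql_quote_literal(const char *s) {
    size_t n = strlen(s), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            quotes++;
    char *out = malloc(n + quotes + 3); /* two outer quotes + NUL */
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'')
            *p++ = '\''; /* the doubled quote */
        *p++ = s[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Build the UPDATE from the question with the value rendered through
 * sql_quote_literal, so a quote in the input stays inside the literal.
 * Returns a malloc'd query the caller frees, or NULL on failure. */
char *build_update(const char *user_input) {
    char *lit = sql_quote_literal(user_input);
    if (!lit)
        return NULL;
    const char *fmt = "UPDATE SomeTable SET SomeField=%s;";
    int len = snprintf(NULL, 0, fmt, lit);
    char *q = NULL;
    if (len >= 0) {
        q = malloc((size_t)len + 1);
        if (q)
            snprintf(q, (size_t)len + 1, fmt, lit);
    }
    free(lit);
    return q;
}

int main(void) {
    /* Constructed sample inputs: one that passes the allowlist, one that
     * carries a quote and must be rejected by policy but would still be
     * rendered safely if it reached build_update. */
    const char *samples[] = { "Alice Smith", "O'Brien" };
    for (size_t i = 0; i < 2; i++) {
        printf("input %-12s allowed=%d", samples[i], input_is_allowed(samples[i]));
        char *q = build_update(samples[i]);
        printf("  query: %s\n", q ? q : "(alloc failed)");
        free(q);
    }
    return 0;
}
```

Run the allowlist check first and only then build the query; the quoting layer is there so that a mistake in the policy (or a field that legitimately needs apostrophes) does not turn into a broken or malformed statement.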