mysql - Preventing SQL Injection in C

Question

I am writing a C application that takes some user input and does a few database queries. I am well aware of the risks here of SQL injection and wish to prevent it.

Ideally I would use parameterized queries, but have been unable to find anything with this functionality in C so far. I am currently constructing my queries as such:

char *query;
asprintf(&query, "UPDATE SomeTable SET SomeField='%s';", userInput);

If I am unable to do this, then I must need to filter the user input. How should this filtering be done? Is it enough to just remove all 's and "s? (Valid inputs cannot contain them). If so, what is the easiest way of doing this in C?

Answer 1

I believe that you want to use prepared statements and parameter binding. Do not directly interpolate user data into your queries. See the MySQL manual for info on this.