I want to make a query like this one:
SELECT lyrics FROM cache WHERE author=%s0, title=%s1 LIMIT 1;
where the strings %s0 and %s1 should be substituted. Assume the strings are not sanitized, are UTF-8 encoded (as is the database itself), and are simple null-terminated char* arrays. What are my options for doing this? Are there any built-in functions in SQLite (C API) for this?
As already mentioned in the comments, prepared statements should be used.
Why Prepared Statements Should Be Favoured
When you create SQL queries yourself as a string, they almost always contain parts of a user's input. An attacker can take advantage of this by, for example, cleverly changing the semantics of the query using ' and thus gaining unauthorized access to data or destroying data.
This is called SQL injection and is one of the most critical security risks; see here:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Defense
The use of prepared statements with variable binding (aka parameterized queries) is how all developers should first be taught how to write database queries.
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#defense-option-1-prepared-statements-with-parameterized-queries
How to use prepared statements with SQLite
For prepared statements see https://www.sqlite.org/c3ref/stmt.html.
Basic steps are:
create the prepared statement
bind values to parameters
run the SQL
destroy the object to avoid resource leaks
Example
#include <stdio.h>
#include <stdlib.h>
#include "sqlite3.h"

void exit_with_error(sqlite3 *db, const char *msg) {
    fprintf(stderr, "%s: %s\n", msg, sqlite3_errmsg(db));
    sqlite3_close(db);
    exit(1);
}

int main(void) {
    sqlite3 *db;
    sqlite3_stmt *stmt;
    int rc = sqlite3_open("path-to-lyrics", &db);
    if (rc != SQLITE_OK)
        exit_with_error(db, "can't open db");

    //create prepared statement; ?1 and ?2 are the parameter slots
    rc = sqlite3_prepare_v2(db, "SELECT lyrics FROM cache WHERE author=?1 AND title=?2 LIMIT 1;", -1, &stmt, 0);
    if (rc != SQLITE_OK)
        exit_with_error(db, "failure fetching data");

    //bind values to parameters (the bound strings are never parsed as SQL)
    sqlite3_bind_text(stmt, 1, "Don Brownrigg", -1, SQLITE_STATIC);
    sqlite3_bind_text(stmt, 2, "Just Breathe", -1, SQLITE_STATIC);

    //run the SQL; SQLITE_ROW means a result row is available
    rc = sqlite3_step(stmt);
    if (rc == SQLITE_ROW) {
        printf("%s\n", sqlite3_column_text(stmt, 0));
    }

    //destroy the object to avoid resource leaks
    sqlite3_finalize(stmt);
    sqlite3_close(db);
    return 0;
}
Build
With CMake it could look like this:
cmake_minimum_required(VERSION 3.14)
project(sqlitequery C)
set(CMAKE_C_STANDARD 99)
add_executable(sqlitequery main.c)
target_link_libraries (sqlitequery sqlite3)
On command line one could build with something like:
gcc -Wall -Wextra main.c -lsqlite3 -o sqlitequery
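To make the difference between the two approaches concrete, here is an added example (not part of the answer above) that runs the question's lookup both ways against an in-memory database. It is written in Python because the standard-library sqlite3 module wraps the same SQLite C library, and its `?` placeholders are bound exactly as sqlite3_bind_text binds `?1` and `?2` in the C code above. The table rows and the three inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows, not data from the original question.
ROWS = [
    ("Don Brownrigg", "Just Breathe", "lyrics of Just Breathe"),
    ("Fleetwood Mac", "Don't Stop", "lyrics of Don't Stop"),
    ("Other Artist", "Private Song", "lyrics the caller is not meant to reach"),
]


def make_cache() -> sqlite3.Connection:
    """Build an in-memory cache table shaped like the one in the question."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cache (author TEXT, title TEXT, lyrics TEXT)")
    con.executemany("INSERT INTO cache VALUES (?, ?, ?)", ROWS)
    return con


def lookup_formatted(con: sqlite3.Connection, author: str, title: str) -> list:
    """The substitution the question asks about, done on the SQL text itself.
    The input becomes part of the statement, so a quote in it is parsed as SQL.
    Raises sqlite3.OperationalError when the result is not valid SQL."""
    sql = "SELECT lyrics FROM cache WHERE author='%s' AND title='%s' LIMIT 1;" % (author, title)
    return [row[0] for row in con.execute(sql)]


def lookup_bound(con: sqlite3.Connection, author: str, title: str) -> list:
    """The prepared-statement form: the SQL text is fixed and the two strings
    are bound as parameters, so they are compared as values, never parsed."""
    sql = "SELECT lyrics FROM cache WHERE author=? AND title=? LIMIT 1;"
    return [row[0] for row in con.execute(sql, (author, title))]


def compare(author: str, title: str) -> dict:
    """Run both forms on the same input and report what each one returned."""
    con = make_cache()
    try:
        formatted = lookup_formatted(con, author, title)
    except sqlite3.OperationalError as exc:
        formatted = "error: %s" % exc
    bound = lookup_bound(con, author, title)
    con.close()
    return {"formatted": formatted, "bound": bound}


if __name__ == "__main__":
    # 1. Ordinary input: both forms return the same row.
    print(compare("Don Brownrigg", "Just Breathe"))
    # 2. A legitimate apostrophe in the title: the formatted query is a syntax
    #    error, the bound query simply finds the row.
    print(compare("Fleetwood Mac", "Don't Stop"))
    # 3. A title containing a quote that rewrites the WHERE clause: the formatted
    #    query returns a row the caller never asked for; the bound query treats
    #    the whole string as a title and finds nothing.
    print(compare("Don Brownrigg", "x' OR author='Other Artist' --"))
```

Case 2 is the one worth remembering even without an attacker in the picture: a perfectly ordinary title breaks the formatted query, while binding handles it without any escaping code on your side.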
Related
I'm trying to link the sqlite3 library to CMakeLists in CLion using the following code:
find_package(SQLite3)
target_link_libraries(IIWProject SQLite::SQLite3)
The library has been loaded, but when I run the code, CLion shows the following error:
SQL logic error
The database has been loaded, but when sqlite3_prepare_v2(db, query, -1, &stmt, NULL) was called it returned SQL logic error.
#include <stdio.h>
#include <stdlib.h>
#include <sqlite3.h>

void get_db(sqlite3 **db){
    int rc;
    if ((rc = sqlite3_open("db_project.db", db)) != SQLITE_OK){
        //fprintf(stderr, "Failed to open DB.\n");
        fprintf(stderr,"Failed to open DB: %s\n\r", sqlite3_errstr(rc));
        exit(EXIT_FAILURE);
    }
}

int clear_table(sqlite3 *db){
    sqlite3_stmt *stmt;
    int rc;
    char* query = "DELETE FROM resources";
    if ((rc=sqlite3_prepare_v2(db, query, -1, &stmt, NULL)) != SQLITE_OK){
        fprintf(stderr,"Failed to prepare statement: %s\n\r", sqlite3_errstr(rc));
        return 1;
    }
    if ((rc = sqlite3_step(stmt)) != SQLITE_DONE){
        fprintf(stderr,"Delete failed: %s\n\r", sqlite3_errstr(rc));
        sqlite3_finalize(stmt); // release the statement on the error path as well
        return 1;
    }
    sqlite3_finalize(stmt);
    return 0;
}
How can I try to fix it?
EDIT:
If I compile manually without CLion, with gcc -lsqlite3, it works.
Now that we've established that the table doesn't exist when you run your program through your IDE...
The current working directory when you run your program through a command line is different than the current working directory your IDE runs it in. Since you're using a relative path to the database file, this means you're using a different one depending on how you run your program. Only one of the databases actually has the table(s) you're trying to use.
Some solutions:
Use an absolute path to the database.
Configure your IDE to use the same working directory as when you're running your program through a command line.
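An added example (not from the answer above) of the check that settles this kind of problem in one run: resolve the relative database path against the current working directory, report which file is actually being opened, and ask sqlite_master whether the table is there. It is written in Python on the standard-library sqlite3 module; the scenario it builds (two temporary directories, one holding a db_project.db with the resources table and one empty) is constructed for the demonstration. Note that opening a path that does not exist silently creates a new, empty database file, which is why a second db_project.db turns up in the IDE's working directory. In the C API, sqlite3_errstr(SQLITE_ERROR) only gives the generic "SQL logic error"; sqlite3_errmsg(db) returns the specific "no such table: resources" that this example shows.

```python
import os
import sqlite3
import tempfile


def table_exists(db_path: str, table: str) -> bool:
    """Open the database by path and ask sqlite_master for the expected table."""
    con = sqlite3.connect(db_path)
    try:
        row = con.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
        ).fetchone()
        return row is not None
    finally:
        con.close()


def diagnose(db_path: str, table: str) -> dict:
    """Report where a relative path really points from the current working
    directory, whether that file exists, and whether it holds the table."""
    resolved = os.path.abspath(db_path)
    present = os.path.isfile(resolved)
    return {
        "resolved": resolved,
        "file_exists": present,
        "table_exists": table_exists(resolved, table) if present else False,
    }


def run_delete(db_path: str) -> str:
    """Run the question's DELETE against the given file; return 'ok' or the
    specific message SQLite attaches to the error."""
    con = sqlite3.connect(db_path)  # creates an empty file if none exists
    try:
        con.execute("DELETE FROM resources")
        return "ok"
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        con.close()


def demo() -> dict:
    """Constructed scenario: the same relative path used from two working
    directories, as happens between a shell and an IDE run configuration."""
    results = {}
    original_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as shell_dir, tempfile.TemporaryDirectory() as ide_dir:
        # The database created from the command line, which has the table.
        con = sqlite3.connect(os.path.join(shell_dir, "db_project.db"))
        con.execute("CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT)")
        con.commit()
        con.close()
        try:
            for label, cwd in (("shell", shell_dir), ("ide", ide_dir)):
                os.chdir(cwd)
                info = diagnose("db_project.db", "resources")
                info["delete"] = run_delete("db_project.db")
                results[label] = info
        finally:
            os.chdir(original_cwd)  # restore before the temp dirs are removed
    return results


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```

Printing the resolved path is the part that matters: once you see two different absolute paths for the same "db_project.db", the fix is whichever of the two options above suits the project.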
I know there have been questions asked before about this problem, but none seem to shine a light on my problem, which is: I am trying to compile a C application and want to access SQLite from within the code (as per the test app below), using Eclipse as a compile and debugging environment.
I know the .h files are being accessed. The code has as many lines commented out to do with iostream as I have tried to compile this as a C++ app as well.
I get errors, one for each of the 2 SQL API calls.
The real question is: do I have to set, and how do I set, a dependency in Eclipse to allow the API to resolve? Thanks
the code
#include <sqlite3.h>

int OpenDB(void); // declared before use so main() can call it

int main(void)
{
    int RetVal;
    RetVal = OpenDB();
    return RetVal;
}

int OpenDB(void)
{
    sqlite3 *db;    // database connection
    int rc;         // return code
    char *errmsg;   // pointer to an error string
    /*
     * open SQLite database file test.db
     * use ":memory:" to use an in-memory database
     */
    rc = sqlite3_open(":memory:", &db); //fails on this line
    if (rc != SQLITE_OK)
    {
        goto out;
    }
    /* use the database... */
out:
    /*
     * close SQLite database
     */
    sqlite3_close(db); //fails on this line
    return rc;
}
You need to link the sqlite3 library along with your program:
gcc main.c -lsqlite3
I'm using SQLite 3 in a C application of mine. It has worked like a charm up until now, when I've started to write unit tests. The function in question is pretty small. It opens an in-memory database, prepares a statement and then does some stuff with it. The problem is that the app crashes with a segmentation fault at the sqlite3_prepare_v2 function call. I've tried to debug it and check to see that all arguments are valid, which they seem to be.
Below, I've pasted a minimal example which causes a segfault in the same way. The backtrace lists sqlite3LockAndPrepare as the function where it crashes (called by sqlite3_prepare_v2).
As I mentioned above, I use SQLite without any problems in the rest of my app. I just can't figure out what the difference in usage is, since it's split up in several different routines which also do other stuff. The one thing I can spot is the use of an in-memory database instead of on-disk, but I tried with it on disk, and it made no difference.
#include <stdlib.h>
#include <stdio.h>
#include <sqlite3.h>

int main(void)
{
    sqlite3 *db;
    sqlite3_stmt **stmt;
    const char *str = "CREATE TABLE Test (t1 varchar(8) NOT NULL);";
    if (SQLITE_OK != sqlite3_open(":memory:", &db)) {
        printf("Can't open...\n");
        return 1;
    }
    sqlite3_prepare_v2(db, str, -1, stmt, NULL);
    return 0;
}
The fourth argument to sqlite3_prepare_v2() is supposed to be a valid pointer to an sqlite3_stmt *. You are instead passing an undefined value (since your variable stmt is never initialized). (Note, too, that even if that did not crash the program, you could not receive a pointer to the prepared statement that way.)
You should do this, instead:
int main(void)
{
    sqlite3 *db;
    sqlite3_stmt *stmt;
    const char *str = "CREATE TABLE Test (t1 varchar(8) NOT NULL);";
    /* ... create database ... */
    sqlite3_prepare_v2(db, str, -1, &stmt, NULL);
    return 0;
}
I'm having memory management related crashes when using SQLite. It only crashes once every 30 or so tries unless I enable Guard Malloc (a test mode) in Xcode, in which case it crashes the second time I prepare a statement, 100% of the time. I think it has to do with how I'm opening or using the database, but I can't find anything wrong, BUT I'm a newbie with SQLite. Is there anything I'm forgetting?
Wrapper function for opening:
/* dbURL, SQL_ERROR and NO_ERROR are defined elsewhere in the program */
int databaseConnect(sqlite3 **db){
    int rc = sqlite3_open_v2(dbURL, db, SQLITE_OPEN_READWRITE, NULL);
    if(rc!=SQLITE_OK){
        fprintf(stderr, "Can't open database! Error: %s\n", sqlite3_errmsg(*db));
        sqlite3_close_v2(*db);
        return(SQL_ERROR);
    }
    return NO_ERROR;
}
Wrapper function for sending commands:
int databaseCommand(char* command, sqlite3* db){
    char* error = NULL;
    int ret = sqlite3_exec(db, command, NULL, 0, &error);
    if (ret!=SQLITE_OK){
        printf("SQL command aborted. Error: %s\n", error);
        sqlite3_free(error); // the message from sqlite3_exec must be freed on this path too
        return SQL_ERROR; //EDIT: this will cause the database to close later
    }
    if (error) sqlite3_free(error);
    return NO_ERROR;
}
How I use my opening function:
//ONCE IN MAIN THREAD, BEFORE ANY OTHER THREADS:
sqlite3* db = NULL;
databaseConnect(&db);
//call databaseCommand a few times while creating tables...
sqlite3_close_v2(db);

//ONCE PER THREAD IN OTHER THREADS:
sqlite3* db = NULL;
databaseConnect(&db);
How I use sqlite3_prepare_v2 in my non-main threads (and where it crashes):
struct LinkedList* databaseSelect(char* command, sqlite3* db){
    sqlite3_stmt* stmt = NULL;
    int retval = sqlite3_prepare_v2(db, command, (strlen(command))*sizeof(char), &stmt, NULL); //crashes here the second time I run it
    if(retval!=SQLITE_OK){
        printf("Selecting data from database failed! Error: %s\n", sqlite3_errmsg(db));
        sqlite3_free(stmt);
        return NULL; //EDIT: this will cause the database to close later
    }
    // Then the function does stuff involving sqlite3_column_text and sqlite3_column_int…
    sqlite3_free(stmt);
    // return the linked list result
}
The error I get and the part of the SQLite3 library that causes it:
EXC_BAD_ACCESS (code=1) in this part of sqlite3.c:
/*
** Create a new virtual database engine.
*/
SQLITE_PRIVATE Vdbe *sqlite3VdbeCreate(sqlite3 *db){
  Vdbe *p;
  p = sqlite3DbMallocZero(db, sizeof(Vdbe) );
  if( p==0 ) return 0;
  p->db = db;
  if( db->pVdbe ){
    db->pVdbe->pPrev = p; //error is right here; db->pVdbe is pointing to invalid address
  }
  p->pNext = db->pVdbe;
  p->pPrev = 0;
  db->pVdbe = p;
  p->magic = VDBE_MAGIC_INIT;
  return p;
}
Whenever I use sqlite3_column_text, I copy the result immediately. I do not modify the result. In databaseCommand and databaseSelect, char* command is null-terminated and valid (I checked). Each thread uses its own database handle, each connected to the same database. However, in this test case, there is only one thread connected to the database at any given time.
If there really is nothing wrong here, I have to assume that I trampled the memory elsewhere in my program, and I can't find anything in the rest of the program that even looks a bit dangerous. Plus it's suspicious that SQLite is the one thing crashing every time.
The sqlite3_prepare_v2 documentation says:
The calling procedure is responsible for deleting the compiled SQL statement using sqlite3_finalize() after it has finished with it.
sqlite3_free() can be used only for raw memory allocated with sqlite3_alloc(), or when a function such as sqlite3_exec() is documented as requiring it.
Since you are using multiple threads operating on the same database, just make sure you close and reopen the database from these threads after every operation. You should also try not to neglect the error condition, and add the close statement there as well, as shown below.
if(retval!=SQLITE_OK){
    printf("Selecting data from database failed! Error: %s\n", sqlite3_errmsg(db));
    sqlite3_finalize(stmt); // a prepared statement is released with sqlite3_finalize, not sqlite3_free
    sqlite3_close(your_db_ptr);
    ......
}
sqlite3_prepare_v2() alone just compiles the SQL but does not run it. Call sqlite3_step() on the compiled statement to run it, or use sqlite3_exec() that combines prepare+step+finalize into one function call. From here.
Hope this helps.
I'm trying to connect to a MariaDB database in a C script and I can't find the necessary documentation. I installed libmariadbclient-dev, but I couldn't find any accompanying documentation such as a man page. There's a basic description and limited documentation here, but the documentation only includes descriptions of functions. The fact is, despite having scoured all sorts of Google results, I don't even know what to import to get this to work, much less how to use it. Is there any guide or documentation on how to use a MariaDB database in C?
The MariaDB Client Library for C has exactly the same API as the MySQL Connector/C for MySQL 5.5.
Here it is: http://dev.mysql.com/doc/refman/5.5/en/c-api-function-overview.html
Another one:
http://zetcode.com/db/mysqlc/
You can compile a minimal test like
#include <stdio.h>   /* fprintf */
#include <stdlib.h>  /* exit */
#include <my_global.h>
#include <mysql.h>

int main(int argc, char **argv)
{
    MYSQL *con = mysql_init(NULL);
    if (con == NULL)
    {
        fprintf(stderr, "%s\n", mysql_error(con));
        exit(1);
    }
    /* host, user, password, database, port, unix socket, client flags */
    if (mysql_real_connect(con, "localhost", "root", "root_pswd",
                           NULL, 0, NULL, 0) == NULL)
    {
        fprintf(stderr, "%s\n", mysql_error(con));
        mysql_close(con);
        exit(1);
    }
    if (mysql_query(con, "CREATE DATABASE testdb"))
    {
        fprintf(stderr, "%s\n", mysql_error(con));
        mysql_close(con);
        exit(1);
    }
    mysql_close(con);
    exit(0);
}
using
gcc -o mysql-test mysql-test.c $(mysql_config --libs)