替换字符串中的一些字符
[英]Replacing some chars in a string
问题描述
If I have a variable like: 
如果我有一个像这样的变量:
char *sql;
sql = "insert into Norm1Tab values (?,?,?,?,?,?)";
I would like to replace each ? 我想更换每个? by values that are stored in other char or char* variables. 通过存储在其他char或char*变量中的值。 How I can do that in C++ ? 我如何在C ++中做到这一点?
4 个解决方案
解决方案1
8 2011-10-07 14:39:38
In C++ don't use char* C-style strings. 在C ++中,请勿使用char* C样式的字符串。 If you use std::string you can use find and replace to do what you want. 如果使用std::string ,则可以使用find和replace来完成所需的操作。
But please don't do that. 但是请不要那样做。 You'll just open yourself up to a million SQL injection attacks. 您只需要向自己开放一百万次SQL注入攻击即可。 Use prepared statements with bound parameters instead. 请使用带有绑定参数的预备语句。
解决方案2
1 已采纳 2011-10-07 14:51:13
If you are using sqlite (sure looks like it), you do not have to do the string replaces yourself. 如果您使用的是sqlite(肯定看起来像),则不必用字符串替换自己。 Use sqlite3_bind_* instead. 请改用sqlite3_bind_* 。
There are a lot of benefits from using the APIs from your database provider, so you really shouldn't avoid them if you can help it. 使用数据库提供商提供的API有很多好处,因此,如果可以帮助您,那么您就不应该避免使用它们。 You'll have better type safety, better protection against injection, and way better performance. 您将拥有更好的类型安全性,更好的防注入保护以及更好的性能。
Otherwise, I would use boost::format for this. 否则,我将为此使用boost::format 。
std::string sql = "insert into Norm1Tab values ('%1%','%2%');";
boost::format fmt(sql);
std::string stmt = boost::str( fmt % param1 % param2 );
As mentioned by others, you'll need to clean your params to make sure there aren't any injection vulnerabilities. 正如其他人所提到的,您需要清理参数以确保没有任何注入漏洞。
If you don't, anything with special characters could break it. 如果您不这样做,则任何带有特殊字符的内容都可能破坏它。
char const* param1 = "Joe's House";
It would take some knowledge of the structure to destroy it. 需要一些结构知识才能摧毁它。 As soon as someone saw the error message from the Joe's House , they would probably know that they could do worse. 一旦有人看到来自Joe's House的错误消息,他们可能会知道他们会做得更糟。
char const* param1 = "'); DROP Norm1Tab; --";
If you do this consistently, it is only a matter of time before a smart person is going to have your full schema. 如果您始终如一地执行此操作,那么精明的人将拥有完整的架构只是时间问题。 With sqlite for instance, any injection on a query could get you all the information you needed to quietly modify your records in any way that they wanted. 例如,使用sqlite,对查询的任何注入都可以为您提供所需的所有信息,以便以他们想要的任何方式静默修改记录。
SELECT * FROM sqlite_master;
解决方案3
0 2011-10-07 14:41:04
You could put %s and use sprintf to populate the fields ... 您可以放入%s并使用sprintf填充字段...
However, for the problem at hand, you probably want a prepared statement ... 但是,对于眼前的问题,您可能需要准备好的声明...
解决方案4
0 2011-10-07 14:43:16
If you're adamant about doing it this way (as opposed to using the first comment by Matteo Italia), check the solution found here: 如果您坚持要这样做(而不是使用Matteo Italia的第一条评论),请查看以下解决方案:
How do I Search/Find and Replace in a standard string? 如何在标准字符串中搜索/查找和替换?
It's not quite what you need, but it shows how to can use .find() to get the location of the question mark and .replace to replace the question mark with the contents of your character buffers. 它并不是您所需要的,但是它显示了如何使用.find()获取问号的位置以及如何使用.replace替换您的字符缓冲区内容的问号。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.