C ++变量作为mysql_query变量从GETTEXT获得

时间:2013-11-05 00:09:13

标签: c++ mysql winapi unicode

我正在尝试执行以下操作:

  1. 将用户名输入userField
  2. 使用用户名作为变量
  3. 进行SEARCH mysql_query

    由于mysql_query采用const char *作为查询字符串,我很难超越第2阶段,我只能获得用户名char *或wchar_t *

    我也在使用unicode进行编译。

    我现在的代码:

    void mysql_connect(HWND hLoginWnd) {
    
    MYSQL *con, mysql;
    MYSQL_RES *res;
    mysql_init(&mysql);
    
    mysql_options(&mysql, MYSQL_SET_CHARSET_NAME, "utf8");
    
    mysql_real_connect(&mysql, "localhost", "root", "", "treenitaulu", 3306, NULL, 0);
    
    char name[512], pass[512];
    int lenUser = SendMessage(userField, WM_GETTEXT, 512, (LPARAM)name);
    int lenPass = SendMessage(passField, WM_GETTEXT, 512, (LPARAM)pass);
    
    if(lenUser > 0 && lenPass > 0) {
    
        std::string query = "SELECT pass FROM users WHERE name='" + std::string(name) + "'";
    
        mysql_query(&mysql, query.c_str());
    
    }
    
    }
    

    我该怎么办?

1 个答案:

答案 0 :(得分:1)

您正在将SQL字符集设置为UTF-8,因此使用WideCharToMultiByte()将已检索的UI Unicode字符串转换为UTF-8,然后将转换后的数据传递给数据库查询。可以使用char缓冲区存储UTF-8编码数据,您可以传递char*(或char[]),其中const char*是预期的。例如:

std::string Utf8Encode(WCHAR *wStr, int wLen)
{
    int utf8len = WideCharToMultiByte(CP_UTF8, 0, wStr, wLen, NULL, 0, NULL, NULL);
    if (utf8len > 0)
    {
        std::vector<char> utf8(utf8len);
        utf8len = WideCharToMultiByte(CP_UTF8, 0, wStr, wLen, &utf8[0], utf8len, NULL, NULL);
        if (utf8len > 0)
            return std::string(&utf8[0], utf8len);
    }
    return std::string();
}

void mysql_connect(HWND hLoginWnd)
{
    MYSQL *con, mysql;
    MYSQL_RES *res;
    mysql_init(&mysql);

    mysql_options(&mysql, MYSQL_SET_CHARSET_NAME, "utf8");

    mysql_real_connect(&mysql, "localhost", "root", "", "treenitaulu", 3306, NULL, 0);

    WCHAR name[512];
    int lenUser = SendMessage(userField, WM_GETTEXTW, 512, (LPARAM)name);

    if (lenUser > 0)
    {
        std::string query = "SELECT pass FROM users WHERE name='" + Utf8Encode(name, lenUser) + "'";
        mysql_query(&mysql, query.c_str());
        ...
    }
}

说到这一点,你真的需要在动态构建SQL语句时转义字符串。它更安全,因为它不容易发生SQL注入攻击:

std::string Utf8EncodeAndEscape(MYSQL *mysql, WCHAR *wStr, int wLen)
{
    int utf8len = WideCharToMultiByte(CP_UTF8, 0, wStr, wLen, NULL, 0, NULL, NULL);
    if (utf8len > 0)
    {
        std::vector<char> utf8(utf8len);
        utf8len = WideCharToMultiByte(CP_UTF8, 0, wStr, wLen, &utf8[0], utf8len, NULL, NULL);
        if (utf8len > 0)
        {
            std::vector<char> escaped(utf8len*2+1);
            unsigned long escapedLen = mysql_real_escape_string(mysql, &escaped[0], &utf8[0], utf8len);
            if (escapedLen > 0)
                return std::string(&escaped[0], escapedLen);
        }
    }

    return std::string();
}

void mysql_connect(HWND hLoginWnd)
{
    MYSQL *con, mysql;
    MYSQL_RES *res;
    mysql_init(&mysql);

    mysql_options(&mysql, MYSQL_SET_CHARSET_NAME, "utf8");

    mysql_real_connect(&mysql, "localhost", "root", "", "treenitaulu", 3306, NULL, 0);

    WCHAR name[512];
    int lenUser = SendMessage(userField, WM_GETTEXTW, 512, (LPARAM)name);

    if (lenUser > 0)
    {
        std::string query = "SELECT pass FROM users WHERE name='" + Utf8EncodeAndEscape(&mysql, name, lenUser) + "'";
        mysql_query(&mysql, query.c_str());
        ...
    }
}

参数化查询同样安全,但比动态SQL语句更有效,特别是如果您需要多次执行相同的语句:

std::wstring Utf8Decode(char *utf8Str, int utf8Len)
{
    int wlen = MultiByteToWideChar(CP_UTF8, 0, utf8Str, utf8Len, NULL, 0);
    if (wLen > 0)
    {
        std::vector<wchar_t> wStr(wLen);
        wLen = MultiByteToWideChar(CP_UTF8, 0, utf8Str, utf8Len, &wStr[0], wLen);
        if (wLen > 0)
            return std::wstring(&wStr[0], wLen);
    }
    return std::wstring();
}

MYSQL_STMT *stmt = mysql_stmt_init(&mysql);
if (stmt)
{    
    std::string query = "SELECT pass FROM users WHERE name=?"
    if (mysql_stmt_prepare(stmt, query.c_str(), query.length()) == 0)
    {
        if (mysql_stmt_param_count(stmt) == 1)
        {
            std::string utf8User = Utf8Encode(name, lenUser);
            unsigned long utf8len = utf8User.length();
            MYSQL_BIND param = {0};
            param.buffer_type = MYSQL_TYPE_STRING;
            param.buffer = utf8User.c_str();
            param.buffer_length = utf8len;
            param.length = &utf8len;
            param.is_unsigned = true;
            mysql_stmt_bind_param(stmt, &param);

            char result[512];
            unsigned long resultLen = 0;
            MYSQL_BIND result = {0};
            param.buffer_type = MYSQL_TYPE_STRING;
            param.buffer = &result[0];
            param.buffer_length = 512;
            param.length = &resultlen;
            param.is_unsigned = true;
            mysql_stmt_bind_result(stmt, &result);

            if (mysql_stmt_execute(stmt) == 0)
            {
                mysql_stmt_fetch(stmt);
                mysql_stmt_free_result(stmt); 

                SendMessage(passField, WM_SETTEXTW, 0, (LPARAM) Utf8Decode(result, resultLen).c_str());
            }
        }
    }
}

mysql_stmt_close(stmt);