我目前正在开发一个项目,我希望使用SQLite来存储一些数据。一切都运行良好,除非我想在表格中插入新数据。当我运行应用程序时,我得到分段错误,但我找不到问题。
void sqlite(char *id, char *sensorname, char *sensorvalue){
sqlite3 *db;
char *zErrMsg = 0;
int rc;
char *sql;
const char* data = "Callback function called";
/* Open database */
rc = sqlite3_open("/home/macho/Documents/sensor_database.db", &db);
if( rc ){
fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
exit(0);
}else{
fprintf(stderr, "Opened database successfully\n");
}
sql = "INSERT INTO sensors (id,sensorname,sensorvalue) VALUES(";
char* split = ",";
strcat(sql, id);
strcat(sql, ",");
strcat(sql, sensorname);
strcat(sql, ",");
strcat(sql, sensorvalue);
strcat(sql, ");");
rc = sqlite3_exec(db, sql, callback, (void*)data, &zErrMsg);
if( rc != SQLITE_OK ){
fprintf(stderr, "SQL error: %s\n", zErrMsg);
sqlite3_free(zErrMsg);
}else{
fprintf(stdout, "Operation done successfully\n");
}
sqlite3_close(db);
}
总的来说,我正在调用sqlite()函数:
sqlite("1","sensor","sensor1");
知道问题是什么吗?
谢谢!
答案 0 :(得分:3)
您为sql分配一个静态(只读)字符串,然后尝试附加到该字符串。相反,在堆栈上创建一个大型可写数组或使用malloc,然后在其中汇编查询。所以
char sql[4096];
strcpy(sql, "INSERT INTO sensors ...
...
请注意,您应该根据值的长度来检查缓冲区的溢出。
BTW,编写的代码只是要求用户可以访问SQL注入攻击。查看Bobby Tables。