std::string concat

When working with the std::string library, is there any way to concatenate several string and/or char* objects into one?  For example, I want to create an SQL statement.  Is there a better way than:

std::string sql;

sql = "SELECT * FROM USERS WHERE USERNAME='";
sql += userName;
sql += "' AND PASSWORD='";
sql += password;
sql += "'";
dirtdart asked:
jkr commented:
You could use a 'std::stringstream':

#include <sstream>
#include <string>

std::stringstream ss;
std::string sql;

ss << "SELECT * FROM USERS WHERE USERNAME='" << userName << "' AND PASSWORD='" << password << "'";

sql = ss.str();


Axter commented:
Another method:

sql = std::string("SELECT * FROM USERS WHERE USERNAME='") + std::string(userName) + std::string("' AND PASSWORD='") + std::string(password) + std::string("'");

oleber commented:
After having a lot of problems like that, I did a child class like this. It takes some work at the beginning, but you will be saving time in the end.

//  header file
#include <cstdarg>
#include <cstdio>
#include <string>

class SuperString : public std::string
{
public:
  SuperString() {}
  SuperString(const char* s) : std::string(s) {}   // needed so Format() can return the char buffer
  static const int MAX_BUFFER_SIZE;
  static SuperString Format(const char* format, ...);
  ...
};

// source file
const int SuperString::MAX_BUFFER_SIZE = 1024;
SuperString SuperString::Format(const char* format, ...)
{
  va_list ap;
  va_start(ap, format);
  char strBuffer[MAX_BUFFER_SIZE];
  vsprintf(strBuffer, format, ap);   // unbounded write: overruns strBuffer if the result exceeds MAX_BUFFER_SIZE
  va_end(ap);
  return strBuffer;
}

// use file
SuperString sql = SuperString::Format("SELECT * FROM USERS WHERE USERNAME='%s' AND PASSWORD='%s'", userName.c_str(), password.c_str());
fl0yd commented:
oleber,
    the idea is good and so is the intention. The result, however, is bad. vsprintf is potentially unsafe -- it can be used to break into an otherwise safe system through a stack overflow. Neither std::string nor std::stringstream suffer from this negative effect. Personally, I'd suggest jkr's approach for two reasons: it's safe and it's clean.
oleber commented:
Sure there can be a problem, that's why I have a MAX_BUFFER_SIZE constant. If you think that 1024 is too small you can set a bigger value.

Talking about safety.

DIRTDART, are you taking care with the values coming from the variables login and password?

Let's think about having userName="'; DELETE USERS; SELECT * FROM USERS WHERE USERNAME='". You are not the first to have that problem. I'm not saying that you have that problem.

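The injected userName oleber describes above, pushed through the thread's stringstream concatenation and through a quoting helper, as an added example (my code, not from any poster in the thread). QuoteLiteral and CountStatements are hypothetical helpers and the credentials are constructed sample values. Quoting by hand is shown only because it can be demonstrated without a database; a real application should bind parameters through the database driver, which keeps the values out of the statement text altogether.

```cpp
#include <cstdio>
#include <sstream>
#include <string>

// Builds the statement exactly the way the thread does (stringstream concatenation).
std::string BuildUnsafeQuery(const std::string& userName, const std::string& password)
{
    std::stringstream ss;
    ss << "SELECT * FROM USERS WHERE USERNAME='" << userName
       << "' AND PASSWORD='" << password << "'";
    return ss.str();
}

// Hypothetical helper: wraps a value in single quotes and doubles any quote
// inside it (standard SQL escaping), so the value can only ever be read as
// one string literal.
std::string QuoteLiteral(const std::string& value)
{
    std::string out;
    out.reserve(value.size() + 2);
    out += '\'';
    for (char c : value) {
        if (c == '\'') out += '\'';   // ' becomes ''
        out += c;
    }
    out += '\'';
    return out;
}

std::string BuildQuotedQuery(const std::string& userName, const std::string& password)
{
    std::stringstream ss;
    ss << "SELECT * FROM USERS WHERE USERNAME=" << QuoteLiteral(userName)
       << " AND PASSWORD=" << QuoteLiteral(password);
    return ss.str();
}

// Hypothetical helper, not a SQL parser: counts statements by treating a ';'
// outside a single-quoted literal as a statement separator.  Used only to
// show how many statements each builder hands to the database.
int CountStatements(const std::string& sql)
{
    int count = 1;
    bool inLiteral = false;
    for (char c : sql) {
        if (c == '\'') inLiteral = !inLiteral;      // a doubled '' toggles twice, so it stays inside
        else if (c == ';' && !inLiteral) ++count;
    }
    return count;
}

int main()
{
    // Constructed sample input: the payload from the thread.
    const std::string evilUser = "'; DELETE USERS; SELECT * FROM USERS WHERE USERNAME='";
    std::printf("unsafe: %d statement(s)\n", CountStatements(BuildUnsafeQuery(evilUser, "x")));
    std::printf("quoted: %d statement(s)\n", CountStatements(BuildQuotedQuery(evilUser, "x")));
    return 0;
}
```

With the thread's payload the concatenated version yields three statements (the DELETE runs as its own statement), while the quoted version stays a single SELECT whose USERNAME literal merely contains the text of the attack. For ordinary values such as "bob"/"pw" both builders produce the identical statement, which is why the defect is invisible until hostile input arrives.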
fl0yd commented:
oleber,
    setting the max buffer size to a value isn't going to prevent vsprintf to write over the boundary. You could use vsnprintf, but that's not a standard function :(
dirtdart (author) commented:
oleber:  I have toyed with the idea of creating a string class like you show, but although the idea is good, overall it somewhat defeats some of my purposes.  Mainly, attempting to stay away from character arrays wherever possible.  After the snafus with Microsoft code over the past year or so, the idea of buffer overflow is at the forefront of my mind.  As to the issue of rogue SQL, yes I am aware of it and need to determine the best route to deal with it.  In this case, I don't think it will matter because if I ended up with "SELECT * FROM DELETE USERS..." it wouldn't give anything but an error.

Although Axter and jkr both had good, workable solutions, I believe aesthetically I like jkr's better.  All those casts just make the code harder to read.

Thanks everyone for your suggestions.
IainHere commented:
FYI they aren't casts in Axter's method, they're constructors.  So you're concatenating a load of temporary strings.
dirtdart (author) commented:
Ok, I can see that.  I just wasn't taking enough time to look at it.  Wouldn't that take a lot of extra time/memory to construct each of those temp strings, combine them all together and then destroy them?
Axter commented:
>>Ok, I can see that.  I just wasn't taking enough time to
>>look at it.  Wouldn't that take a lot of extra
>>time/memory to construct each of those temp strings,
>>combine them all together and then destroy them?

Depends what you're comparing it to.
It doesn't take that much time if you compare it to the stringstream method.
In most implementations, the temp string method will outperform the stringstream method.
dirtdart (author) commented:
hmmm.  Seems like everything about C++ and STL works exactly backward to the way it looks like it should.  I need a book, or two, or three about this.  I've probably got my code so screwed up by now that it will never perform.
Question has a verified solution.