Solved

std::string concat

Posted on 2002-07-29
Last Modified: 2013-12-14
When working with the std::string library, is there any way to concatenate several string and/or char* objects into one?  For example, I want to create an SQL statement.  Is there a better way than:

std::string sql;

sql = "SELECT * FROM USERS WHERE USERNAME='";
sql += userName;
sql += "' AND PASSWORD='";
sql += password;
sql += "'";
Question by:dirtdart
 
LVL 86

Accepted Solution

by:
jkr earned 100 total points
You could use a 'std::stringstream':

#include <sstream>

std::stringstream ss;
std::string sql;

ss << "SELECT * FROM USERS WHERE USERNAME='" << userName << "' AND PASSWORD='" << password << "'";

sql = ss.str();

 
LVL 30

Expert Comment

by:Axter
Anther method:

sql = std::string("SELECT * FROM USERS WHERE USERNAME='") + std::string(userName) + std::string("' AND PASSWORD='") + std::string(password) + std::string("'");

 
LVL 10

Expert Comment

by:oleber
After having a lot of problems like that I did a child class like this. It takes some work at the beginning, but you will be saving time in the end.

//  header file
#include <string>
#include <cstdarg>
#include <cstdio>

class SuperString : public std::string
{
public:
  static const int MAX_BUFFER_SIZE;
  SuperString() {}
  SuperString(const char* s) : std::string(s) {}   // lets Format() return a plain char buffer
  static SuperString Format(const char* format, ...);
  ...
};

// source file
const int SuperString::MAX_BUFFER_SIZE = 1024;
SuperString SuperString::Format(const char* format, ...)
{
  va_list ap;
  va_start(ap, format);
  char strBuffer[MAX_BUFFER_SIZE];   // fixed-size stack buffer; vsprintf does not bound its writes to it
  vsprintf(strBuffer, format, ap);
  va_end(ap);
  return strBuffer;
}

// use file
SuperString sql = SuperString::Format("SELECT * FROM USERS WHERE USERNAME='%s' AND PASSWORD='%s'", userName.c_str(), password.c_str());
 
LVL 8

Expert Comment

by:fl0yd
oleber,
    the idea is good and so is the intention. The result, however, is bad. vsprintf is potentially unsafe -- it can be used to break into an otherwise safe system through a stack overflow. Neither std::string nor std::stringstream suffer from this negative effect. Personally, I'd suggest jkr's approach for two reasons: it's safe and it's clean.
 
LVL 10

Expert Comment

by:oleber
Sure there can be a problem, that's why I have a MAX_BUFFER_SIZE constant. If you think that 1024 is too small you can set a bigger value.

Talking about safety.

DIRTDART, are you taking care with the values coming in for the variables login and password?

Let's think about having userName="'; DELETE USERS; SELECT * FROM USERS WHERE USERNAME='". You are not the first to have that problem. I'm not saying that you have that problem.

 
LVL 8

Expert Comment

by:fl0yd
oleber,
    setting the max buffer size to a value isn't going to prevent vsprintf from writing over the boundary. You could use vsnprintf, but that's not a standard function :(
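A bounded alternative to the vsprintf-based Format() posted above, added here as an example and not code from any poster in this thread: vsnprintf (standard since C99/C++11, together with va_copy) is first asked how long the output would be, so the buffer is sized to the output instead of the output being squeezed into a fixed stack array. The function and query names are assumptions.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>
#include <vector>

// Format into a std::string with no fixed-size stack buffer.
// A first vsnprintf call with a zero-length buffer reports the length the
// output needs; only then is storage allocated, so an argument longer than
// any hard-coded MAX_BUFFER_SIZE cannot write past the end of the buffer.
std::string FormatString(const char* format, ...)
{
    va_list ap;
    va_start(ap, format);
    va_list ap2;
    va_copy(ap2, ap);              // the first pass consumes ap; keep a copy for the second
    int needed = std::vsnprintf(nullptr, 0, format, ap);
    va_end(ap);
    if (needed < 0) {              // encoding error: return empty rather than garbage
        va_end(ap2);
        return std::string();
    }
    std::vector<char> buf(static_cast<std::size_t>(needed) + 1);   // +1 for the terminator
    std::vsnprintf(buf.data(), buf.size(), format, ap2);
    va_end(ap2);
    return std::string(buf.data(), static_cast<std::size_t>(needed));
}

// The same query the thread builds, formatted with a bounded call.
std::string BuildQuery(const std::string& userName, const std::string& password)
{
    return FormatString("SELECT * FROM USERS WHERE USERNAME='%s' AND PASSWORD='%s'",
                        userName.c_str(), password.c_str());
}

int main()
{
    // Constructed input: a user name far longer than a 1024-byte stack buffer.
    std::string longName(4096, 'A');
    std::string q = BuildQuery(longName, "secret");
    std::printf("%zu bytes\n", q.size());
    return 0;
}
```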
 
LVL 5

Author Comment

by:dirtdart
oleber:  I have toyed with the idea of creating a string class like you show, but although the idea is good, overall it somewhat defeats some of my purposes.  Mainly, attempting to stay away from character arrays wherever possible.  After the snafus with Microsoft code over the past year or so, the idea of buffer overflow is at the forefront of my mind.  As to the issue of rogue SQL, yes I am aware of it and need to determine the best route to deal with it.  In this case, I don't think it will matter because if I ended up with "SELECT * FROM DELETE USERS..." it wouldn't give anything but an error.

Although Axter and jkr both had good, workable solutions, I believe aesthetically I like jkr's better.  All those casts just make the code harder to read.

Thanks everyone for your suggestions.
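An added example, not code from any poster: jkr's stringstream build run with the user name oleber suggested, beside a hypothetical parameterized form whose SQL text does not change with input (the BoundQuery struct and the '?' placeholders are assumptions standing in for a real driver's bind API), plus a rough statement counter that shows how the concatenated query has been altered.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// jkr's stringstream approach: the values become part of the SQL text.
std::string ConcatQuery(const std::string& userName, const std::string& password)
{
    std::stringstream ss;
    ss << "SELECT * FROM USERS WHERE USERNAME='" << userName
       << "' AND PASSWORD='" << password << "'";
    return ss.str();
}

// Hypothetical parameterized form (assumption, not a real driver API): the
// statement text is a constant and the values travel separately, to be bound
// to the '?' placeholders by the database layer.
struct BoundQuery {
    std::string sql;
    std::vector<std::string> params;
};

BoundQuery BindQuery(const std::string& userName, const std::string& password)
{
    return BoundQuery{ "SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?",
                       { userName, password } };
}

// Rough check: count statements separated by ';' outside single-quoted
// literals. One SELECT that counts as more than one has been altered by input.
int CountStatements(const std::string& sql)
{
    int count = 0;
    bool inQuote = false, sawText = false;
    for (char c : sql) {
        if (c == '\'') inQuote = !inQuote;
        else if (c == ';' && !inQuote) { if (sawText) ++count; sawText = false; }
        else if (c != ' ') sawText = true;
    }
    return count + (sawText ? 1 : 0);
}

int main()
{
    std::string evil = "'; DELETE USERS; SELECT * FROM USERS WHERE USERNAME='";
    std::cout << ConcatQuery(evil, "pw") << "\n";
    std::cout << CountStatements(ConcatQuery(evil, "pw")) << " statements\n";
    std::cout << BindQuery(evil, "pw").sql << "\n";
    return 0;
}
```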
 
LVL 4

Expert Comment

by:IainHere
FYI they aren't casts in Axter's method, they're constructors.  So you're concatenating a load of temporary strings.
 
LVL 5

Author Comment

by:dirtdart
Ok, I can see that.  I just wasn't taking enough time to look at it.  Wouldn't that take a lot of extra time/memory to construct each of those temp strings, combine them all together and then destroy them?
 
LVL 30

Expert Comment

by:Axter
>>Ok, I can see that.  I just wasn't taking enough time to
>>look at it.  Wouldn't that take a lot of extra
>>time/memory to construct each of those temp strings,
>>combine them all together and then destroy them?

Depends what you're comparing it to.
It doesn't take that much time if you compare it to the stringstream method.
In most implementations, the temp string method will outperform the stringstream method.
 
LVL 5

Author Comment

by:dirtdart
hmmm.  Seems like everything about C++ and STL works exactly backward to the way it looks like it should.  I need a book, or two, or three about this.  I've probably got my code so screwed up by now that it will never perform.