[abhishekgaur]

char * createQuery (Image_Desc *searchCriteria, SEARCHTYPE stype,char *other)
{
	char *ret = NULL;
	int init = 0;
	char *Query = NULL;
	char subQuery[BUFFSIZE]={0};

	if ((stype > 0) && (stype < 10) && searchCriteria) {
		Query = (char *) MALLOC(BUFFSIZE);
		switch(stype){

		case SE_METADATA:
		case SE_RANGETIME:
			{
				sprintf(Query, "select * from DATA");

				if (searchCriteria->ImageID) {
					sprintf(subQuery, "%s %d", " where Img_ID is ", searchCriteria->ImageID);
					strcat(Query, subQuery);
					init = 1;
				}

				if (searchCriteria->ImageType) {
					memset(subQuery, 0, BUFFSIZE);
					if (1 == init) {
						sprintf(subQuery, "%s '%c'", " And Img_Type is ", searchCriteria->ImageType);
					} else {
						sprintf(subQuery, "%s '%c'", " where Img_Type is ", searchCriteria->ImageType);
						init = 1;
					}

					strcat(Query, subQuery);
				}

				if (searchCriteria->ImageFilePath) {
					memset(subQuery, 0, BUFFSIZE);
					if (1 == init) {
						sprintf(subQuery, "%s '%s'", " And Img_FilePath is ", searchCriteria->ImageFilePath);
					} else {
						sprintf(subQuery, "%s '%s'", " where Img_FilePath is ", searchCriteria->ImageFilePath);
						init = 1;
					}
					strcat(Query, subQuery);
				}

				if (searchCriteria->Timestamp) {
					memset(subQuery, 0, BUFFSIZE);
					if (1 == init) {
						sprintf(subQuery, "%s '%s'", " And Img_Timestamp is ", searchCriteria->Timestamp);
					} else {
						sprintf(subQuery, "%s '%s'", " where Img_Timestamp is ", searchCriteria->Timestamp);
						init = 1;
					}
					strcat(Query, subQuery);

					if (other) {
						
						
						
						strcat(Query, "WHERE DATA.Timestamp > '2012/6/05' AND DATA.TIMESTAMP <= '2012/7/06';");
					}
				}

MOD EDIT: Added code tags. When posting code...USE CODE TAGS!!!

This post has been edited by JackOfAllTrades: 19 July 2012 - 03:52 AM

[Skydiver]

Put your code in [code] tags.

I see beautiful code that is ripe for SQL injection attacks...


Anyway, what is the specific problem you need help with in your code above?

This post has been edited by Skydiver: 19 July 2012 - 12:02 AM

[abhishekgaur]

actually one time stamp is coming from searchCriteria->Timestamp and in other i want to add the other time stamp so that a specific range is formed but i am not able to do that i want to inject query so that a range of date can be formed .

[Skydiver]

Why are you "not able to do that"? What have you tried previously? Can you show us your past attempts?

[abhishekgaur]

if (other) {



strcat(Query, "WHERE DATA.Timestamp > '2012/6/05' AND DATA.TIMESTAMP <= '2012/7/06';");
}
} tried this

[Skydiver]

But in the lines above that you were building string using sprintf(), what makes this any different?