You can do it with `sprintf`, but not alone (safely). On a sane system, use `snprintf` twice, once to find out the size to use and the second time to actually do it. This depends on `snprintf` returning the number of characters needed when it runs out of room. Linux, BSD, and C99-compatible systems do this; Windows typically does not. In the latter case, you'll need to allocate an initial buffer and allocate a bigger one if `snprintf` fails (in a loop until `snprintf` succeeds). But on C99, the following will work:
```c
#include <stdio.h>
#include <stdlib.h>
char *buf;
size_t sz;
/* first call: NULL buffer, size 0, returns the length needed (C99) */
sz = snprintf(NULL, 0, "select key from answer WHERE key = %s LIMIT 5;", tmp);
buf = malloc(sz + 1); /* +1 for the terminating NUL */
if (buf == NULL) { /* handle allocation failure in real code */ }
/* second call: the buffer is now exactly big enough */
snprintf(buf, sz+1, "select key from answer WHERE key = %s LIMIT 5;", tmp);
```
However, for building SQL, it's far better to use prepared statements. They avoid SQL injection vulnerabilities (and frequently the need for `sprintf`). With them, you would prepare the statement "select key from answer where key = ? limit 5;", and then execute it with the parameter `tmp`. The SQL engine puts in the string and removes the need to make sure it's properly escaped first.
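 
The two sizing strategies described in the answer above, as an added example that is not part of the original post: the C99 measure-then-format call wrapped in a function, beside the grow-and-retry loop needed where `snprintf` returns -1 on truncation instead of the required length. The function names `format_alloc_c99` and `format_alloc_grow` and the 1 MiB growth ceiling are this example's own choices.

```c
/* Added example, not from the original answer. Function names and the
 * size ceiling are chosen here for illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* C99 path: measure with a NULL buffer, then format into an exact fit. */
char *format_alloc_c99(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(NULL, 0, fmt, ap);   /* length without the NUL */
    va_end(ap);
    if (needed < 0)                              /* encoding error */
        return NULL;
    char *buf = malloc((size_t)needed + 1);
    if (buf == NULL)
        return NULL;
    va_start(ap, fmt);                           /* restart the va_list */
    vsnprintf(buf, (size_t)needed + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Portable path: retry with a bigger buffer until the result fits. Works
 * whether the implementation returns the needed length or just -1. */
char *format_alloc_grow(const char *fmt, ...)
{
    size_t cap = 64;
    char *buf = NULL;
    for (;;) {
        char *tmp = realloc(buf, cap);
        if (tmp == NULL) { free(buf); return NULL; }
        buf = tmp;
        va_list ap;
        va_start(ap, fmt);
        int n = vsnprintf(buf, cap, fmt, ap);
        va_end(ap);
        if (n >= 0 && (size_t)n < cap)
            return buf;                          /* fit, NUL included */
        cap = (n >= 0) ? (size_t)n + 1           /* C99 told us the size */
                       : cap * 2;                /* -1: grow and retry */
        if (cap > (1u << 20)) { free(buf); return NULL; }  /* give up */
    }
}
```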