How can I to pass parameters in string in C language?

For example:

char* name;
char* class;
char* instance;

...
...

sql = "create table modulo(id, nome, classe, istanza);";

I would like to pass nome, class and istanza as parameters

Thanks in advance for helping

Where does the actual data come from? Are name, etc. fixed values that will be a permanent part of the program, or will they come from the user, command line, file, etc. at run time?
ta0kira

I'd like string where I insert parameters passed from command line.
In this way, I make sql command.

For example:

./myprogram modulo name class instance

and into myprogram to build

sql = "create table modulo(id, name, class, instance);";

Like below in shell scripiting:

echo 'create table $mod(id, $n, $c, $i)'

I'd like a string with 'formal parameter', also if this is not exactly right.

In order to access the command words, the main() function must have a prototype similar to the following.
int main(int argc, char * argv[])

The names argc and argv are usually used for the parameters, but a programmer could use different names.
The command words can be accessed as argv[0] through argv[argc - 1]. The program name is the first word on the command line, which is argv[0]. The command-line arguments are argv[1] through argv[argc - 1].

For example
myecho aaa bbb ccc

When this command is executed, the command interpreter calls the main() function of the myecho program with 4 passed as the argc argument and an array of 4 strings as the argv argument. argc contains the following strings.
argv[0] - "myecho"
argv[1] - "aaa"
argv[2] - "bbb"
argv[3] - "ccc"

http://www.d.umn.edu/~gshute/C/argv.html

Gentoo

I think shifter means that he would like to compose his query string from variables, rather than have them hardcoded into literal strings. He can use sprintf() to print to a character array (string), or use a sequence of strcat() calls to iteratively compose the string.
Is this close to what you are looking for, shifter?
--- rod.

If you use that method, use snprintf instead of sprintf to avoid buffer overflow.
ta0kira

snprintf only gives the illusion of safety.

For instance, if someone gives the following arguments:

./foo %s garbage %-12d 13

what is the output? How does snprintf behave? format string vulnerabilities are just as easily exploited as buffer lengths. If this is just for home use, sprintf is fine.

In that case the output would be "create table %s(id, garbage, %-12d, 13);". The formatted output functions don't treat the additional parameters like the format string. If there is a %s, they print it (or store it in a string) exactly as written. That said, there is still an issue with SQL injection attacks that should be addressed.

Not sure what you're talking about. Using user-provided strings as the format string is always a security weakness regardless of the function used. The point of snprintf is that if I tell it I only have X characters available, it won't write more than that.ta0kira