mysql - Preventing SQL Injection in C
I am writing a C application that takes user input and makes a few database queries. I am aware of the risk of SQL injection here and wish to prevent it.

Ideally I would use parameterized queries, but I have been unable to find that functionality in C so far. I am constructing queries like this:
    char *query;
    asprintf(&query, "update sometable set somefield='%s';", userinput);  /* userinput is spliced directly into the SQL text */
If I am unable to do this, I must need to filter the user input. How should the filtering be done? Is it enough to remove 's and "s? (Valid inputs cannot contain them.) If so, what is the easiest way of doing that in C?
I believe you want to use prepared statements and parameter binding. Do not directly interpolate user data into queries. See the MySQL manual for info on this.