473,791 Members | 2,995 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Multiple statements in query

Is it possible to query multiple statements at once?
Like:
$query = "set @p := 1; select @p + 1";
$results = mysql_query($qu ery);
I'm thinking of PHP4. There is in mysqli the prepare statement,
but I can't use that.

Shmuel.
Jul 17 '05 #1
2 2206
On Sun, 13 Jun 2004 23:00:43 +0300, Shmuel <sd*@nic.fi> wrote:
$query = "set @p := 1; select @p + 1";
$results = mysql_query($qu ery);


should work by default but serious webhosters are turning this feature
off for security reasons.

The reason is, when a user on your website should enter a name and
enter this instead:

myname'; drop table customers;

your php script will create a statement like this:
$query = "set name='myname'; drop table customers;"

which may cause you big trouble ;-)

Regards
Marian

--
Tipps und Tricks zu PHP, Coaching und Projektbetreuun g
http://www.heddesheimer.de/coaching/
Jul 17 '05 #2
Marian Heddesheimer wrote:
The reason is, when a user on your website should enter a name and
enter this instead:

myname'; drop table customers;

your php script will create a statement like this:
$query = "set name='myname'; drop table customers;"


This is only possible if you don't escape slashes (and ensure integers are
cast as such) when you create the query; and you should *always* do this
otherwise people *will* attempt to do exactly this. It's called sql
injection.

So say you were expecting a variable called "name" to come in from the query
string, you'd construct your query like so:

$sql = "SELECT something FROM sometable WHERE name = '" .
addslashes($_GE T['name']) . "'";

Now if they'd set name to "myname'; drop table customers;" you'd end up
with:

SELECT something FROM sometable WHERE name = '"myname\'; drop table
customers;'

Because the ' in the variable is now escaped, the whole attempted sql
injection will go to the server as the string to match against, instead of
trying to run two queries.

--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
Jul 17 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
7
31566
Can someone help me with multiple "Left Outer Joins"?
by: Steve | last post by:
I have a SQL query I'm invoking via VB6 & ADO 2.8, that requires three "Left Outer Joins" in order to return every transaction for a specific set of criteria. Using three "Left Outer Joins" slows the system down considerably. I've tried creating a temp db, but I can't figure out how to execute two select commands. (It throws the exception "The column prefix 'tempdb' does not match with a table name or alias name used in the query.")
Microsoft SQL Server
5
6412
Multiple level nested Corelated query
by: Zero.NULL | last post by:
My multiple level nested corelated query is not fetching correct result. It work fine on small set of data, but fails on larger set of data. Any clue? Explaining data storing and discussing design would be tough for me here, still to show you how complex I have created my life, here is the query: select (
Microsoft SQL Server
4
16759
Multiple statements in single query batch
by: DG | last post by:
Hi, Can anyone advise how to execute multiple statements in a single query batch. For example- update customers set customer_name = 'Smith' where customer_name = 'Smyth'; select * from customers; I can execute each statement individually but get the 'you have an error in
MySQL Database
7
6170
Executing multiple sql DDL statements
by: Glenn Davy | last post by:
Hidely hodley everyone I'd like to run a series of of sql ddl statements against an msde2000 server. Normally I just deploy cmd file that impliments as osql statement, but I'd like to store the 'patch' in an mdb file and use say ado or even a passthrough statement to execute it. The problem I've got Is I access (?) seems to require me to execute one ddl at a time, otherwise the script breaks at the 'go' statement. While I _could_ do...
Microsoft Access / VBA
2
3131
SQL multiple statements?
by: Annie D via AccessMonster.com | last post by:
Hi, Is it possible to use multiple statements in SQL?? (I’ve never used it before) : I have one query that i'm working with, The statements I want to use are as below, they all work individually, but not together, Access help is as much use as a chocolate fireguard in this case! any suggestions or explainations would be gratefully appreciated:
Microsoft Access / VBA
5
3067
Query data from multiple tables and saving back
by: mimo | last post by:
Hello, I have seen samples on how to pull data from one table and save back to it using the Form View control. How do I pull from multiple tables and save back to multiple tables on one screen? Is there a sample of this somewhere? For example I want to create a Name and an Address from one screen. It has to create a Name Record, a Name Address Record, and a NameAddressJoin Record.
ASP.NET
5
12263
When execute dynamic generated multiple OPENQUERY statements (which linkes to DB2) in SQLServer, I always got SQL1040N The maximum number of applications is already connected to the database. SQLSTATE=57030.
by: alingsjtu | last post by:
Hello, every body. When execute dynamic generated multiple OPENQUERY statements (which linkes to DB2) in SQLServer, I always got SQL1040N The maximum number of applications is already connected to the database. SQLSTATE=57030. Background: I created a linked server to DB2 8.1 database which called GRR_DB2Server. In my stored procedure p_FetchRawData, I need to read some data from this linked server GRR_DB2Server and insert them into
DB2 Database
7
20332
HOWTO Run multiple SQL statements from ASP/ADO to an Oracle 10g.
by: =?Utf-8?B?QVRT?= | last post by:
HOWTO Run multiple SQL statements from ASP/ADO to an Oracle 10g. Please help, I'm trying to write an ASP page to use ADO to run a long query against an Oracle 10g database, to create tables, if they do not already exist. In terms of ASP/ADO, that would be fine in a SQL Server Sense by a simply ASP/Server-Side JavaScript as such: var cnTemp = Server.CreateObject("ADODB.Connection");
ASP / Active Server Pages
0
2396
How to have multiple statements in one query using iDB2Command in .Net
by: harsha318 | last post by:
Hi I need to have a single query and which can have multiple statements For eg: string str = string.Empty; str = "select * from Customers;Select * from Orders"; iDB2Connection iDB2con = new iDB2Connection(connStr); iDB2Command iDBCmd = iDB2con.CreateCommand();
DB2 Database
0
9669
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
10207
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
0
9995
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
9029
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
7537
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
6776
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
5431
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
5559
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
3
2916
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us