
Multiple statements in query

Is it possible to query multiple statements at once?
Like:
$query = "set @p := 1; select @p + 1";
$results = mysql_query($query);
I'm thinking of PHP4. There is in mysqli the prepare statement,
but I can't use that.

Shmuel.
Jul 17 '05 #1
2 Replies


On Sun, 13 Jun 2004 23:00:43 +0300, Shmuel <sd*@nic.fi> wrote:
$query = "set @p := 1; select @p + 1";
$results = mysql_query($query);


should work by default but serious webhosters are turning this feature
off for security reasons.

The reason is, when a user on your website is supposed to enter a name and
enters this instead:

myname'; drop table customers;

your php script will create a statement like this:
$query = "set name='myname'; drop table customers;"

which may cause you big trouble ;-)

Regards
Marian

--
Tips and tricks for PHP, coaching and project support
http://www.heddesheimer.de/coaching/
Jul 17 '05 #2

Marian Heddesheimer wrote:
The reason is, when a user on your website should enter a name and
enter this instead:

myname'; drop table customers;

your php script will create a statement like this:
$query = "set name='myname'; drop table customers;"


This is only possible if you don't escape slashes (and ensure integers are
cast as such) when you create the query; and you should *always* do this
otherwise people *will* attempt to do exactly this. It's called sql
injection.

So say you were expecting a variable called "name" to come in from the query
string, you'd construct your query like so:

$sql = "SELECT something FROM sometable WHERE name = '" .
addslashes($_GET['name']) . "'";

Now if they'd set name to "myname'; drop table customers;" you'd end up
with:

SELECT something FROM sometable WHERE name = 'myname\'; drop table
customers;'

Because the ' in the variable is now escaped, the whole attempted sql
injection will go to the server as the string to match against, instead of
trying to run two queries.

--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
Jul 17 '05 #3
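The two replies above make one point each: stacked statements are what turn a quoting mistake into a dropped table, and escaping (or better, parameters) keeps the whole input as the string to match. The following is an added example, not code from the thread or from either poster. It uses Python's sqlite3 module as a stand-in for PHP's mysql_query: executescript plays the role of a connection that accepts several statements per call, and because SQLite escapes a quote by doubling it rather than with the backslash that addslashes() produces, the escape helper here is the SQLite rule, not addslashes() itself. The table, rows and payload are constructed fixtures.

```python
import sqlite3

# Constructed sample input: the payload quoted in the thread.
PAYLOAD = "myname'; drop table customers;"


def fresh_db():
    """In-memory database with a 'customers' table (constructed fixture).

    The second row stores the payload text itself as an ordinary name, so the
    lookups below can show that a correctly quoted query simply matches it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO customers (name) VALUES ('alice')")
    conn.execute("INSERT INTO customers (name) VALUES (?)", (PAYLOAD,))
    conn.commit()
    return conn


def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


def lookup_concatenated(conn, name):
    """The pattern Marian warns about: the raw value is spliced into the SQL
    text and handed to an API that runs several statements per call.
    Returns whether the customers table survived the call."""
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    try:
        # executescript accepts stacked statements, like a MySQL connection
        # with multi-statement execution left on.
        conn.executescript(sql)
    except sqlite3.Error:
        # The quote left over from the payload makes the final fragment
        # unparsable, but every statement before it has already run.
        pass
    return table_exists(conn, "customers")


def escape_for_sqlite(value):
    """SQLite analogue of addslashes(): a quote inside a literal is doubled.
    The rule is dialect-specific, which is one reason to prefer parameters."""
    return value.replace("'", "''")


def lookup_escaped(conn, name):
    """Chris Hope's approach: escape the value, then send a single statement.
    The payload is now one string literal and is matched, not executed."""
    sql = "SELECT id FROM customers WHERE name = '" + escape_for_sqlite(name) + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Preferred form: the driver carries the value separately from the SQL
    text, so there are no quoting rules to get right at all."""
    return conn.execute(
        "SELECT id FROM customers WHERE name = ?", (name,)
    ).fetchall()


def main():
    print("concatenated, table survived:", lookup_concatenated(fresh_db(), PAYLOAD))
    conn = fresh_db()
    print("escaped lookup:", lookup_escaped(conn, PAYLOAD))
    print("parameterized lookup:", lookup_parameterized(conn, PAYLOAD))
    print("table survived:", table_exists(conn, "customers"))


if __name__ == "__main__":
    main()
```

Running it shows the concatenated version losing the customers table while both the escaped and the parameterized lookups return the row whose name is the payload text. Parameters are the form to reach for: the escaped version only works because the escape rule matches the database dialect, which is exactly the kind of detail addslashes() gets wrong outside MySQL.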
