
Multiple statements in query

Is it possible to query multiple statements at once?
Like:
$query = "set @p := 1; select @p + 1";
$results = mysql_query($query);
I'm thinking of PHP4. There is in mysqli the prepare statement,
but I can't use that.

Shmuel.
Jul 17 '05 #1
On Sun, 13 Jun 2004 23:00:43 +0300, Shmuel <sd*@nic.fi> wrote:
$query = "set @p := 1; select @p + 1";
$results = mysql_query($query);


should work by default but serious webhosters are turning this feature
off for security reasons.

The reason is, when a user on your website is supposed to enter a name and
enters this instead:

myname'; drop table customers;

your php script will create a statement like this:
$query = "set name='myname'; drop table customers;";

which may cause you big trouble ;-)

Regards
Marian

--
Tipps und Tricks zu PHP, Coaching und Projektbetreuung
http://www.heddesheimer.de/coaching/
Jul 17 '05 #2
Marian Heddesheimer wrote:
The reason is, when a user on your website is supposed to enter a name and
enters this instead:

myname'; drop table customers;

your php script will create a statement like this:
$query = "set name='myname'; drop table customers;";


This is only possible if you don't escape slashes (and ensure integers are
cast as such) when you create the query; and you should *always* do this,
otherwise people *will* attempt to do exactly this. It's called SQL
injection.

So say you were expecting a variable called "name" to come in from the query
string, you'd construct your query like so:

$sql = "SELECT something FROM sometable WHERE name = '" .
addslashes($_GET['name']) . "'";

Now if they'd set name to "myname'; drop table customers;" you'd end up
with:

SELECT something FROM sometable WHERE name = 'myname\'; drop table
customers;'

Because the ' in the variable is now escaped, the whole attempted SQL
injection will go to the server as the string to match against, instead of
trying to run two queries.

--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
Jul 17 '05 #3
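As an added illustration (not code from the thread or from either poster), the same input handled the two ways the replies describe: text glued into the SQL versus a value bound as a parameter. Python's sqlite3 module stands in for PHP4 and MySQL here: its execute() takes only one statement per call, much like the hosts Marian mentions that switch multi-statement queries off, while executescript() plays the permissive server.

```python
import sqlite3

# Constructed sample input: the value from the thread that turns one
# statement into two once it is pasted into the SQL text.
INJECTED_NAME = "myname'; drop table customers;"


def fresh_db():
    """In-memory stand-in for the MySQL database discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)", [("myname",), ("alice",)])
    conn.commit()
    return conn


def table_exists(conn, table):
    sql = "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (table,)).fetchone()[0] == 1


def naive_query(name):
    """String concatenation as in the thread: the input becomes part of the SQL."""
    return "SELECT name FROM customers WHERE name = '" + name + "'"


def run_naive(name, allow_multiple):
    """Send the concatenated text. allow_multiple=False mimics a server that
    takes one statement per call (execute); True mimics a permissive one
    (executescript). Returns (completed_without_error, customers_still_there)."""
    conn = fresh_db()
    sql = naive_query(name)
    try:
        if allow_multiple:
            conn.executescript(sql)  # runs the SELECT, then the DROP, then fails on the stray '
        else:
            conn.execute(sql)  # refused: "You can only execute one statement at a time"
        ok = True
    except (sqlite3.Error, sqlite3.Warning):  # Warning is what Python < 3.11 raised here
        ok = False
    return ok, table_exists(conn, "customers")


def run_parameterized(name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL.
    Returns (matching names, customers_still_there)."""
    conn = fresh_db()
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows], table_exists(conn, "customers")
```

With the bound parameter the injected text simply matches no row and the table survives; with concatenation the only thing standing between the input and a dropped table is whether the server accepts more than one statement per call.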
