Re: Re: Batch queries in the same mysql_query()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you, dave.

The manual pages didn't say anything about the content of the query
parameter, but a (good) comment from kagekonjou@gmail about how to
escape danger characters from the imput.

Yes, there is a risk of SQL injection by allowing the use of ";"
inside queries. But I think that this would be a user decision, not a
PHP decision (note that mySQL allow the use of ";" in a unique line).

In resume, if PHP is trying to introduce security, it should use a
default behavior to apply it, but also should let the user control
this option. For example, what if I am not reading query parameters
from the user or browser?

Thanks again,

Denio 

On 6/28/05, David Robley <robleyd@xxxxxxxxxxxxxx> wrote:
> Denio Mariz wrote:
> 
> > Hi,
> >
> > I'm trying to execute multiple queries using mysql_query() function and
> > I'm getting an error to check SQL syntax.
> > My PHP code looks like:
> >
> > //-------------------------
> > $sql="select x from y ; insert into y values ( 1, 2 )";
> > mysql_query( $sql ) or die( mysql_error() );
> > //-------------------------
> >
> > Maybe the problem resides on the character ";", but this queries run
> > without problems when typed on "mysql" command-line tool. So, if it works
> > on "mysql" command line, why it doesn't work using mysql_query() ?
> >
> > Any hint ?
> >
> If you look at php.net/mysql_query it will tell you that the query shouldn't
> end with a semicolon ";" What it really should say is the query shouldn't
> _contain_ a semicolon. This is php attempting to protect you from SQL
> injection.
> 
> Just do a separate mysql_query for each query.
> 
> 
> 
> Cheers
> --
> David Robley
> 
> Friction can be a drag sometimes.
> 
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 


-- 

Denio.

...................................................................
Denio Mariz
Teacher, CEFETPB
Researcher, GPRT/UFPE, Brazil

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux