
multiple query help


jake2891


Does anyone know why the following SQL runs successfully in the mysql client but not when run in a PHP page? I can run other queries in the PHP page, but none that chain together.

 

$sql = "select test1 from hello where test1 = 1; DROP TABLE hello ";

$q = mysql_query($sql,$link);

 

thanks


Simple, mysql_query() does not support multiple queries -

 

Description

resource mysql_query ( string $query [, resource $link_identifier ] )

mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.

 

Because too many PHP programmers don't properly validate external data that their scripts receive and put into query strings.

 

 


What he means is, PHP by default doesn't allow two queries to be processed in the same string specifically because developers are generally not smart enough to properly sanitize their incoming user data, so a user puts "'; DROP TABLE `users`;#" inside the "login" form and your site suddenly disappears.  PHP has a lot of "quirks" to protect the dumber members of the web dev community.

 

You will have to put your queries in an array and run them one at a time.

 

-Dan


Just to contribute to the general knowledge of others who may read this:

 

PFMaBismAd is right in his answer: mysql_query() ... or more generally, the mysql API doesn't support multi-queries; however, the mysqli API supports them and they can be used without problem, obviously taking the necessary precautions to sanitize and properly chain the sentences.

 

As has been said, multi-queries have some risks and they must be used only in very specific and controlled situations where the risks are non-existent (or highly minimized).

 

@ManiacDan

"PHP by default doesn't allow two queries to be processed in the same string"

 

That is incorrect; PHP doesn't play any role in allowing or not allowing a multi-query; the mysql API (or mysqli) is the one responsible for that.
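
Added example, not part of any post in this thread: the advice from the replies above (one statement per call, external data validated and bound rather than spliced into the query string) written against mysqli. The connection details, the scratch database `test` and the function names `run_each`, `accepted_by_query` and `find_rows` are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Connection details are assumed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'test'); // assumed scratch DB

// Each statement is its own string and its own round trip to the server.
function run_each(mysqli $db, array $statements): int
{
    $done = 0;
    foreach ($statements as $sql) {
        $db->query($sql); // throws and stops the batch on the first failure
        $done++;
    }
    return $done;
}

// query() sends a single statement; text after ";" is a syntax error to the server.
function accepted_by_query(mysqli $db, string $sql): bool
{
    try {
        $db->query($sql);
        return true;
    } catch (mysqli_sql_exception $e) {
        return false; // the whole string is rejected, no part of it runs
    }
}

// External input is validated, then bound; it is never spliced into the SQL text.
function find_rows(mysqli $db, string $input): array
{
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // not an integer, so no query is sent
    }
    $stmt = $db->prepare('SELECT test1 FROM hello WHERE test1 = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}

run_each($db, [
    'CREATE TABLE IF NOT EXISTS hello (test1 INT)',
    'DELETE FROM hello',
    'INSERT INTO hello (test1) VALUES (1), (2)',
]);
$stacked = 'select test1 from hello where test1 = 1; DROP TABLE hello'; // string from the question
var_dump(accepted_by_query($db, $stacked));      // single-statement API vs. chained SQL
var_dump(find_rows($db, '1'));                   // valid id, bound as an integer
var_dump(find_rows($db, '1; DROP TABLE hello')); // fails validation, nothing sent
```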
