jake2891 Posted November 11, 2010 Share Posted November 11, 2010 does anyone know why the following sql runs successfully in mysql client but not when run in a php page. I can run other queries in the php page but none that chain together. $sql = "select test1 from hello where test1 = 1; DROP TABLE hello "; $q = mysql_query($sql,$link); thanks Link to comment https://forums.phpfreaks.com/topic/218392-multiple-query-help/ Share on other sites More sharing options...
PFMaBiSmAd Posted November 11, 2010 Share Posted November 11, 2010 Simple, mysql_query() does not support multiple queries - Description resource mysql_query ( string $query [, resource $link_identifier ] ) mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier . Because too many php programmers don't properly validate external data that their scripts receive and put into query strings. Link to comment https://forums.phpfreaks.com/topic/218392-multiple-query-help/#findComment-1133030 Share on other sites More sharing options...
jake2891 Posted November 11, 2010 Author Share Posted November 11, 2010 thanks for the reply. Link to comment https://forums.phpfreaks.com/topic/218392-multiple-query-help/#findComment-1133034 Share on other sites More sharing options...
ManiacDan Posted November 11, 2010 Share Posted November 11, 2010 What he means is, PHP by default doesn't allow two queries to be processed in the same string specifically because developers are generally not smart enough to properly sanitize their incoming user data, so a user puts "'; DROP TABLE `users`;#" inside the "login" form and your site suddenly disappears. PHP has a lot of "quirks" to protect the dumber members of the web dev community. You will have to put your queries in an array and run them one at a time. -Dan Link to comment https://forums.phpfreaks.com/topic/218392-multiple-query-help/#findComment-1133038 Share on other sites More sharing options...
PFMaBiSmAd Posted November 11, 2010 Share Posted November 11, 2010 And since you would want(need) to check in an actual application what the result of one query is before executing a follow-on query, you would not want to string multiple queries together in an application, like you can in a direct interactive session to a database. Link to comment https://forums.phpfreaks.com/topic/218392-multiple-query-help/#findComment-1133043 Share on other sites More sharing options...
mikosiko Posted November 11, 2010 Share Posted November 11, 2010 just to contribute to the general knowledge of others that could read: PFMaBismAd is right in his answer: mysql_query() ... or more in general, mysql API doesn't support multi-queries, however the mysqli API support them and they can be used without problem, taking obviously the necessary precautions to sanitize and properly chain the sentences. As has been said, multi-queries have some risks and they must be used only in very specific and controlled situations where the risks are non-existent (or highly minimized). @ManiacDan "PHP by default doesn't allow two queries to be processed in the same string" that is incorrect, PHP doesn't play any role in allow or not a multi-query; is mysql API (or mysqli) the responsible for that. Link to comment https://forums.phpfreaks.com/topic/218392-multiple-query-help/#findComment-1133169 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.