cataiin Posted April 7, 2014

This creates the table and inserts only one row. After refresh, no change. But if I replace $query .= with $query = and then refresh the page (after the first row was inserted), I get all rows, but the first one duplicated. How can I fix this - to create all rows the first time the code is executed?

    $url = file_get_contents('http://lorem.ipsum');
    preg_match_all('|href/(tt\d+)|i', $url, $id);
    preg_match_all('|<div id=aba>([^<]*)</div>|i', $url, $date_and_text);
    $count = count($date_and_text[1]) - 1;
    for ($i=0; $i <= $count; $i++) {
        $date = substr($date_and_text[1][$i], 0, ;
        $text = substr($date_and_text[1][$i], 22);
        $tomorrow = date('d.m.Y', strtotime('+1 day'));
        $query = "CREATE TABLE `".$tomorrow."` (id varchar(255), date varchar(255), text varchar(255));";
        $query .= "INSERT INTO `".$tomorrow."` VALUES ('{$id[1][$i]}', '{$date}', '{$text}')";
        $send_to_mysql = mysqli_multi_query($connection, $query);
    }

Jacques1 Posted April 7, 2014

No offense, but WTF are you doing there? This is like a collection of everything you must never do when writing a web script.

So your PHP script has admin rights on the database. Then you fetch some data from an external site (through plain HTTP, I guess) and insert it straight into a multi query without any escaping or whitelisting whatsoever.

Do you not understand the implications of this? This is like a mega-SQL-injection. Not only can an attacker manipulate existing queries. They can actually write their own queries and make use of the full permissions you've granted them. Vulnerabilities like this are commonly used to take over the whole server.

If this is online, take it down immediately.

The next problem is the weird database design. But security is much more important for now.

cataiin Posted April 7, 2014

It's just an example. I want to know how to send multiple queries - in my case. Thanks.

Jacques1 Posted April 7, 2014

Example for what? Getting your server hacked?

You do not use multi-queries. At all. As I've just said, this is a gigantic security risk, because any injection vulnerability (like yours) allows the attacker to run arbitrary queries.

If you want to do a dynamic query, you use a prepared statement (http://www.php.net/manual/en/mysqli.prepare.php). And if you wanna repeat this query multiple times, you simply execute the statement multiple times.

If you show us the real code, I'm sure we can help you with it.

Edited April 7, 2014 by Jacques1
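
The approach described in the reply above, as an added example that is not part of the original thread: the table is created once outside the loop, one INSERT is prepared once and executed per row, so fetched text only ever travels as bound data. The connection credentials, the constructed sample HTML and the 10-character date prefix are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Credentials are placeholders; the
// account should hold rights on this one schema only, not admin rights.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$connection = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

// Constructed sample standing in for the fetched page. The second text
// contains quote characters that would break the concatenated query.
$html = '<a href/tt0000001>a</a><div id=aba>07.04.2014 first constructed text</div>'
      . "<a href/tt0000002>b</a><div id=aba>08.04.2014 it's \"quoted\" text</div>";

function store_rows(mysqli $connection, string $html): int
{
    preg_match_all('|href/(tt\d+)|i', $html, $id);
    preg_match_all('|<div id=aba>([^<]*)</div>|i', $html, $date_and_text);

    // Identifiers cannot be bound as parameters. This one is built from
    // date() alone, never from fetched data, so interpolating it is safe.
    $table = date('d.m.Y', strtotime('+1 day'));
    $connection->query(
        "CREATE TABLE IF NOT EXISTS `$table` "
        . "(`id` varchar(255), `date` varchar(255), `text` varchar(255))"
    );

    // Prepared once; the variables are bound by reference and re-read on
    // every execute().
    $stmt = $connection->prepare(
        "INSERT INTO `$table` (`id`, `date`, `text`) VALUES (?, ?, ?)"
    );
    $stmt->bind_param('sss', $rowId, $date, $text);

    $inserted = 0;
    $rows = min(count($id[1]), count($date_and_text[1]));
    for ($i = 0; $i < $rows; $i++) {
        $rowId = $id[1][$i];                            // limited to tt + digits by the regex
        $date  = substr($date_and_text[1][$i], 0, 10);  // assumed layout of the sample
        $text  = substr($date_and_text[1][$i], 11);     // free-form text, bound as data
        $stmt->execute();
        $inserted += $stmt->affected_rows;
    }
    $stmt->close();
    return $inserted;
}

echo store_rows($connection, $html), " rows inserted\n";
```

Because no statement text is ever assembled from the fetched page, mysqli_multi_query is not needed at all, and a quote character in the scraped text ends up stored in the row rather than terminating the query.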