mysqli_multi query save only one row...


cataiin

This creates the table and inserts only one row. After a refresh, there is no change. But if I replace $query .= with $query = and then refresh the page (after the first row was inserted), I get all rows, but the first one is duplicated.

How can I fix this - to create all rows the first time the code is executed?

$url = file_get_contents('http://lorem.ipsum');
preg_match_all('|href/(tt\d+)|i', $url, $id);
preg_match_all('|<div id=aba>([^<]*)</div>|i', $url, $date_and_text);
$count = count($date_and_text[1]) - 1;
for ($i=0; $i <= $count; $i++)
{
   $date = substr($date_and_text[1][$i], 0, ;
   $text = substr($date_and_text[1][$i], 22);
   $tomorrow = date('d.m.Y', strtotime('+1 day'));
   $query = "CREATE TABLE `".$tomorrow."` (id varchar(255), date varchar(255), text varchar(255));";
   $query .= "INSERT INTO `".$tomorrow."` VALUES ('{$id[1][$i]}', '{$date}', '{$text}')";
   $send_to_mysql = mysqli_multi_query($connection, $query);
}

No offense, but WTF are you doing there? This is like a collection of everything you must never do when writing a web script.

 

So your PHP script has admin rights on the database. Then you fetch some data from an external site (through plain HTTP, I guess) and insert it straight into a multi query without any escaping or whitelisting whatsoever.

 

Do you not understand the implications of this? This is like a mega-SQL-injection. Not only can an attacker manipulate existing queries. They can actually write their own queries and make use of the full permissions you've granted them. Vulnerabilities like this are commonly used to take over the whole server. If this is online, take it down immediately.

 

The next problem is the weird database design. But security is much more important for now.


Example for what? Getting your server hacked?

 

You do not use multi-queries. At all. As I've just said, this is a gigantic security risk, because any injection vulnerability (like yours) allows the attacker to run arbitrary queries.

 

If you want to do a dynamic query, you use a prepared statement (http://www.php.net/manual/en/mysqli.prepare.php). And if you wanna repeat this query multiple times, you simply execute the statement multiple times.

 

If you show us the real code, I'm sure we can help you with it.

Edited by Jacques1
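
The approach described in the reply above (one prepared statement, executed once per row), as an added example that is not part of the original thread. The `scraped_items` table, its columns, the `insert_rows` helper, the sample rows and the connection credentials are assumptions; the table is assumed to exist already, so the script's database account needs only INSERT on it.

```php
<?php
// Added example, not code from the thread. Table, columns and credentials
// are assumptions; the table is created once, outside the web script.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw

function insert_rows(mysqli $db, array $rows): int
{
    // Constant SQL text: scraped data is never concatenated into it.
    $stmt = $db->prepare(
        'INSERT INTO scraped_items (id, item_date, item_text) VALUES (?, ?, ?)'
    );
    $id = $date = $text = '';
    $stmt->bind_param('sss', $id, $date, $text); // bound by reference

    $inserted = 0;
    $db->begin_transaction();
    try {
        foreach ($rows as $row) {
            // Whitelist the ID shape the scraper expects (tt + digits).
            if (!preg_match('/\Att\d+\z/', $row['id'])) {
                continue;
            }
            $id = $row['id'];
            $date = $row['date'];
            $text = $row['text'];
            $stmt->execute(); // same statement, new values
            $inserted++;
        }
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback(); // all rows or none
        throw $e;
    } finally {
        $stmt->close();
    }
    return $inserted;
}

// Constructed sample rows standing in for the scraped values.
$rows = [
    ['id' => 'tt0000001', 'date' => '01.01.2015', 'text' => 'plain text'],
    ['id' => 'tt0000002', 'date' => '01.01.2015', 'text' => "quote ' and ; stay data"],
    ['id' => "tt3'; --", 'date' => '01.01.2015', 'text' => 'rejected by the ID check'],
];

// Placeholder credentials for an account limited to INSERT on this table.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
echo insert_rows($db, $rows), " rows inserted\n";
```

Because `mysqli::prepare()` accepts a single statement, a value containing a quote or semicolon can only ever be stored as data, never executed as a second query.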