php-db
Re: [PHP-DB] Re: Batch queries in the same mysql_query()
by Denio Mariz other posts by this author
Jun 28 2005 6:02AM messages near this date
Thank you, Dave.

The manual pages didn't say anything about the content of the query
parameter, but there is a (good) comment from kagekonjou@gmail about how to
escape dangerous characters from the input.

Yes, there is a risk of SQL injection by allowing the use of ";"
inside queries. But I think that this would be a user decision, not a
PHP decision (note that MySQL allows the use of ";" on a single line).

In summary, if PHP is trying to introduce security, it should use a
default behavior to apply it, but also should let the user control
this option. For example, what if I am not reading query parameters
from the user or browser?

Thanks again,

Denio 

On 6/28/05, David Robley <robleyd@[...].au>  wrote:
>  Denio Mariz wrote:
>  
>  > Hi,
>  >
>  > I'm trying to execute multiple queries using mysql_query() function and
>  > I'm getting an error to check SQL syntax.
>  > My PHP code looks like:
>  >
>  > //-------------------------
>  > $sql="select x from y ; insert into y values ( 1, 2 )";
>  > mysql_query( $sql ) or die( mysql_error() );
>  > //-------------------------
>  >
>  > Maybe the problem resides in the character ";", but these queries run
>  > without problems when typed into the "mysql" command-line tool. So, if it works
>  > on the "mysql" command line, why doesn't it work using mysql_query()?
>  >
>  > Any hint ?
>  >
>  If you look at php.net/mysql_query it will tell you that the query shouldn't
>  end with a semicolon ";". What it really should say is the query shouldn't
>  _contain_ a semicolon. This is PHP attempting to protect you from SQL
>  injection.
>  
>  Just do a separate mysql_query for each query.
>  
>  
>  
>  Cheers
>  --
>  David Robley
>  
>  Friction can be a drag sometimes.
>  
>  --
>  PHP Database Mailing List (http://www.php.net/)
>  To unsubscribe, visit: http://www.php.net/unsub.php
>  
>  


-- 

Denio.

...................................................................
Denio Mariz
Teacher, CEFETPB
Researcher, GPRT/UFPE, Brazil

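As an added example (not code from this thread), the two statements from the original question executed as separate mysqli prepared statements inside one transaction, which is the "separate mysql_query for each query" advice in a form that also keeps any browser-supplied values out of the SQL text; the connection details, table and column names are assumed placeholders.

```php
<?php
// Added example, not from the thread: run the two statements from the
// original question as separate calls instead of one ";"-joined string.
// Connection details and the table/column names are assumed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

/**
 * Reads all x values from y, then inserts one row, as two statements.
 * $a and $b are bound as parameters, so a value containing ";" or a quote
 * that arrives from a browser is stored as data, never parsed as SQL.
 */
function read_then_insert(mysqli $db, int $a, int $b): array
{
    $db->begin_transaction();
    try {
        // Statement 1: the SELECT part of the original query.
        $select = $db->prepare('SELECT x FROM y');
        $select->execute();
        $rows = $select->get_result()->fetch_all(MYSQLI_ASSOC);
        $select->close();

        // Statement 2: the INSERT part, with placeholders instead of literals.
        $insert = $db->prepare('INSERT INTO y VALUES (?, ?)');
        $insert->bind_param('ii', $a, $b);
        $insert->execute();
        $insert->close();

        $db->commit();
        return $rows;
    } catch (mysqli_sql_exception $e) {
        $db->rollback(); // neither statement takes effect if either fails
        throw $e;
    }
}

// If several statements in one call are genuinely wanted, mysqli offers that
// as an explicit opt-in ($db->multi_query(...)); keep user-supplied values out
// of that string, since a ";" inside the input would then start a new statement.
$rows = read_then_insert($db, 1, 2);
printf("%d row(s) read before the insert\n", count($rows));
```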