Thank you, Dave. The manual pages didn't say anything about the content of the query parameter, but a (good) comment from [EMAIL PROTECTED] about how to escape dangerous characters from the input.
Yes, there is a risk of SQL injection by allowing the use of ";" inside queries. But I think that this would be a user decision, not a PHP decision (note that MySQL allows the use of ";" in a unique line). In summary, if PHP is trying to introduce security, it should use a default behavior to apply it, but also should let the user control this option. For example, what if I am not reading query parameters from the user or browser?

Thanks again,
Denio

On 6/28/05, David Robley <[EMAIL PROTECTED]> wrote:
> Denio Mariz wrote:
>
> > Hi,
> >
> > I'm trying to execute multiple queries using mysql_query() function and
> > I'm getting an error to check SQL syntax.
> > My PHP code looks like:
> >
> > //-------------------------
> > $sql="select x from y ; insert into y values ( 1, 2 )";
> > mysql_query( $sql ) or die( mysql_error() );
> > //-------------------------
> >
> > Maybe the problem resides on the character ";", but these queries run
> > without problems when typed on "mysql" command-line tool. So, if it works
> > on "mysql" command line, why it doesn't work using mysql_query() ?
> >
> > Any hint ?
>
>
> If you look at php.net/mysql_query it will tell you that the query shouldn't
> end with a semicolon ";" What it really should say is the query shouldn't
> _contain_ a semicolon. This is PHP attempting to protect you from SQL
> injection.
>
> Just do a separate mysql_query for each query.
>
> Cheers
> --
> David Robley
>
> Friction can be a drag sometimes.
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Denio.
...................................................................
Denio Mariz
Teacher, CEFETPB
Researcher, GPRT/UFPE, Brazil
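The one-statement-per-call rule discussed in this thread, as an added example that is not from either poster or from PHP. It uses Python's built-in sqlite3 module as a stand-in (an assumption, chosen so it runs without a MySQL server) because its execute() also accepts only one statement per call, and it shows that the rule stops a ";"-stacked payload but not injection inside a single statement, which still needs bound parameters. The table contents and input strings are constructed.

```python
import sqlite3

def make_db():
    """Constructed sample table y, named after the table in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE y (x INTEGER, name TEXT)")
    db.executemany("INSERT INTO y VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def lookup_concat(db, name):
    """Unsafe: input is pasted into the SQL text of a single-statement call."""
    return db.execute("SELECT x FROM y WHERE name = '" + name + "'").fetchall()

def lookup_bound(db, name):
    """Safe: input is bound as a parameter and is never parsed as SQL."""
    return db.execute("SELECT x FROM y WHERE name = ?", (name,)).fetchall()

def stacked_is_rejected(db, name):
    """True if the single-statement API refuses a ';'-stacked input."""
    try:
        lookup_concat(db, name)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3 reports "You can only execute one statement at a time"
        # (Warning before Python 3.12, ProgrammingError from 3.12 on).
        return True
    return False

def run_trusted_batch(db):
    """Explicit opt-in for several statements: fixed, developer-written SQL only."""
    db.executescript(
        "INSERT INTO y VALUES (3, 'carol'); INSERT INTO y VALUES (4, 'dave');"
    )
    return db.execute("SELECT COUNT(*) FROM y").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    # Stacked statement: refused by the API, nothing is executed.
    print(stacked_is_rejected(db, "x'; INSERT INTO y VALUES (9, 'evil'); --"))
    # Same unsafe function, no ';' needed: the WHERE clause is rewritten.
    print(lookup_concat(db, "nobody' OR '1'='1"))
    # Bound parameter: the same input is just a name that matches no row.
    print(lookup_bound(db, "nobody' OR '1'='1"))
    # Multi-statement execution as a deliberate choice for trusted SQL.
    print(run_trusted_batch(db))
```
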