Re: [PHP-DB] Re: Batch queries in the same mysql_query()

2005-06-28 Thread Denio Mariz
Thank you, Dave.

The manual pages didn't say anything about the content of the query
parameter, but there is a (good) comment from [EMAIL PROTECTED] about how to
escape dangerous characters in the input.

Yes, there is a risk of SQL injection by allowing the use of ";"
inside queries. But I think that this would be a user decision, not a
PHP decision (note that MySQL allows the use of ";" on a single line).

In summary, if PHP is trying to introduce security, it should use a
default behavior to apply it, but it should also let the user control
this option. For example, what if I am not reading query parameters
from the user or browser?

Thanks again,

Denio 

On 6/28/05, David Robley <[EMAIL PROTECTED]> wrote:
> Denio Mariz wrote:
> 
> > Hi,
> >
> > I'm trying to execute multiple queries using mysql_query() function and
> > I'm getting an error to check SQL syntax.
> > My PHP code looks like:
> >
> > //-
> > $sql="select x from y ; insert into y values ( 1, 2 )";
> > mysql_query( $sql ) or die( mysql_error() );
> > //-
> >
> > Maybe the problem resides in the character ";", but these queries run
> > without problems when typed in the "mysql" command-line tool. So, if it works
> > on the "mysql" command line, why doesn't it work using mysql_query()?
> >
> > Any hint?
> >
> If you look at php.net/mysql_query it will tell you that the query shouldn't
> end with a semicolon ";". What it really should say is the query shouldn't
> _contain_ a semicolon. This is PHP attempting to protect you from SQL
> injection.
> 
> Just do a separate mysql_query for each query.
> 
> 
> 
> Cheers
> --
> David Robley
> 
> Friction can be a drag sometimes.
> 
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 


-- 

Denio.

...
Denio Mariz
Teacher, CEFETPB
Researcher, GPRT/UFPE, Brazil




[PHP-DB] Re: Batch queries in the same mysql_query()

2005-06-28 Thread David Robley
Denio Mariz wrote:

> Hi,
> 
> I'm trying to execute multiple queries using mysql_query() function and
> I'm getting an error to check SQL syntax.
> My PHP code looks like:
> 
> //-
> $sql="select x from y ; insert into y values ( 1, 2 )";
> mysql_query( $sql ) or die( mysql_error() );
> //-
> 
> Maybe the problem resides in the character ";", but these queries run
> without problems when typed in the "mysql" command-line tool. So, if it works
> on the "mysql" command line, why doesn't it work using mysql_query()?
> 
> Any hint?
> 
If you look at php.net/mysql_query it will tell you that the query shouldn't
end with a semicolon ";". What it really should say is the query shouldn't
_contain_ a semicolon. This is PHP attempting to protect you from SQL
injection.

Just do a separate mysql_query for each query.



Cheers
-- 
David Robley

Friction can be a drag sometimes.

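The two points made in this thread, one statement per call and keeping user-supplied values out of the SQL text, shown as an added example (not code posted by either author) using the mysqli extension that superseded mysql_query(); the connection credentials and the table y with integer column x are assumptions.

```php
<?php
// Added example for this thread, not code posted by either author.
// Assumptions: a reachable MySQL server with the placeholder credentials
// below, and a table y with an integer column x (as in the original post).

$db = new mysqli('localhost', 'dbuser', 'dbpassword', 'testdb');
if ($db->connect_error) {
    die("connect failed: " . $db->connect_error . "\n");
}

// 1. What the original poster tried: two statements in one call.
//    mysqli::query(), like mysql_query(), sends one statement per call,
//    so the server answers with a syntax error at the ';'.
$batch = "select x from y ; insert into y values ( 1, 2 )";
if ($db->query($batch) === false) {
    echo "batch rejected: " . $db->error . "\n";
}

// 2. The advice from the reply: one query() call per statement.
$result = $db->query("select x from y");
if ($result === false) {
    die("select failed: " . $db->error . "\n");
}
while ($row = $result->fetch_assoc()) {
    echo "x = " . $row['x'] . "\n";
}
$result->free();
if ($db->query("insert into y values ( 1, 2 )") === false) {
    die("insert failed: " . $db->error . "\n");
}

// 3. The injection concern: a ';' only matters when a value is spliced into
//    the SQL text, e.g. "select x from y where x = " . $_GET['x'].
//    A prepared statement sends the value separately from the SQL, so the
//    whole string, semicolon included, is compared as one literal value
//    and is never parsed as SQL.
$userValue = "1 ; 2";   // constructed stand-in for a request parameter
$stmt = $db->prepare("select x from y where x = ?");
$stmt->bind_param('s', $userValue);
$stmt->execute();
$stmt->bind_result($x);
$matches = 0;
while ($stmt->fetch()) {
    $matches++;
}
$stmt->close();
echo "rows matching the literal value: $matches\n";

$db->close();
```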