>> I would like to send multiple SQL statements using the C
>> API mysql_query. I have a large string with 20 SQL statements. When
>> I call mysql_query with that string, only the first one is processed.
>>
>> Is there a way to do what I'm doing without separating the statements
>> into individual calls to mysql_query?
>
>I believe this is not possible. If it were, it would give lots of people
>many hours of headache. Imagine a badly written script, where you can
>"escape out" from the original query, like
>update articles set author='$author'
>If you can make several statements with one query, you could make
>$author = "whatever'; drop database"
It's STILL dangerous even without being able to insert a separate
query. Granted, with a select the attacker could probably only dump
your entire database, using something like
$author = "whatever' or 1"
If you have a MySQL-driven web page and putting special characters
like single quotes into an input field can draw SQL errors, you've
got a BIG problem, unless you really don't care about having your
site and/or database hacked (In which case I'd prefer you take it
down, as I don't want SPAM relayed through your site showing up in
my mailbox.) Quote your input properly (as with mysql_escape_string())
or validate it before feeding it to MySQL.
Also, be very careful about allowing stuff INTO your database which
will be blatted out unchecked into a web page. It's easy to insert
malicious Javascript or an offensive banner ad into even a moderately
long text field, like one intended for a Subject: line.
Gordon L. Burditt
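The quoting advice above, as an added example that is not from this thread or the MySQL client library: a C stand-in for mysql_escape_string() (the real function needs the client library, so its escaping rules are reimplemented here), the thread's UPDATE built with and without it, and a helper that decodes the first literal the way the server would, so you can see what the two quoted payloads end up as, data or SQL. Table and column names are the ones in the quoted post.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for mysql_escape_string(): backslash-escapes NUL, \n, \r, \\, ', "
 * and Ctrl-Z. Real code should call mysql_real_escape_string() on a connection. */
size_t escape_for_mysql(char *to, const char *from, size_t len)
{
    char *p = to;                           /* `to` must hold 2*len+1 bytes */
    for (size_t i = 0; i < len; i++) {
        char c = from[i], e = 0;
        switch (c) {
        case '\0': e = '0'; break;   case '\n': e = 'n'; break;
        case '\r': e = 'r'; break;   case '\\': e = '\\'; break;
        case '\'': e = '\''; break;  case '"': e = '"'; break;
        case '\x1a': e = 'Z'; break;
        }
        if (e) { *p++ = '\\'; *p++ = e; } else *p++ = c;
    }
    *p = '\0';
    return (size_t)(p - to);
}
/* The thread's UPDATE: escape=0 is the vulnerable interpolation, escape=1
 * quotes the value as the reply recommends. Returns 0 if it does not fit. */
int build_update(char *out, size_t cap, const char *author, int escape)
{
    char buf[512];
    if (escape) {
        if (2 * strlen(author) + 1 > sizeof buf) return 0;
        escape_for_mysql(buf, author, strlen(author));
        author = buf;
    }
    return snprintf(out, cap, "update articles set author='%s'", author) < (int)cap;
}

/* Decodes the first single-quoted literal as the server would (undoing the
 * escapes) into lit; returns the text after it, which the server runs as SQL. */
const char *first_literal(const char *q, char *lit, size_t cap)
{
    const char *p = strchr(q, '\'');
    size_t n = 0;
    if (!p) return NULL;
    for (p++; *p && *p != '\''; p++) {
        char c = *p;
        if (c == '\\' && p[1])                  /* undo the \x escape */
            c = *++p == '0' ? '\0' : *p == 'n' ? '\n' : *p == 'r' ? '\r'
              : *p == 'Z' ? '\x1a' : *p;
        if (n + 1 < cap) lit[n++] = c;
    }
    lit[n] = '\0';
    return *p == '\'' ? p + 1 : p;
}
```

With the raw interpolation the literal ends at the attacker's quote and "; drop database'" is left over as SQL; with escaping the whole input comes back as the author value and nothing follows the literal.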