>> I would like to send multiple SQL statements using the C
>> API mysql_query. I have a large string with 20 SQL statements. When
>> I call mysql_query with that string, only the first one is processed.
>>
>> Is there a way to do what I'm doing without separating the statements
>> into individual calls to mysql_query?
>
> I believe this is not possible. If it were, it would give lots of people
> many hours of headache. Imagine a badly written script, where you can
> "escape out" from the original query, like
>
> update articles set author='$author'
>
> If you can make several statements with one query, you could make
> $author = "whatever'; drop database"

It's STILL dangerous even without being able to insert a separate query.
Granted, with a select the attacker could probably only dump your entire
database, using something like

$author = "whatever' or 1"

If you have a MySQL-driven web page and putting special characters like
single quotes into an input field can draw SQL errors, you've got a BIG
problem, unless you really don't care about having your site and/or database
hacked (in which case I'd prefer you take it down, as I don't want SPAM
relayed through your site showing up in my mailbox.)

Quote your input properly (as with mysql_escape_string()) or validate it
before feeding it to MySQL.

Also, be very careful about allowing stuff INTO your database which will be
blatted out unchecked into a web page. It's easy to insert malicious
Javascript or an offensive banner ad into even a moderately long text field,
like one intended for a Subject: line.

Gordon L. Burditt
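The two defences named in the reply, escaping the value before it goes into a quoted literal and validating it against an allow-list, as an added example written for this page (it is not code from the thread, from libmysqlclient, or from any poster). The escaping routine is a stand-alone re-implementation of the rules documented for mysql_escape_string() so that it compiles without a MySQL client library; the UPDATE shape is the one from the post, the 64-byte allow-list is an assumed policy, and the "whatever' or 1" input is the constructed sample the reply mentions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define QUERY_MAX 256

/* Escape `in` for use inside a single-quoted MySQL string literal.
 * Stand-alone re-implementation written for this example: it follows the
 * escaping rules documented for mysql_escape_string() (NUL, newline, carriage
 * return, backslash, single quote, double quote and Ctrl-Z get a backslash
 * prefix). It is NOT the libmysqlclient function and knows nothing about the
 * connection character set, which is why mysql_real_escape_string() is the
 * right call on a live connection. Returns the escaped length, or (size_t)-1
 * when `out` (outlen bytes) cannot hold the result plus terminator. */
size_t escape_sql_literal(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        char rep = 0;                      /* char to emit after '\\'; 0 = copy as is */
        switch (c) {
        case 0:      rep = '0';  break;
        case '\n':   rep = 'n';  break;
        case '\r':   rep = 'r';  break;
        case '\\':   rep = '\\'; break;
        case '\'':   rep = '\''; break;
        case '"':    rep = '"';  break;
        case '\032': rep = 'Z';  break;
        default:     break;
        }
        size_t need = rep ? 2 : 1;
        if (o + need + 1 > outlen)         /* +1 keeps room for the terminator */
            return (size_t)-1;
        if (rep) { out[o++] = '\\'; out[o++] = rep; }
        else     { out[o++] = (char)c; }
    }
    out[o] = '\0';
    return o;
}

/* Build the UPDATE from the thread with the author value escaped.
 * Returns 0 and fills `query` on success, -1 if either buffer is too small. */
int build_author_update(const char *author, char *query, size_t qlen)
{
    char esc[QUERY_MAX];
    if (escape_sql_literal(author, strlen(author), esc, sizeof esc) == (size_t)-1)
        return -1;
    int n = snprintf(query, qlen, "update articles set author='%s'", esc);
    return (n < 0 || (size_t)n >= qlen) ? -1 : 0;
}

/* Allow-list validator, the alternative the reply mentions (policy assumed
 * here): letters, digits, space, period and hyphen only, 1..64 bytes. Quotes,
 * semicolons and everything else are rejected before a query is built. */
int is_valid_author(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == ' ' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Helpers returning 1 when the escaped text / built query equals `expected`. */
int escaped_equals(const char *in, const char *expected)
{
    char buf[QUERY_MAX];
    if (escape_sql_literal(in, strlen(in), buf, sizeof buf) == (size_t)-1) return 0;
    return strcmp(buf, expected) == 0;
}

int update_query_equals(const char *author, const char *expected)
{
    char q[QUERY_MAX];
    if (build_author_update(author, q, sizeof q) != 0) return 0;
    return strcmp(q, expected) == 0;
}

int main(void)
{
    /* Constructed input in the shape of the reply's "whatever' or 1" example. */
    const char *hostile = "whatever' or 1";
    char q[QUERY_MAX];

    printf("naive:    update articles set author='%s'\n", hostile);
    if (build_author_update(hostile, q, sizeof q) == 0)
        printf("escaped:  %s\n", q);
    printf("allow-list accepts it: %s\n", is_valid_author(hostile) ? "yes" : "no");
    return 0;
}
```

Run as is, the naive line shows the quote closing the literal early while the escaped line keeps the whole value inside one literal, and the allow-list rejects it outright. The escaped form is what a correct mysql_escape_string() call produces; on a real connection use mysql_real_escape_string() so the escaping matches the connection's character set.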