On 11/05/2007 06:14 PM, Michael Southwell wrote:
> aha, so 'SELECT name FROM wines WHERE color = "red";DELETE FROM wines'
> is two statements in mysql (failing with mysql_query) but one in mysqli?!?!
Correct, mysql_query() processes a string: 'SELECT name FROM wines WHERE color = "red";DELETE FROM wines', which is two statements. ->prepare() processes a string and returns a prepared statement object (it doesn't actually run the query), which in turn must be ->execute()d, optionally after binding parameters to its placeholders.

What they are describing in their docs is preparing more than one statement:

    // Won't work
    $query = $demo->prepare(
        'SELECT name FROM wines WHERE color = ?;DELETE FROM wines WHERE color = ?;'
    );

This is a perfect example of why prepared statements are so much better for SQL injection avoidance than straight SQL calls. When you prepare a statement (with known code / a static string), you are explicitly telling the database where and how the parameters will be used. When you bind the parameters they do not need to be escaped, because the database knows that what you are binding is what it should use for the previously identified parameter(s).

Hopefully helpful and not confusing ;-)

flav

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
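The distinction flav draws above (a statement whose shape is fixed at prepare time versus SQL text assembled from user input) can be shown end to end with a small script. The following is an added example and is not code from the thread or from the NYPHP list; it uses Python's sqlite3 module instead of PHP/mysqli because the behaviour is the same: a value bound to a ? placeholder is only ever compared as a value, however many quotes or semicolons it contains. The wines table, the sample rows and the two attacker strings are constructed for the demonstration. Single quotes are used in the SQL because SQLite may treat double-quoted strings as identifiers; the original MySQL query used "red". executescript() stands in for any API that runs several statements from one string; execute() runs a single statement, as mysql_query() did.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
WINES = [
    ("Barolo", "red"),
    ("Chianti", "red"),
    ("Riesling", "white"),
    ("Sancerre", "white"),
]

# Constructed attacker inputs. TAUTOLOGY stays a single statement and turns the
# WHERE clause into "always true"; STACKED closes the string literal and appends
# a second statement, the ";DELETE FROM wines" case discussed in the thread.
TAUTOLOGY = "red' OR '1'='1"
STACKED = "red'; DELETE FROM wines WHERE '1'='1"


def fresh_db():
    """Return an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wines (name TEXT NOT NULL, color TEXT NOT NULL)")
    conn.executemany("INSERT INTO wines (name, color) VALUES (?, ?)", WINES)
    conn.commit()
    return conn


def count_wines(conn):
    """Number of rows left in the table; used to observe a destructive payload."""
    return conn.execute("SELECT COUNT(*) FROM wines").fetchone()[0]


def names_by_color_concat(conn, color):
    """Vulnerable: the caller's text is spliced into the SQL, so the database
    parses it as SQL. Runs one statement only, like mysql_query()."""
    sql = "SELECT name FROM wines WHERE color = '" + color + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def run_concat_multi(conn, color):
    """Vulnerable: the same concatenation handed to an API that accepts several
    statements in one string. With STACKED the appended DELETE runs as well."""
    sql = "SELECT name FROM wines WHERE color = '" + color + "'"
    conn.executescript(sql)


def names_by_color_bound(conn, color):
    """Safe: the SQL text is fixed and parsed first; the value is bound to the
    ? placeholder afterwards, so it can only be compared as a string. No
    escaping of quotes or semicolons is needed."""
    sql = "SELECT name FROM wines WHERE color = ?"
    return [row[0] for row in conn.execute(sql, (color,)).fetchall()]


def demo():
    """Run each query with honest and hostile input; return the observations."""
    results = {}

    conn = fresh_db()
    results["concat_honest"] = names_by_color_concat(conn, "red")
    results["concat_tautology"] = names_by_color_concat(conn, TAUTOLOGY)
    run_concat_multi(conn, STACKED)
    results["rows_after_concat_stacked"] = count_wines(conn)

    conn = fresh_db()
    results["bound_honest"] = names_by_color_bound(conn, "red")
    results["bound_tautology"] = names_by_color_bound(conn, TAUTOLOGY)
    results["bound_stacked"] = names_by_color_bound(conn, STACKED)
    results["rows_after_bound"] = count_wines(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With concatenation, TAUTOLOGY returns every wine and STACKED empties the table once an API is willing to run more than one statement. With binding, both hostile strings are simply colours that no row has: the SELECT returns nothing and all four rows survive, which is exactly the "the database knows what you are binding is a parameter" point made above.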
