tags:

views:

37

answers:

4
+1  Q: 

seperated mysql statement query in php

So, I can run the following statements from within mysql itself successfully.

SET @fname = 'point1';
SELECT * FROM country WHERE name=@fname;`

But when I try to pass the query through php like this and run it, I get an error on the second line

$query = "SET @fname = 'point1';";

$query  .=  "SELECT * FROM country WHERE name=@fname;";
+1  A: 

I am not certain why it fails, but rather than writing it with MySQL variables, why not use PHP variables?

In other words, 

$fname = 'point1';
$query = "select * from country where name = '$fname'";

And the normal warning against SQL injection applies, of course.

MJB  2010-05-19 15:48:50
Could also use a prepared statement which would kill SQL injection altogether
Pier-Luc Gendreau  2010-05-19 15:57:54
Yeah, I agree. I was trying to keep it simple.
MJB  2010-05-19 16:17:49
+2  A: 

You can't run multiple statements through PHP's mysql libraries without using a special function. But your SQL variable should persist through your connection, so instead of concatenating the strings and running once, execute each statement separately.

Matt S  2010-05-19 15:49:21
I didn't know they would persist. In Oracle they die (AFAIK)
MJB  2010-05-19 15:50:15
Special function meaning code that parses and separates your statements and runs the queries separately for you.
webbiedave  2010-05-19 15:52:28
There is the mysqli_multi_query function, but I don't recommend it.
Matt S  2010-05-19 15:56:17
A: 

Also have a look at this and this comments at mysql_query() doc page.

hudolejev  2010-05-19 15:50:54
+1  A: 

PHP's mysql drivers do not allow multiple queries to be executed from a single query function call as a security measure. It's a partial mitigation against the worst of SQL injection attacks, making the classic XKCD Bobby Tables attack ineffective.

That's not to say that it makes injection attacks impossible - it just makes the multi-query version of the attacks impossible.

Marc B  2010-05-19 17:58:18

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases