简体   繁体   中英

executing multi query in mysql_query() function

suppose i have a query like this :

$std_id =   $_POST['std_id'];
$name   =   $_POST['name'];
$family =   $_POST['family'];

$sql    =   "insert into student set
 std_id =   $std_id,
 name   =   '$name',
 family =   '$family'"; 
$query  =   mysql_query($sql,$conn); 

i read in a php security book that if user enter a value for family field like :

ahmad';drop database test#

can delete database test;

but we know that the mysql_query() function only allow to execute one query .
i want to know how can this input to be unsafe

Just worrying about multiple queries is not enough to protect SQL Security ... There are so many questions / answers on SO for you to read about this subject ..

Also good resources on php.net

There are many delusions in your question.
Let's sort them out.

  1. mysql_query() doesn't support multiple queries execution.
    (so, it is useless to delete anything)
  2. dropping tables in the separate query is not the only way of the SQL injection.
    (so, it is useless to delete anything again)
  3. To protect your query you have to follow some well-known techniques, not some handmade inventions of doubtful efficiency.

Using multiple queries separated by a semicolon is not the only way to exploit your queries, it is just a very simple example. It will work, when you are using mysqli_multi_query() .

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM