Multiple Statements
MySQL optionally allows having multiple statements in one statement string.
Sending multiple statements at once reduces client-server
round trips but requires special handling.
Multiple statements or multi queries must be executed
with
The MySQL server allows having statements that do return result sets and
statements that do not return result sets in one multiple statement.
Example #1 Multiple Statements
$mysqli= newmysqli("example.com","user","password","database");
if ($mysqli->connect_errno) {
echo"Failed to connect to MySQL: (".$mysqli->connect_errno.") ".$mysqli->connect_error;
}
if (!$mysqli->query("DROP TABLE IF EXISTS test") || !$mysqli->query("CREATE TABLE test(id INT)")) {
echo"Table creation failed: (".$mysqli->errno.") ".$mysqli->error;
}$sql="SELECT COUNT(*) AS _num FROM test; ";$sql.="INSERT INTO test(id) VALUES (1); ";$sql.="SELECT COUNT(*) AS _num FROM test; ";
if (!$mysqli->multi_query($sql)) {
echo"Multi query failed: (".$mysqli->errno.") ".$mysqli->error;
}
do {
if ($res=$mysqli->store_result()) {var_dump($res->fetch_all(MYSQLI_ASSOC));$res->free();
}
} while ($mysqli->more_results() &&$mysqli->next_result());?>
以上例程会输出:
array(1) {
[0]=>
array(1) {
["_num"]=>
string(1) "0"
}
}
array(1) {
[0]=>
array(1) {
["_num"]=>
string(1) "1"
}
}
Security considerations
The API functions ; DROP DATABASE mysql or ; SELECT SLEEP(999).
If the attacker succeeds in adding SQL to the statement string but
mysqli_multi_query is not used, the server will not
execute the second, injected and malicious SQL statement.
Example #2 SQL Injection
$mysqli= newmysqli("example.com","user","password","database");$res=$mysqli->query("SELECT 1; DROP TABLE mysql.user");
if (!$res) {
echo"Error executing query: (".$mysqli->errno.") ".$mysqli->error;
}?>
以上例程会输出:
Error executing query: (1064) You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax
to use near 'DROP TABLE mysql.user' at line 1
Prepared statements
Use of the multiple statement with prepared statements is not supported.
See also
mysqli_result::next-result()
mysqli_result::more-results()