multiple php,PHP Multiple Statements

Multiple Statements

MySQL optionally allows having multiple statements in one statement string.

Sending multiple statements at once reduces client-server

round trips but requires special handling.

Multiple statements or multi queries must be executed

with

The MySQL server allows having statements that do return result sets and

statements that do not return result sets in one multiple statement.

Example #1 Multiple Statements

$mysqli= newmysqli("example.com","user","password","database");

if ($mysqli->connect_errno) {

echo"Failed to connect to MySQL: (".$mysqli->connect_errno.") ".$mysqli->connect_error;

}

if (!$mysqli->query("DROP TABLE IF EXISTS test") || !$mysqli->query("CREATE TABLE test(id INT)")) {

echo"Table creation failed: (".$mysqli->errno.") ".$mysqli->error;

}$sql="SELECT COUNT(*) AS _num FROM test; ";$sql.="INSERT INTO test(id) VALUES (1); ";$sql.="SELECT COUNT(*) AS _num FROM test; ";

if (!$mysqli->multi_query($sql)) {

echo"Multi query failed: (".$mysqli->errno.") ".$mysqli->error;

}

do {

if ($res=$mysqli->store_result()) {var_dump($res->fetch_all(MYSQLI_ASSOC));$res->free();

}

} while ($mysqli->more_results() &&$mysqli->next_result());?>

以上例程会输出：

array(1) {

[0]=>

array(1) {

["_num"]=>

string(1) "0"

}

}

array(1) {

[0]=>

array(1) {

["_num"]=>

string(1) "1"

}

}

Security considerations

The API functions ; DROP DATABASE mysql or ; SELECT SLEEP(999).

If the attacker succeeds in adding SQL to the statement string but

mysqli_multi_query is not used, the server will not

execute the second, injected and malicious SQL statement.

Example #2 SQL Injection

$mysqli= newmysqli("example.com","user","password","database");$res=$mysqli->query("SELECT 1; DROP TABLE mysql.user");

if (!$res) {

echo"Error executing query: (".$mysqli->errno.") ".$mysqli->error;

}?>

以上例程会输出：

Error executing query: (1064) You have an error in your SQL syntax;

check the manual that corresponds to your MySQL server version for the right syntax

to use near 'DROP TABLE mysql.user' at line 1

Prepared statements

Use of the multiple statement with prepared statements is not supported.

See also

mysqli_result::next-result()

mysqli_result::more-results()