List: General Discussion
From: Gordon Burditt
Date: November 22 2001 8:15pm
Subject: Re: How to send multiple SQL statements using C API mysql_query?
>> I would like to send multiple SQL statements using the C
>> API mysql_query.  I have a large string with 20 SQL statements.  When
>> I call mysql_query with that string, only the first one is processed.
>> 
>> Is there a way to do what I'm doing without separating the statements
>> into individual calls to mysql_query?
>
>I believe this is not possible. If it were, it would give lots of people
>many hours of headache. Imagine a badly written script, where you can
>"escape out" from the original query, like

>update articles set author='$author'

>If you can make several statements with one query, you could make

>$author = "whatever'; drop database"

It's STILL dangerous even without being able to insert a separate
query.  Granted, with a select the attacker could probably only dump
your entire database, using something like 
	$author = "whatever' or 1"

If you have a MySQL-driven web page and putting special characters
like single quotes into an input field can draw SQL errors, you've
got a BIG problem, unless you really don't care about having your
site and/or database hacked (In which case I'd prefer you take it
down, as I don't want SPAM relayed through your site showing up in
my mailbox.)  Quote your input properly (as with mysql_escape_string())
or validate it before feeding it to MySQL.

Also, be very careful about allowing stuff INTO your database which
will be blatted out unchecked into a web page.  It's easy to insert
malicious Javascript or an offensive banner ad into even a moderately
long text field, like one intended for a Subject: line.

					Gordon L. Burditt
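
The quoting advice above, as an added example that is not part of the original message: the thread's update statement built with and without escaping for the input `whatever' or 1`. `escape_string` and `build_update` are hypothetical names, and `escape_string` is a stand-in written here so the block runs without the MySQL client library; it covers the characters mysql_escape_string() escapes.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the client library's escaping (assumption: written for this
 * example so it runs without libmysqlclient). Escapes NUL, \n, \r, Ctrl-Z,
 * backslash, single and double quote. dst must hold 2*len+1 bytes. */
size_t escape_string(char *dst, const char *src, size_t len)
{
    char *p = dst;
    for (size_t i = 0; i < len; i++) {
        char c = src[i], e = 0;
        switch (c) {
        case '\0': e = '0'; break;
        case '\n': e = 'n'; break;
        case '\r': e = 'r'; break;
        case 26:   e = 'Z'; break;            /* Ctrl-Z */
        case '\\': case '\'': case '"': e = c; break;
        }
        if (e) { *p++ = '\\'; *p++ = e; }
        else   { *p++ = c; }
    }
    *p = '\0';
    return (size_t)(p - dst);
}

/* Builds the update statement quoted in the thread.
 * quote == 0 pastes the input in raw (the unsafe path), quote != 0 escapes it.
 * Returns 0 on success, -1 if the input is too long or the query does not fit. */
int build_update(char *out, size_t outsz, const char *author, int quote)
{
    char esc[2 * 256 + 1];
    size_t len = strlen(author);
    if (len > 256) return -1;                 /* validate length before use */
    if (quote) escape_string(esc, author, len);
    else       memcpy(esc, author, len + 1);
    int n = snprintf(out, outsz, "update articles set author='%s'", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    const char *input = "whatever' or 1";     /* value from the message above */
    char q[1024];
    if (build_update(q, sizeof q, input, 0) == 0) printf("unquoted: %s\n", q);
    if (build_update(q, sizeof q, input, 1) == 0) printf("quoted:   %s\n", q);
    return 0;
}
```

In the unquoted statement the input's single quote ends the string literal and `or 1` is parsed as SQL; in the quoted one the whole input stays inside the literal. In a program linked against the client library, call the library's own escaping function instead of the stand-in; mysql_real_escape_string() also takes the connection's character set into account.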