SamohtVII Posted July 24, 2014 Share Posted July 24, 2014 Can someone tell me the best practice to use multiple sql statements. Right now I have a few statements I need run and it goes something like this: $sql = "UPDATE `details` SET balance=balance+$amount WHERE username = '$user'"; //Run sql statement $sql = "UPDATE `details` SET balanceAva=balance WHERE username = '$user'"; //Run sql statement etc. I have a feeling, and correct me if i'm wrong, but I can do this: $sql = "UPDATE `details` SET balance=balance+$amount WHERE username = '$user';UPDATE `details` SET balanceAva=balance WHERE username = '$user';"; And then run all that at once right? Thanks Link to comment Share on other sites More sharing options...
justsomeguy Posted July 24, 2014 Share Posted July 24, 2014 You can use this, but you're opening yourself up to SQL injection attacks if you're not sanitizing all of the inputs:http://www.php.net/manual/en/mysqli.multi-query.phpIdeally you should be using prepared statements anyway, and then sanitizing isn't an issue. Make sure you read the first note at the bottom of the page also. Link to comment Share on other sites More sharing options...
SamohtVII Posted July 25, 2014 Author Share Posted July 25, 2014 Can you elaborate or link me to some more information about sanitizing output to avoid SQL Injection. Sorry not too experienced here. Thanks Link to comment Share on other sites More sharing options...
justsomeguy Posted July 25, 2014 Share Posted July 25, 2014 There's a short article on prepared statements here:http://mattbango.com/notebook/code/prepared-statements-in-php-and-mysqli/and some more information here:http://forum.codecall.net/topic/44392-php-5-mysqli-prepared-statements/You can't use prepared statements with mysqli_multi_query though. I would suggest dropping the multiple queries and just using individual prepared statements. That's going to expose you to far fewer security issues. If you want to make sure that all of the queries execute, or more specifically that if any query has a problem then it won't change anything, then you can use transactions for that. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now