Jump to content

Multiple sql statements.


SamohtVII

Recommended Posts

Can someone tell me the best practice to use multiple sql statements.

 

Right now I have a few statements I need run and it goes something like this:

 

$sql = "UPDATE `details` SET balance=balance+$amount WHERE username = '$user'";

//Run sql statement

$sql = "UPDATE `details` SET balanceAva=balance WHERE username = '$user'";

//Run sql statement

 

etc.

 

I have a feeling, and correct me if i'm wrong, but I can do this:

$sql = "UPDATE `details` SET balance=balance+$amount WHERE username = '$user';UPDATE `details` SET balanceAva=balance WHERE username = '$user';";

And then run all that at once right?

 

Thanks

Link to comment
Share on other sites

You can use this, but you're opening yourself up to SQL injection attacks if you're not sanitizing all of the inputs:http://www.php.net/manual/en/mysqli.multi-query.phpIdeally you should be using prepared statements anyway, and then sanitizing isn't an issue. Make sure you read the first note at the bottom of the page also.

Link to comment
Share on other sites

There's a short article on prepared statements here:http://mattbango.com/notebook/code/prepared-statements-in-php-and-mysqli/and some more information here:http://forum.codecall.net/topic/44392-php-5-mysqli-prepared-statements/You can't use prepared statements with mysqli_multi_query though. I would suggest dropping the multiple queries and just using individual prepared statements. That's going to expose you to far fewer security issues. If you want to make sure that all of the queries execute, or more specifically that if any query has a problem then it won't change anything, then you can use transactions for that.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...