Re: PS Re: GUI designer in html [message #182481 is a reply to message #182467]
Wed, 07 August 2013 16:51
bill
Messages: 310 Registered: October 2010
On 2013-08-05 7:32 PM, The Natural Philosopher wrote:
....
>>>
>>> The MySQL server allows having statements that do return result sets and
>>> statements that do not return result sets in one multiple statement.
>>> "
>>>
>>
>> You need to scroll down to the middle of the page and read
>> *Security considerations* and *Example #2*.
>>
>>
> Furthermore the manual for mysql_query (as opposed to mysqli_query)
> actually states:
>
> "*mysql_query()* sends a unique query *(multiple queries are not
> supported)* to the currently active database on the server that's
> associated with the specified /|link_identifier|/. "
Yes, that's true. As a relative newcomer to PHP, and given that MySQL
is being deprecated, as long as mysqli is available on my servers,
wouldn't it be wise to go in the mysqli direction?
I've no intention of making multiple queries currently but ... I
haven't used "i" yet either, so I'm far from a guru; I can only go by what
I read and the MySQL reference to mysqli for multiple queries, should
the occasion arise. In fact, I've only ever experimented with MySQL
itself, though I am using it on one of my own sites.
To me, it simply seems like the right way to go. Do you disagree
with that?
> so it would seem that this actual SQL injection method is an urban myth.
Well, I've seen a few exploits and how they're done, and I've used one
of them, and I did successfully trash my database. So, I'm not so sure
that's 100% the case; perhaps it's just that you're good at writing
sanitize/validate code?
>
> From PHP anyway.
>
> ISTR I actually tried it once to see if my code was robust. I failed to
> destroy the database or indeed any data, at all.
>
Interesting observations/experiment; thanks for the info. Don't you
think it's actually due to your own code? Just curious, mostly.
Good post,
Twayne`
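The distinction the two posters are arguing over, as an added example that is not part of this thread and not PHP's own code: Python's sqlite3 module is used here as a stand-in because its execute() accepts exactly one statement per call, as mysql_query() does, while executescript() runs every statement in the string, as mysqli_multi_query() does. The schema, the three rows and the two attacker inputs are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows standing in for a site database.
def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# Constructed attacker inputs sent where a numeric id is expected.
STACKED = "1; DELETE FROM users"   # a second statement: needs a multi-statement API
TAUTOLOGY = "1 OR 1=1"             # stays inside the one statement the API allows


def lookup_single_statement(user_input):
    """String concatenation through execute(), which, like mysql_query(),
    refuses a string holding more than one statement.
    Returns (rows still in the table, name of the error raised or None)."""
    conn = fresh_db()
    sql = "SELECT name FROM users WHERE id = " + user_input
    try:
        conn.execute(sql).fetchall()
        err = None
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # Which class is raised depends on the Python version; both mean
        # "You can only execute one statement at a time", and nothing ran.
        err = type(exc).__name__
    return count_users(conn), err


def lookup_multi_statement(user_input):
    """The same concatenation through executescript(), which, like
    mysqli_multi_query(), runs every statement in the string."""
    conn = fresh_db()
    conn.executescript("SELECT name FROM users WHERE id = " + user_input)
    return count_users(conn)


def delete_single_statement(user_input):
    """Concatenation inside a DELETE: no stacking is needed to lose data."""
    conn = fresh_db()
    conn.execute("DELETE FROM users WHERE id = " + user_input)
    conn.commit()
    return count_users(conn)


def delete_parameterised(user_input):
    """The fix: the value is bound as data, so it can never become SQL."""
    conn = fresh_db()
    conn.execute("DELETE FROM users WHERE id = ?", (user_input,))
    conn.commit()
    return count_users(conn)


if __name__ == "__main__":
    print("stacked payload, single-statement API :", lookup_single_statement(STACKED))
    print("stacked payload, multi-statement API  :", lookup_multi_statement(STACKED))
    print("tautology, single statement, concat   :", delete_single_statement(TAUTOLOGY))
    print("tautology, single statement, bound    :", delete_parameterised(TAUTOLOGY))
```

The single-statement API does stop the stacked "; DELETE" payload, which is the grain of truth in the "urban myth" remark, but the same concatenation inside one DELETE still empties the table, and a SELECT with "OR 1=1" still leaks every row. Only the bound parameter closes both holes; switching from mysql_query() to mysqli_query() on its own changes neither.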