[nycphp-talk] mysqli exception problem
Flavio daCosta
nyphp at n0p.net
Mon Nov 5 18:43:02 EST 2007
On 11/05/2007 06:14 PM, Michael Southwell wrote:
> aha, so 'SELECT name FROM wines WHERE color = "red";DELETE FROM wines'
> is two statements in mysql (failing with msyql_query) but one in mysqli?!?!
Correct, mysql_query() processes a string: 'SELECT name FROM wines WHERE
color = "red";DELETE FROM wines' which is two statements.
->prepare () processes a string and returns a prepared statement object
(it doesn't actually run the query) which in turn must optionally have
parameters bound to placeholders and then ->executed ().
What they are describing in their docs is preparing more than one statement:
// Wont work
$query = $demo -> prepare( 'SELECT name FROM wines WHERE color =
?;DELETE FROM wines WHERE color = ?;' )
This is a perfect example of why prepared statements are so much better
for SQL injection avoidance than straight SQL calls. When you prepare a
statement (with known code/static string,) you are explicitly telling
the database where and how the parameters will be used. When you bind
the parameters they do not need to be escaped because the database
knows, what you are binding is what it should use for the previously
identified parameter(s).
Hopefully helpful and not confusing ;-)
flav
More information about the talk
mailing list