
mysqli returns error, but the query works properly in phpMyAdmin

The problem is the following: I have a series of INSERT queries packed in a PHP array. Through an implode function I send the total query to the db engine (using mysqli class).

PHP Code:

$query = array();
foreach ($intestazione as $i => $val) {
    $query[] = "INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) "
             . "VALUES ('$id_tabella', '$val', '$i') ";
}
if ($matper_connection->query(implode(';',$query)) === FALSE) {
    die ("Query error: 
".$matper_connection->error."
".implode(';
',$query));
}

Browser result:

Query non riuscita: 
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'AfS',' at line 1
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'AfS Pulito', '0') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'AfS', '1') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'Denominazione', '2') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'TR di Riferimento', '3') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'Riferimento schematico', '4') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'Campo', '5') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'Applicabilità', '6') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'Evento', '7') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', '', '8') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'PER', '9') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'ROE', '10') ;
INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES ('18', 'Note', '11')

If I copy the exact output text (also erasing the added during debugging) into the SQL field of phpMySql, the total query works correctly.

I can't figure out what's the problem...

Thanks in advance for any advice...

1 solution

#1


0  

The API functions mysqli_query() and mysqli_real_query() do not set a connection flag necessary for activating multi queries in the server. An extra API call is used for multiple statements to reduce the likeliness of accidental SQL injection attacks. http://php.net/manual/en/mysqli.quickstart.multiple-statement.php

For multiple queries in a single command you have to use, for example, mysqli::multi_query.

Basically you can just change

$matper_connection->query(implode(';',$query)) === FALSE

to

$matper_connection->multi_query(implode(';',$query)) === FALSE

Documentation for mysqli::multi_query can be found at: http://php.net/manual/en/mysqli.multi-query.php

Suggestion

I would suggest that you modify your code so that it inserts everything in one statement if you allow user input in your SQL. Example:

INSERT INTO 
    `intestazioni` (`id_tabella`, `nome`, `ordine`) 
    VALUES 
        ('18', 'AfS Pulito', '0'), 
        ('18', 'AfS', '1'), 
        ('18', 'Denominazione', '2'),
        ...

In this way you can use the normal mysql::query without worrying about SQL injections that execute more than one query. You still need to escape the user's input to secure your queries.
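
The single-statement approach from the answer, written with a prepared statement and bound parameters instead of manual escaping. This is an added example, not code from the original answer; the function name `build_intestazioni_insert`, the column types and the connection settings are assumptions.

```php
<?php
// Added example: multi-row INSERT through a mysqli prepared statement.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any DB error

/**
 * Build one INSERT with a "(?, ?, ?)" group per heading.
 * Returns [sql, bind_param type string, flat parameter list].
 * (Hypothetical helper, named for this example only.)
 */
function build_intestazioni_insert(int $id_tabella, array $intestazione): array
{
    if ($intestazione === []) {
        throw new InvalidArgumentException('No headings to insert');
    }
    $groups = [];
    $types  = '';
    $params = [];
    foreach ($intestazione as $i => $val) {
        $groups[] = '(?, ?, ?)';
        $types   .= 'isi'; // assumption: id_tabella and ordine are integer columns
        array_push($params, $id_tabella, (string) $val, (int) $i);
    }
    $sql = 'INSERT INTO `intestazioni` (`id_tabella`, `nome`, `ordine`) VALUES '
         . implode(', ', $groups);
    return [$sql, $types, $params];
}

// Constructed sample headings; the apostrophe would break the string-built query.
$intestazione = ['AfS Pulito', 'AfS', "Campo d'applicazione", ''];

[$sql, $types, $params] = build_intestazioni_insert(18, $intestazione);

// Placeholder connection settings, replace with your own.
$matper_connection = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$matper_connection->set_charset('utf8mb4');

$stmt = $matper_connection->prepare($sql);
$stmt->bind_param($types, ...$params); // values travel separately from the SQL text
$stmt->execute();
echo $stmt->affected_rows . " rows inserted\n";
```

Because the SQL text contains only placeholders, a heading containing a quote or a semicolon is stored as data and cannot change the statement.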
