bitt3n
asked on
why does this query execute fine in MySQL but not using mysql_query()?
the following query
set @num := 0, @shop_id := NULL;
select shop_id, date
from (
select shop_id, date,
@num := if(@shop_id = shop_id, @num + 1, 1) as row_number,
@shop_id := shop_id as dummy
from products
order by shop_id, date DESC
) as x where x.row_number <= 10;
executes fine when I run it through phpMyAdmin, but when I run it against the same database using$query = "SET @num :=0,
@shop_id := NULL ;
SELECT shop_id, date
FROM (
SELECT shop_id, date, @num := IF( @shop_id = shop_id, @num +1, 1 ) AS row_number, @shop_id := shop_id AS dummy
FROM products
ORDER BY shop_id, DATE DESC
) AS x
WHERE x.row_number <=10;";
$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
I getQuery: SET @num :=0, @shop_id := NULL ; SELECT shop_id, date FROM ( SELECT shop_id, date, @num := IF( @shop_id = shop_id, @num +1, 1 ) AS row_number, @shop_id := shop_id AS dummy FROM products ORDER BY shop_id, DATE DESC ) AS x WHERE x.row_number <=10;
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; SELECT shop_id, date FROM ( SELECT shop_id, date, @num := IF( @shop_id = shop_' at line 2
what am I doing wrong? I noticed that if I remove the user variable initialization line ('SET' etc.) the query executes, but obviously not with the correct result.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks that works. I foolishly didn't realize the variables would persist between the calls to mysql_query().
I'm curious, given the fact that mysql_query() only accepts one query at a time, how a sql injection is ever possible, since my understanding is that the injection occurs when someone adds a second query to the first when submitting data, as in
'; DROP DATABASE;
or whatever.
I'm curious, given the fact that mysql_query() only accepts one query at a time, how a sql injection is ever possible, since my understanding is that the injection occurs when someone adds a second query to the first when submitting data, as in
'; DROP DATABASE;
or whatever.
ASKER
thanks!
Good point. This is the prevention for executing multiple queries. You cannot drop database in mysql_query, but you can add string variables ' or 1= 1 '.
ASKER
ah that makes sense thanks again
http://www.php.net/manual/en/function.mysql-query.php#16878
You have to do that one at a time.