Link to home
Start Free TrialLog in
Avatar of bitt3n
bitt3n

asked on

why does this query execute fine in MySQL but not using mysql_query()?

the following query
set @num := 0, @shop_id := NULL;


select shop_id, date
from (
   select shop_id, date,
      @num := if(@shop_id = shop_id, @num + 1, 1) as row_number,
      @shop_id := shop_id as dummy
  from products
  order by shop_id, date DESC
) as x where x.row_number <= 10;

Open in new window

executes fine when I run it through phpMyAdmin, but when I run it against the same database using
$query = "SET @num :=0,
@shop_id := NULL ;
SELECT shop_id, date
FROM (
SELECT shop_id, date, @num := IF( @shop_id = shop_id, @num +1, 1 ) AS row_number, @shop_id := shop_id AS dummy
FROM products
ORDER BY shop_id, DATE DESC
) AS x
WHERE x.row_number <=10;";

$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

Open in new window

I get
Query: SET @num :=0, @shop_id := NULL ; SELECT shop_id, date FROM ( SELECT shop_id, date, @num := IF( @shop_id = shop_id, @num +1, 1 ) AS row_number, @shop_id := shop_id AS dummy FROM products ORDER BY shop_id, DATE DESC ) AS x WHERE x.row_number <=10; 
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; SELECT shop_id, date FROM ( SELECT shop_id, date, @num := IF( @shop_id = shop_' at line 2

Open in new window

what am I doing wrong? I noticed that if I remove the user variable initialization line ('SET' etc.) the query executes, but obviously not with the correct result.
Avatar of Lukasz Chmielewski
Lukasz Chmielewski
Flag of Poland image
It appears that you cannot execute multiple ";" spearated queries in one mysql_query.
http://www.php.net/manual/en/function.mysql-query.php#16878
You have to do that one at a time.
ASKER CERTIFIED SOLUTION
Avatar of Lukasz Chmielewski
Lukasz Chmielewski
Flag of Poland image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of bitt3n
bitt3n

ASKER

thanks that works. I foolishly didn't realize the variables would persist between the calls to mysql_query().

I'm curious, given the fact that mysql_query() only accepts one query at a time, how a sql injection is ever possible, since my understanding is that the injection occurs when someone adds a second query to the first when submitting data, as in

'; DROP DATABASE;

or whatever.
Avatar of bitt3n
bitt3n

ASKER

thanks!
Avatar of Lukasz Chmielewski
Lukasz Chmielewski
Flag of Poland image
Good point. This is the prevention for executing multiple queries. You cannot drop database in mysql_query, but you can add string variables ' or 1= 1 '.
Avatar of bitt3n
bitt3n

ASKER

ah that makes sense thanks again