Ahmad Badpey

Reputation: 6612

Executing multiple queries in the mysql_query() function

Suppose I have a query like this:

// values taken straight from the request, unchecked
$std_id =   $_POST['std_id'];
$name   =   $_POST['name'];
$family =   $_POST['family'];

// values spliced directly into the SQL text
$sql    =   "insert into student set
 std_id =   $std_id,
 name   =   '$name',
 family =   '$family'";
$query  =   mysql_query($sql, $conn);

I read in a PHP security book that if a user enters a value for the family field like:

ahmad';drop database test#

it can delete the database test.

But we know that the mysql_query() function only allows executing one query.
I want to know how this input can be unsafe.

Upvotes: 0

Views: 2931

Answers (3)

Manse

Reputation: 38147

Just worrying about multiple queries is not enough for SQL security ... There are so many questions/answers on SO for you to read about this subject ...

There are also good resources on php.net.

Upvotes: 3

Your Common Sense

Reputation: 157839

There are many delusions in your question.
Let's sort them out.

  1. mysql_query() doesn't support multiple-query execution.
    (so, it is useless to delete anything)
  2. Dropping tables in a separate query is not the only way of SQL injection.
    (so, it is useless to delete anything again)
  3. To protect your query you have to follow some well-known techniques, not some handmade inventions of doubtful efficiency.

Upvotes: 3
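The following is an added example, not code from the question or from any of the answers. It shows the INSERT from the question built both ways: with the family value spliced into the SQL text, as in the question, and as a prepared statement, which is the "well-known technique" the answer above refers to. It uses PDO with an in-memory SQLite database so it runs offline with no server; the table and column names come from the question, and the MySQL DSN named in the comment is an assumed placeholder. The PDO prepare/bind/execute calls are the same for a MySQL DSN.

```php
<?php
// Added example: the question's INSERT with spliced input next to a prepared statement.
// In-memory SQLite keeps it runnable offline; with MySQL you would use a DSN such as
// "mysql:host=localhost;dbname=test" (placeholder values) and the same PDO calls.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE student (std_id INTEGER, name TEXT, family TEXT)');

// Constructed input: the family value quoted in the question.
$std_id = 1;
$name   = 'ahmad';
$family = "ahmad';drop database test#";

// 1. The question's approach: user input spliced into the SQL text.
//    The quote inside $family closes the string literal early, so everything after it
//    is parsed as SQL rather than stored as data. Whether the server then runs it,
//    rejects it, or treats it as a comment depends on the dialect and driver; either
//    way the single statement no longer has the structure the developer wrote.
$unsafe = "INSERT INTO student (std_id, name, family) VALUES ($std_id, '$name', '$family')";
try {
    $pdo->exec($unsafe);
    echo "spliced statement executed\n";
} catch (PDOException $e) {
    echo "spliced statement was changed by the input: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the SQL structure is fixed before any value is supplied and
//    the values travel separately, so a quote in $family is just a character.
//    Binding std_id as an integer also covers the unquoted numeric column, where
//    quote-escaping alone would not help.
$stmt = $pdo->prepare(
    'INSERT INTO student (std_id, name, family) VALUES (:std_id, :name, :family)'
);
$stmt->bindValue(':std_id', $std_id, PDO::PARAM_INT);
$stmt->bindValue(':name',   $name,   PDO::PARAM_STR);
$stmt->bindValue(':family', $family, PDO::PARAM_STR);
$stmt->execute();

// Read the row back: the hostile string is stored verbatim, as plain data.
$check = $pdo->prepare('SELECT family FROM student WHERE std_id = :std_id');
$check->execute([':std_id' => $std_id]);
$stored = $check->fetchColumn();
echo ($stored === $family) ? "stored verbatim as data\n" : "stored value differs\n";
```

Run it with `php example.php` on a PHP build that has pdo_sqlite enabled. Note that the mysql_* extension used in the question was removed in PHP 7; mysqli and PDO are the supported replacements, and both provide prepared statements.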

str

Reputation: 44969

Using multiple queries separated by a semicolon is not the only way to exploit your queries; it is just a very simple example. It will work when you are using mysqli_multi_query().

Upvotes: 0
