diff --git a/reference/mysqli/mysqli/query.xml b/reference/mysqli/mysqli/query.xml
index 4805db6150..3df7427eed 100644
--- a/reference/mysqli/mysqli/query.xml
+++ b/reference/mysqli/mysqli/query.xml
@@ -77,29 +77,46 @@ The query string. - - Data inside the query should be properly escaped. - + + Security warning: SQL injection + + If the query contains any variable input then + parameterized + prepared statements should be used instead. Alternatively, the + data must be properly formatted and all strings must be escaped using + the mysqli_real_escape_string + function. + + result_mode - Either the constant MYSQLI_USE_RESULT or - MYSQLI_STORE_RESULT depending on the desired - behavior. By default, MYSQLI_STORE_RESULT is used. + The result mode can be one of 3 constants indicating how the result will + be returned from the MySQL server. - If you use MYSQLI_USE_RESULT all subsequent calls - will return error Commands out of sync unless you - call mysqli_free_result + MYSQLI_STORE_RESULT (default) - returns a + mysqli_result object with buffered result set. - With MYSQLI_ASYNC (available with mysqlnd), it is - possible to perform query asynchronously. + MYSQLI_USE_RESULT - returns a + mysqli_result object with unbuffered result set. + As long as there are pending records waiting to be fetched, the + connection line will be busy and all subsequent calls will return error + Commands out of sync. To avoid the error all records + must be fetched from the server or the result set must be discarded by + calling mysqli_free_result. + + + MYSQLI_ASYNC (available with mysqlnd) - the query is + performed asynchronously and no result set is immediately returned. mysqli_poll is then used to get results from such - queries. + queries. Used in combination with either + MYSQLI_STORE_RESULT or + MYSQLI_USE_RESULT constant. 
@@ -110,9 +127,11 @@ &reftitle.returnvalues; - Returns &false; on failure. For successful queries which produce a result set, such as SELECT, SHOW, DESCRIBE or + Returns &false; on failure. For successful queries which produce a result + set, such as SELECT, SHOW, DESCRIBE or EXPLAIN, mysqli_query will return - a mysqli_result object. For other successful queries, mysqli_query will + a mysqli_result object. For other successful queries, + mysqli_query will return &true;. 
@@ -125,90 +144,59 @@ connect_errno) { - printf("Connect failed: %s\n", $mysqli->connect_error); - exit(); -} - /* Create table doesn't return a resultset */ -if ($mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City") === TRUE) { - printf("Table myCity successfully created.\n"); -} +$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City"); +printf("Table myCity successfully created.\n"); /* Select queries return a resultset */ -if ($result = $mysqli->query("SELECT Name FROM City LIMIT 10")) { - printf("Select returned %d rows.\n", $result->num_rows); - - /* free result set */ - $result->close(); -} +$result = $mysqli->query("SELECT Name FROM City LIMIT 10"); +printf("Select returned %d rows.\n", $result->num_rows); /* If we have to retrieve large amount of data we use MYSQLI_USE_RESULT */ -if ($result = $mysqli->query("SELECT * FROM City", MYSQLI_USE_RESULT)) { +$result = $mysqli->query("SELECT * FROM City", MYSQLI_USE_RESULT); - /* Note, that we can't execute any functions which interact with the - server until result set was closed. All calls will return an - 'out of sync' error */ - if (!$mysqli->query("SET @a:='this will not work'")) { - printf("Error: %s\n", $mysqli->error); - } - $result->close(); -} - -$mysqli->close(); -?> +/* Note, that we can't execute any functions which interact with the + server until all records have been fully retrieved or the result + set was closed. All calls will return an 'out of sync' error */ +$mysqli->query("SET @a:='this will not work'"); ]]> &style.procedural; +/* Note, that we can't execute any functions which interact with the + server until all records have been fully retrieved or the result + set was closed. All calls will return an 'out of sync' error */ +mysqli_query($link, "SET @a:='this will not work'"); ]]> - &examples.outputs; + &examples.outputs.similar; @@ -220,6 +208,7 @@ Error: Commands out of sync; You can't run this command now mysqli_real_query mysqli_multi_query + mysqli_prepare mysqli_free_result 
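Review bot: The rewritten object-oriented example prints `Table myCity successfully created.` unconditionally after `$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City")` and reads `$result->num_rows` without checking whether `query()` returned false, and the procedural example's `mysqli_query($link, ...)` calls drop their checks the same way. That is only sound if mysqli is in exception mode, which the hunk does not show; the beginning of both examples lies above the hunk, so it may be enabled there. If it is, the example should say so next to the first query, e.g. `/* mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) is assumed: a failed query throws instead of returning false */`, so readers do not copy unchecked calls into code where the default report mode is different. The "out of sync" demonstration is also now a bare `$mysqli->query("SET @a:='this will not work'")` whose failure is neither checked nor echoed, so the output the comment promises is not visible from the example itself.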
diff --git a/reference/mysqli/mysqli/real-query.xml b/reference/mysqli/mysqli/real-query.xml
index 59d170385d..e4e5f08fc5 100644
--- a/reference/mysqli/mysqli/real-query.xml
+++ b/reference/mysqli/mysqli/real-query.xml
@@ -40,11 +40,19 @@ query - The query, as a string. - - - Data inside the query should be properly escaped. + The query string. + + Security warning: SQL injection + + If the query contains any variable input then + parameterized + prepared statements should be used instead. Alternatively, the + data must be properly formatted and all strings must be escaped using + the mysqli_real_escape_string + function. + +