I try to execute the following query via php:
CREATE TEMPORARY TABLE temp_table
AS
SELECT * FROM vacancies WHERE vacancyid = '22207';
UPDATE temp_table SET vacancyid='22216' WHERE vacancyid='22207';
INSERT INTO newdatabase.vacancies SELECT * FROM temp_table;
DROP TEMPORARY TABLE temp_table;
This gives an error:
Errormessage: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE temp_table SET vacancyid='22216' WHERE vacancyid='22207';
If i execute the query directly in PMA it works fine. The user I connect with in PHP has these priveliges:
GRANT ALL PRIVILEGES ON firstdatabase.* TO 'username'@'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON newdatabase.* TO 'username'@'%' WITH GRANT OPTION;
Anyone got a clue?
PHP code:
//Get the new autoincrement id of the vacancy of individual jobboard
$iNewId = $db->lookup("SELECT vacancyid FROM ".$aBoardInfo['username'].".vacancies ORDER BY vacancyid DESC LIMIT 1");
$iNewId = $iNewId + 1;
$db->query("
CREATE TEMPORARY TABLE temp_table
AS
SELECT * FROM vacancies WHERE vacancyid = '". $iVacancyid ."' ;
UPDATE temp_table SET vacancyid=". $iNewId ." WHERE vacancyid='". $iVacancyid ."' ;
INSERT INTO ".$aBoardInfo['username'].".vacancies SELECT * FROM temp_table ;
DROP TEMPORARY TABLE temp_table ;
");
As it is described in the documentation in example 2
Example #2 SQL Injection
<?php $mysqli = new mysqli("example.com", "user", "password", "database"); $res = $mysqli->query("SELECT 1; DROP TABLE mysql.user"); if (!$res) { echo "Error executing query: (" . $mysqli->errno . ") " . $mysqli->error; } ?>The above example will output:
Error executing query: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP TABLE mysql.user' at line 1
Prepared statements
Use of the multiple statement with prepared statements is not supported.