passing connection string as parameter for insert function
Posted: Sun Mar 16, 2008 9:12 pm
by controlxjp
Simple question here:
If I were to create an SQL insert function that includes a parameter for the connection string,
e.g.
set autocommit false; insert queries; call external insert function; update queries; set autocommit true;
does it differ much from, say, if instead I just performed all the queries in one single main block?
BTW, the reason I had to create a separate function is that it performs generic insert queries... in case that wasn't quite obvious.
Re: passing connection string as parameter for insert function
Posted: Tue Mar 18, 2008 11:51 am
by devbro
It is a better idea to do each command separately.
One of the major problems with the query function in PHP is SQL-injection attacks.
There have been several ways to prevent them, such as adding slashes or killing the connection if the strings looked like SQL statements.
The last and most effective solution is to only execute the first statement in a string set. It is done regardless of any error, so:
ST1:ST2:ST3 only runs ST1
ST1_ERR:ST2:ST3 only runs ST1_ERR
The second reason for running statements separately is due to future compatibility and cross-system issues.
Re: passing connection string as parameter for insert function
Posted: Sun Mar 23, 2008 6:46 pm
by controlxjp
That's really not what I'm getting at...
I'm talking about creating PHP functions with the connection string variable as a parameter.
Somewhere in my main block I might have this:
$conString = mysqli_connect('localhost','user','password','schema');
(set autocommit to false)
$Query = blah blah...
$Result....
CallFunction($conString, $ResultArray);
where CallFunction is another SQL block of, perhaps, update / insert queries
(set autocommit to true)
So basically, I'm asking how much of a difference it makes for me to establish one connection string and pass it around before making the commit,
or to create separate connections instead each time I invoke separate functions...
Oh... and, I'm not passing user input directly into SQL queries...
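As an added illustration (not code from this thread; Python's sqlite3 stands in for the MySQL setup, and the tables and sample rows are constructed), the difference between handing the generic insert helper the caller's connection and letting it open its own: only the shared connection keeps the helper's inserts inside the transaction that a later rollback undoes, and the helper's placeholders keep values out of the SQL text.

```python
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT);
CREATE TABLE items (order_id INTEGER, sku TEXT, qty INTEGER);
"""

# Constructed sample rows standing in for the generic inserts the helper performs.
SAMPLE_ITEMS = [(1, "SKU-A", 2), (1, "SKU-B", 1)]


def insert_items(conn, items):
    """Generic insert helper: uses whatever connection it is handed and never commits.
    '?' placeholders bind the values; nothing is concatenated into the SQL string."""
    conn.executemany("INSERT INTO items (order_id, sku, qty) VALUES (?, ?, ?)", items)


def fresh_db():
    """Create an empty on-disk database so two connections can open the same file."""
    path = os.path.join(tempfile.mkdtemp(), "demo.sqlite")
    conn = sqlite3.connect(path, isolation_level=None)  # we issue BEGIN/ROLLBACK ourselves
    conn.executescript(SCHEMA)
    return path, conn


def counts(path):
    """Return (rows in orders, rows in items) as seen by a fresh connection."""
    c = sqlite3.connect(path)
    n = tuple(c.execute("SELECT (SELECT COUNT(*) FROM orders), (SELECT COUNT(*) FROM items)").fetchone())
    c.close()
    return n


def run_shared_connection():
    """Helper reuses the caller's connection, so its inserts join the open transaction."""
    path, conn = fresh_db()
    conn.execute("BEGIN")                       # autocommit off, in the thread's terms
    insert_items(conn, SAMPLE_ITEMS)            # same connection passed as a parameter
    conn.execute("INSERT INTO orders (id, customer) VALUES (1, 'alice')")
    conn.execute("ROLLBACK")                    # simulate a failure before the final commit
    conn.close()
    return counts(path)                         # both tables empty: the work was atomic


def run_separate_connection():
    """Helper opens its own connection: its commit is independent of the caller's transaction."""
    path, conn = fresh_db()
    conn.execute("BEGIN")
    helper_conn = sqlite3.connect(path)         # a second connection created inside the helper
    insert_items(helper_conn, SAMPLE_ITEMS)
    helper_conn.commit()                        # persists no matter what the caller does next
    helper_conn.close()
    conn.execute("INSERT INTO orders (id, customer) VALUES (1, 'alice')")
    conn.execute("ROLLBACK")                    # undoes only the caller's own statements
    conn.close()
    return counts(path)                         # items survive without their order
```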