
I have a function that can make different types of database connections and, simplified below with only two such $ActionType values, it is the second one I am having difficulty with. No errors but no results either. Any ideas?

The query contains multiple queries such as:

```php
$Query = "SQL statement #1;";
$Query .= "SQL statement #2;";
$Query .= "SQL statement #3;";
```

and this is the function, cut down to fit here:

```php
function DBConnect($Query, $ActionType, $DBname, $selType='array') {
    $ActionType = trim(strtolower($ActionType));

    if (!$Query) :
        exit();
    endif;

    $MySQLError = "";
    $mysqli = dbConn($DBname);

    if ($Query && $mysqli->connect_errno != 0):
        $MySQLError = "<div class=\"ErrorMessage\">";
        // sprintf() returns the string; printf() would echo it and return its length
        $MySQLError .= sprintf("Connect failed: %s\n", $mysqli->connect_error);
        $MySQLError .= "</div>\n\n";
        return $MySQLError;
        exit();
    endif;

    switch ($ActionType) :
        case "multiple":
            if ($result = $mysqli->query($Query)) :
                $numrowsCat = $result->num_rows;
                if ($numrowsCat >= 1) :
                    $result = $mysqli->query($Query);
                    if ($selType === "assoc") :
                        while($row = $result->fetch_assoc()) :
                            $results_array[] = $row;
                        endwhile;
                    else :
                        while($row = $result->fetch_array()) :
                            $results_array[] = $row;
                        endwhile;
                    endif;
                    return $results_array;
                endif;
                $MySQLError = ($mysqli->connect_errno) ? mysqli_error($mysqli) : "";
                $mysqli->close();
                if ($MySQLError) return $MySQLError;
            endif;
        break;

        case "multiquery":
            if ($result = $mysqli->multi_query($Query)) :
                if ($result) :
                    while($row = $result->fetch_array()) :
                        $results_array[] = $row;
                    endwhile;
                    return $results_array;
                endif;

                $MySQLError = ($mysqli->connect_errno) ? mysqli_error($mysqli) : "";
                $mysqli->close();
                if ($MySQLError) return $MySQLError;
            endif;
        break;

    endswitch;
}
```
DonP
  • Why do you use `multi_query` at all? You are most likely vulnerable to SQL injection. – Dharman Jun 16 '19 at 17:43
  • Because I have three queries that must be run together and I can see no other way to do it. Why would it be any more vulnerable to SQL injection than any other type? – DonP Jun 16 '19 at 17:58
  • You could use transactions, or just simply execute each query one after another. `multi_query` is a bad idea because you can't bind data to it. Without passing data to SQL you can only do so much, which makes this function pretty much useless, unless you inject the data into SQL. – Dharman Jun 16 '19 at 18:01
  • Unfortunately I need to find a way to do it within the confines of the existing function as posted which is using mysqli. In this case, it is only fetching data, not inserting anything. – DonP Jun 16 '19 at 18:11
  • I said injecting, as in putting PHP variables inside of SQL string. This can happen for SELECT statements too. You can use prepared statements and/or transactions with MySQLi too. About your current problem, I can't see you fetching the results from `multi_query` using `store_result`/`next_result` – Dharman Jun 16 '19 at 18:14
  • That's why I'm asking for help with my code to make it work. – DonP Jun 16 '19 at 18:16
  • Have you read the example in the manual already? [`multi_query`](https://www.php.net/manual/en/mysqli.multi-query.php) – Dharman Jun 16 '19 at 18:17
  • Yes, that's what I based my code on although I wasn't sure why the do, especially as I don't know of enddo in the syntax that the rest of my code uses. – DonP Jun 16 '19 at 18:19
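
The alternative raised in the comments (each statement executed in turn as a prepared statement inside a transaction, rather than one `multi_query` string), as an added example that is not part of the original thread. The helper name `runInTransaction`, its argument layout and the table and column names in the usage comment are assumptions; `get_result()` requires the mysqlnd driver.

```php
<?php
// Added example (not the poster's code): run several statements as one unit
// without multi_query(), binding values instead of concatenating them.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

/**
 * Hypothetical helper. $statements is a list of [sql, types, params];
 * returns one array of rows per statement (empty array for non-SELECTs).
 */
function runInTransaction(mysqli $mysqli, array $statements, string $selType = 'array'): array
{
    // Mirror the question's $selType: 'assoc' or the fetch_array() default.
    $mode = ($selType === 'assoc') ? MYSQLI_ASSOC : MYSQLI_BOTH;
    $resultSets = [];

    $mysqli->begin_transaction();
    try {
        foreach ($statements as [$sql, $types, $params]) {
            $stmt = $mysqli->prepare($sql);
            if ($params !== []) {
                // Values travel separately from the SQL text.
                $stmt->bind_param($types, ...$params);
            }
            $stmt->execute();
            $result = $stmt->get_result(); // false for INSERT/UPDATE/DELETE
            $resultSets[] = $result ? $result->fetch_all($mode) : [];
            $stmt->close();
        }
        $mysqli->commit();
    } catch (mysqli_sql_exception $e) {
        // Any failing statement undoes the whole batch.
        $mysqli->rollback();
        throw $e;
    }
    return $resultSets;
}

// Constructed usage; table and column names are placeholders.
// $sets = runInTransaction($mysqli, [
//     ['SELECT id, name FROM categories WHERE parent_id = ?', 'i', [$parentId]],
//     ['SELECT COUNT(*) AS n FROM items WHERE category_id = ?', 'i', [$categoryId]],
//     ['SELECT title FROM pages WHERE slug = ?', 's', [$slug]],
// ], 'assoc');
```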

0 Answers