mysqli_multi_query not doing anything

Question

I am doing an ajax call to a PHP which should do 2 SQL queries. The queries look like this:

$sql = "UPDATE customers SET customers_newsletter=1 WHERE customers_id ='".$cid."'";
   $sql .= "INSERT INTO coupons (coupon_id, 
                                 coupon_type, 
                                 coupon_code,
                                 coupon_amount, 
                                 coupon_minimum_order, 
                                 coupon_start_date, 
                                 coupon_expire_date, 
                                 uses_per_coupon, 
                                 uses_per_user, 
                                 coupon_active) 
                         VALUES ('".$cid."',
                                 'NL_".$cid_substr."".$cid."',
                                 'F',
                                 '5.0000',
                                 '100.0000',
                                 '".date("Y-m-d H:i:s")."',
                                 '".$expiredate."',
                                 '1',
                                 '1',
                                 'Y'
                                )";
mysqli_multi_query($con,$sql);

In another php file the exact same code already worked, i there copied an sql entry to another table and then deleted it from the current one.

If i do only one of the queries it works, but i need to get them to work together.

Any ideas why it is not working?

UPDATE:

I now followed the link for preventing sql injection in the comment and i got the following code now:

<?php
$mysqli = new mysqli("server", "user", "pw", "db");

// TODO - Check that connection was successful.

$unsafe_variable = $_GET['cid'];

$stmt = $mysqli->prepare("INSERT INTO coupons (coupon_id) VALUES (?)");

// TODO check that $stmt creation succeeded

// "s" means the database expects a string
$stmt->bind_param("s", $unsafe_variable);

$stmt->execute();

$stmt->close();

$mysqli->close();


mysqli_close($con);
?>

It is still not working. Where is the fault?

[Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Are you doing any error checking? If not, have you looked in the error logs? — Jay Blanchard, Nov 20 '15 at 13:48
Take a look at my update please. I am even wonderign a bit because the variable just can't be changed by the user. — Marcel Wasilewski, Nov 20 '15 at 15:06
You've not added any error checking, so you need to look in your error logs. My guess is that you're not connecting to your database. — Jay Blanchard, Nov 20 '15 at 15:08
IT is working without this whole injection prevention thing now... the problem is my admin user_ID is 1 and coupon_code 1 already existed... oh man. Thank you anyway — Marcel Wasilewski, Nov 20 '15 at 15:18

score 2 · Accepted Answer · answered Nov 20 '15 at 13:50

What you're currently running is the same as:

$sql = "UPDATE customers SET customers_newsletter=1 WHERE customers_id ='".$cid."' INSERT INTO coupons (coupon_id, 
                                 coupon_type, 
                                 coupon_code,
                                 coupon_amount, 
                                 coupon_minimum_order, 
                                 coupon_start_date, 
                                 coupon_expire_date, 
                                 uses_per_coupon, 
                                 uses_per_user, 
                                 coupon_active) 
                         VALUES ('".$cid."',
                                 'NL_".$cid_substr."".$cid."',
                                 'F',
                                 '5.0000',
                                 '100.0000',
                                 '".date("Y-m-d H:i:s")."',
                                 '".$expiredate."',
                                 '1',
                                 '1',
                                 'Y'
                                )";
mysqli_multi_query($con,$sql);

Which, if you notice right after the first query it starts right into the INSERT. If you ran this in anything that would give you the SQL error (or echo'd the sql error here) you'd likely see that there is a syntax error because the UPDATE query is never closed. Try adding a ; to the end of the update statement, like so:

$sql = "UPDATE customers SET customers_newsletter=1 WHERE customers_id ='".$cid."';";

jep... i already did this fault one time... damn i have to think about it next time. So now at least it is happening something, but the second sql query is not beeing made. I will have a closer look at Jay Blanchard's link in comment. Thank you. — Marcel Wasilewski, Nov 20 '15 at 13:51
@MarcelWasilewski Hey man! Happy it worked for ya! Would you mind selecting this as the answer to your initial question, and then writing up a new question for future issues you run into? Typically, on stack, the answer is relative to the first question, you don't modify the question with a new question, you only modify to add details. Hope that makes sense, be sure to link to your new question in a comment here so I can take a look! — Mikel Bitson, Nov 20 '15 at 15:20

mysqli_multi_query not doing anything

1 Answers1