What is the bad in running multiple commands in the same query

I am using Sql-Server and Postgresql. Usually when I need to run multiple commands, I open a new connection, and for each needed query task I run a command (inserting 1000 rows, for example).

Is it bad if I run multiple query commands in a single command (queries separated by commas) vs. the previous behavior?


Answer

Running multiple commands inside a single call (and being able to do it) makes you extremely vulnerable to SQL injection. Any query, even a simple SELECT, becomes dangerous if somebody can append an UPDATE or DELETE statement afterwards. That’s why many implementations (especially from PHP) simply inhibit the ability to submit nested queries.

On the other hand, as far as I know, there’s almost no valid reason to do so. One usually keeps the connection open, so the overhead implied by the call itself is negligible.

If what you seek is actually atomicity, then you want to try “transactions” instead.

If you are worried about the complexity of your queries and don’t want to have them re-parsed each time, you may take a look at “prepared statements” and stored procedures (or “functions” if you’re using a recent version of PostgreSQL).
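The three points of the answer (stacked statements enable injection, single-statement drivers refuse them, a transaction gives atomicity without stacking) as an added example that is not part of the original answer. It uses Python's built-in SQLite driver as a stand-in for SQL Server / PostgreSQL; the assumption is that the same pattern (value bound as a parameter, one statement per call, explicit transaction) carries over to drivers such as psycopg2 or pyodbc.

```python
import sqlite3

# Constructed malicious input: a closing quote followed by a second statement.
MALICIOUS_NAME = "x'; UPDATE users SET role = 'admin' WHERE name = 'alice"


def make_db():
    # Constructed in-memory table standing in for a real SQL Server / PostgreSQL table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT)")
    conn.execute("INSERT INTO users (name, role) VALUES ('alice', 'user')")
    conn.commit()
    return conn


def role_of(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()[0]


def lookup_vulnerable(conn, name):
    # BAD: string concatenation plus executescript(), which runs every
    # ';'-separated statement in the text. Whatever the caller appends to
    # `name` executes with the application's database privileges.
    conn.executescript("SELECT role FROM users WHERE name = '" + name + "';")
    return role_of(conn, "alice")  # shows whether the appended UPDATE ran


def lookup_safe(conn, name):
    # GOOD: the value is bound as a parameter, so it is data, never SQL text.
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def stacked_statement_rejected(conn):
    # The single-statement API refuses text containing two statements, the
    # same guard the answer describes for PHP drivers.
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def insert_batch(conn, rows):
    # Atomicity without stacking: one transaction, one parameterised INSERT
    # per row; a failing row rolls back the whole batch.
    try:
        with conn:
            conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", rows)
        return True
    except sqlite3.IntegrityError:
        return False


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```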

User contributions licensed under: CC BY-SA