I can try to answer these to the best of my abilities.
1. Multiple queries are not supported means just as it says, you can't have more than one query in that single function. MySQL Injection implies that a piece of a query is inserted, not an entire one. Just inserting a little piece can hack the whole query.
2. If you're really worried about SQL Injection, then I would recommend widening your focus. PHP has a couple of functions to help, but you can still use IF statements to check for particular, common ways of injection.
3. mysql_fetch_array() and mysql_fetch_assoc() only fetch an executed query. Your question here didn't really make any sense so maybe you didn't realize this? For example, a common use of these functions would look like this:
PHP Code:
$query = mysql_query("SELECT * FROM dual");
while ($row = mysql_fetch_assoc($query)) {
    /* statements */
}
4. Anything you can do in a stored procedure, again, you could do with PHP. Stored procedures should be used more for extensive SQL statements that return a wider set of results.
Overall, MySQL Injection is mainly a threat where part of the SQL statement is dependent on a variable that maybe the user inputs. For example, when validating a user who logs in, a SQL statement would check for a username in the database to match the one supplied, but if they enter a tidbit from a SQL WHERE clause, it could completely change the statement.
PHP Code:
$query = "SELECT * FROM user_tables WHERE u_name='$input' LIMIT 1";
/* given input is: test' OR 'x'='x */
$query = "SELECT * FROM user_tables WHERE u_name='test' OR 'x'='x' LIMIT 1";
Obviously, that second query would always be true and return a false positive. Hope that helps!
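
The login query from the post, shown beside a bound-parameter version, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server; the function names and the rows in `user_tables` are constructed for illustration. With the post's input, the concatenated query matches a row even though no user is named `test`, while the bound query matches none.

```php
<?php
// Added example: constructed table and rows; SQLite in-memory stands in for MySQL (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_tables (u_name TEXT)");
$db->exec("INSERT INTO user_tables (u_name) VALUES ('alice'), ('bob')");

// "Before": the input is concatenated into the SQL text, as in the post.
// A quote in $input ends the string literal and the rest is parsed as SQL.
function find_user_concat(PDO $db, string $input): array {
    $sql = "SELECT * FROM user_tables WHERE u_name='$input' LIMIT 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": the statement is prepared with a placeholder and the input is
// bound as a value, so it is compared to u_name and never parsed as SQL.
function find_user_bound(PDO $db, string $input): array {
    $stmt = $db->prepare("SELECT * FROM user_tables WHERE u_name = ? LIMIT 1");
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The input from the post, then an ordinary existing name for comparison.
$inputs = ["test' OR 'x'='x", "alice"];
$lookups = ['concat' => 'find_user_concat', 'bound' => 'find_user_bound'];

foreach ($inputs as $input) {
    foreach ($lookups as $label => $fn) {
        $rows = $fn($db, $input);
        printf("%-18s %-6s rows returned: %d\n", $input, $label, count($rows));
    }
}
```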