RE: Entering a query

Are you looking to provide a page where the user would actually write the
query? Like providing a text box where the user would literally type in
SELECT something FROM sometable?

Hopefully somebody with more broad experience in databases will step in and
either confirm or refute this, but I'm pretty sure that almost every
database will make you connect to a specific database with a valid username
and password. MySQL's mysql_connect, odbc_connect, pg_connect, etc. handle
that for different databases. When you connect to the database, that
username/password combination - the account - has to have permission to do
things with the database or specific tables or even specific columns within
the database. With MySQL, I know you can set up an account that only has
SELECT privileges. Anytime a user wants to see what's in your database, you
connect to the database using the account on which you have set up the
SELECT privilege.

I don't know if I've explained this adequately or if I misunderstood your
original question. Hopefully, other members of the list will offer some
insight as well.

> -----Original Message-----
> From: shaun [mailto:shaun@mania.plus.com]
> Sent: Tuesday, April 15, 2003 10:43 AM
> To: php-db@lists.php.net
> Subject: Re:  Entering a query
> 
> 
> there will be a lot of people using the site so I don't want to give
> permissions out, I was thinking more along the lines of checking the string
> to make sure it begins with 'SELECT', is this possible?
> 
> "Richard Hutchins" <Richard.Hutchins@Getingeusa.com> wrote in message
> news:1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC...
> > You'd have to check out the user manual for your specific "flavor" of
> > database and figure out how to set permissions for a given user. Once you
> > find that, you probably want to grant something like UPDATE and SELECT
> > privileges as a minimum, but that's your decision (and somewhat database
> > dependent).
> >
> > If you're using MySQL, check out the MySQL Database Administration section.
> > It's not too difficult once you figure it out. Just remember to FLUSH
> > PRIVILEGES when you're done (for MySQL).
> >
> > Hope this helps.
> >
> > > -----Original Message-----
> > > From: shaun [mailto:shaun@mania.plus.com]
> > > Sent: Tuesday, April 15, 2003 10:23 AM
> > > To: php-db@lists.php.net
> > > Subject:  Entering a query
> > >
> > >
> > > Hi,
> > >
> > > I have a form on my page that lets a user enter a query to
> > > the database, how
> > > can I ensure that the user only enters 'SELECT' statements
> > > and therefore
> > > doesn't drop the whole database or do anything else malicious?
> > >
> > > Thanks for your help
> > >
> > >
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> 

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
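
The SELECT-only account described in the reply above, sketched for a current MySQL server as an added example that is not part of the original message. The database `appdb`, the tables `orders` and `customers`, their columns, the account name `report_ro` and the password are all assumed placeholders.

```sql
-- Run as an administrative account.
-- One shared, read-only account that the web form connects with;
-- site visitors never receive database credentials of their own.
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Table-level privilege: read access to one table only.
GRANT SELECT ON appdb.orders TO 'report_ro'@'localhost';

-- Column-level privilege: only the listed columns of customers are readable.
GRANT SELECT (id, name, city) ON appdb.customers TO 'report_ro'@'localhost';

-- Review exactly what the account is allowed to do.
SHOW GRANTS FOR 'report_ro'@'localhost';

-- ------------------------------------------------------------------
-- Connected as report_ro (the account the query form uses):
-- ------------------------------------------------------------------

-- Permitted: SELECT on a granted table.
SELECT * FROM appdb.orders LIMIT 10;

-- Permitted: SELECT restricted to granted columns.
SELECT id, name, city FROM appdb.customers LIMIT 10;

-- Refused by the server: the email column was not granted.
SELECT email FROM appdb.customers;

-- Refused by the server: the account holds no INSERT, UPDATE, DELETE
-- or DROP privilege, whatever text the form submits.
INSERT INTO appdb.orders (id) VALUES (1);
UPDATE appdb.customers SET name = 'x' WHERE id = 1;
DELETE FROM appdb.orders;
DROP TABLE appdb.orders;

-- ------------------------------------------------------------------
-- Back on the administrative account: withdraw access when the form
-- is retired.
-- ------------------------------------------------------------------
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'report_ro'@'localhost';
DROP USER 'report_ro'@'localhost';
```

The enforcement happens in the server's privilege check on every statement, so it does not depend on how the submitted string begins.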