Sorry, one correction: The "mysql_connect, odbc_connect, pg_connect, etc." functions are PHP functions, not MySQL functions. Ugh.

> -----Original Message-----
> From: Hutchins, Richard [mailto:Richard.Hutchins@Getingeusa.com]
> Sent: Tuesday, April 15, 2003 10:55 AM
> To: php-db@lists.php.net
> Subject: RE: Entering a query
>
> Are you looking to provide a page where the user would actually write the
> query? Like providing a text box where the user would literally type in
> SELECT something FROM sometable?
>
> Hopefully somebody with more broad experience in databases will step in and
> either confirm or refute this, but I'm pretty sure that almost every
> database will make you connect to a specific database with a valid username
> and password. MySQL's mysql_connect, odbc_connect, pg_connect, etc. handle
> that for different databases. When you connect to the database, that
> username/password combination - the account - has to have permission to do
> things with the database or specific tables or even specific columns within
> the database. With MySQL, I know you can set up an account that only has
> SELECT privileges. Anytime a user wants to see what's in your database, you
> connect to the database using the account on which you have set up the
> SELECT privilege.
>
> I don't know if I've explained this adequately or if I misunderstood your
> original question. Hopefully, other members of the list will offer some
> insight as well.
>
> > -----Original Message-----
> > From: shaun [mailto:shaun@mania.plus.com]
> > Sent: Tuesday, April 15, 2003 10:43 AM
> > To: php-db@lists.php.net
> > Subject: Re: Entering a query
> >
> > There will be a lot of people using the site so I don't want to give
> > permissions out, I was thinking more along the lines of checking the string
> > to make sure it begins with 'SELECT', is this possible?
> >
> > "Richard Hutchins" <Richard.Hutchins@Getingeusa.com> wrote in message
> > news:1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC...
> > > You'd have to check out the user manual for your specific "flavor" of
> > > database and figure out how to set permissions for a given user. Once you
> > > find that, you probably want to grant something like UPDATE and SELECT
> > > privileges as a minimum, but that's your decision (and somewhat database
> > > dependent).
> > >
> > > If you're using MySQL, check out the MySQL Database Administration section.
> > > It's not too difficult once you figure it out. Just remember to FLUSH
> > > PRIVILEGES when you're done (for MySQL).
> > >
> > > Hope this helps.
> > >
> > > > -----Original Message-----
> > > > From: shaun [mailto:shaun@mania.plus.com]
> > > > Sent: Tuesday, April 15, 2003 10:23 AM
> > > > To: php-db@lists.php.net
> > > > Subject: Entering a query
> > > >
> > > > Hi,
> > > >
> > > > I have a form on my page that lets a user enter a query to the database, how
> > > > can I ensure that the user only enters 'SELECT' statements and therefore
> > > > doesn't drop the whole database or do anything else malicious?
> > > >
> > > > Thanks for your help
> > > >
> > > > --
> > > > PHP Database Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
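
An added example, not part of the original thread: the approach described in the quoted reply (connect with an account that only has the SELECT privilege), shown in PHP with mysqli so that the server, rather than a check on the submitted string, decides what may run. The database `reports`, the account `web_ro`, the environment variable `WEB_RO_PASSWORD` and the form field `q` are assumed names.

```php
<?php
// Added example; every name here (reports, web_ro, WEB_RO_PASSWORD, q) is hypothetical.
//
// Assumed one-time setup by the database administrator (read access only):
//   CREATE USER 'web_ro'@'localhost' IDENTIFIED BY '<placeholder-password>';
//   GRANT SELECT ON reports.* TO 'web_ro'@'localhost';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any error

const ER_DBACCESS_DENIED    = 1044; // MySQL: access denied to database
const ER_TABLEACCESS_DENIED = 1142; // MySQL: "<command> command denied to user"

function run_readonly_query(mysqli $db, string $sql, int $maxRows = 500): array
{
    try {
        // query() sends one statement; the account's grants decide whether it runs.
        $result = $db->query($sql);
    } catch (mysqli_sql_exception $e) {
        $denied = in_array($e->getCode(), [ER_DBACCESS_DENIED, ER_TABLEACCESS_DENIED], true);
        // Keep server detail in the log; return only a generic message to the user.
        error_log(sprintf('user query rejected (%d): %s', $e->getCode(), $e->getMessage()));
        $msg = $denied ? 'Only SELECT statements are permitted.' : 'Query failed.';
        return ['ok' => false, 'error' => $msg, 'rows' => []];
    }

    if (!($result instanceof mysqli_result)) {
        return ['ok' => true, 'error' => null, 'rows' => []]; // no result set
    }

    $rows = [];
    // Cap the number of rows returned so one query cannot exhaust memory.
    while (count($rows) < $maxRows && ($row = $result->fetch_assoc())) {
        $rows[] = $row;
    }
    $result->free();
    return ['ok' => true, 'error' => null, 'rows' => $rows];
}

// Connect as the SELECT-only account, never as the application's write account.
$db = new mysqli('localhost', 'web_ro', getenv('WEB_RO_PASSWORD') ?: '', 'reports');
$db->set_charset('utf8mb4');

$sql = isset($_POST['q']) && is_string($_POST['q']) ? $_POST['q'] : 'SELECT 1';
header('Content-Type: application/json');
echo json_encode(run_readonly_query($db, $sql));
```

The account can still read everything inside its grant, so scope `GRANT SELECT` to only the tables or columns the form is meant to expose.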