Yes, I'd go with what Richard said. All you need to do is set up 1 user for the db with SELECT privileges and use that for the connection on the page where the user will enter their own query. You don't need to give everyone who uses the website a database password, as it's not them that's connecting to the db but the PHP script, so just the one account is needed. You can do some checking of the string entered as well to be extra sure, or replace it with SELECT even (check out the string functions in the PHP manual), but this on its own is not enough and could easily be worked around by someone with a little knowledge.

Hope this helps.

-----Original Message-----
From: Hutchins, Richard [mailto:Richard.Hutchins@Getingeusa.com]
Sent: 15 April 2003 15:55
To: php-db@lists.php.net
Subject: RE: Entering a query

Are you looking to provide a page where the user would actually write the query? Like providing a text box where the user would literally type in SELECT something FROM sometable?

Hopefully somebody with more broad experience in databases will step in and either confirm or refute this, but I'm pretty sure that almost every database will make you connect to a specific database with a valid username and password. MySQL's mysql_connect, odbc_connect, pg_connect, etc. handle that for different databases. When you connect to the database, that username/password combination - the account - has to have permission to do things with the database or specific tables or even specific columns within the database. With MySQL, I know you can set up an account that only has SELECT privileges. Anytime a user wants to see what's in your database, you connect to the database using the account on which you have set up the SELECT privilege.

I don't know if I've explained this adequately or if I misunderstood your original question. Hopefully, other members of the list will offer some insight as well.

> -----Original Message-----
> From: shaun [mailto:shaun@mania.plus.com]
> Sent: Tuesday, April 15, 2003 10:43 AM
> To: php-db@lists.php.net
> Subject: Re: Entering a query
>
> there will be a lot of people using the site so I don't want to give
> permissions out, I was thinking more along the lines of checking the string
> to make sure it begins with 'SELECT', is this possible?
>
> "Richard Hutchins" <Richard.Hutchins@Getingeusa.com> wrote in message
> news:1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC...
> > You'd have to check out the user manual for your specific "flavor" of
> > database and figure out how to set permissions for a given user. Once you
> > find that, you probably want to grant something like UPDATE and SELECT
> > privileges as a minimum, but that's your decision (and somewhat database
> > dependent).
> >
> > If you're using MySQL, check out the MySQL Database Administration section.
> > It's not too difficult once you figure it out. Just remember to FLUSH
> > PRIVILEGES when you're done (for MySQL).
> >
> > Hope this helps.
> >
> > > -----Original Message-----
> > > From: shaun [mailto:shaun@mania.plus.com]
> > > Sent: Tuesday, April 15, 2003 10:23 AM
> > > To: php-db@lists.php.net
> > > Subject: Entering a query
> > >
> > > Hi,
> > >
> > > I have a form on my page that lets a user enter a query to the database, how
> > > can I ensure that the user only enters 'SELECT' statements and therefore
> > > doesn't drop the whole database or do anything else malicious?
> > >
> > > Thanks for your help
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
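The approach the thread settles on, as an added example that is not code from any of the posters: one SELECT-only MySQL account that the PHP script connects with, and a string check on the submitted query only as a second layer. The host, database, account name and password are assumptions, and it uses mysqli instead of the mysql_connect mentioned in the thread.

```php
<?php
// Added example. The real control is the database account, created once by
// an administrator with SELECT only (names are assumptions for this example):
//   CREATE USER 'reporter'@'localhost' IDENTIFIED BY 'choose-a-strong-password';
//   GRANT SELECT ON reports.* TO 'reporter'@'localhost';
//   FLUSH PRIVILEGES;

declare(strict_types=1);

const DB_HOST = 'localhost';
const DB_NAME = 'reports';
const DB_USER = 'reporter';                  // the SELECT-only account above
const DB_PASS = 'choose-a-strong-password';  // assumption; read from config in practice

/**
 * Defence in depth only: accept a single SELECT statement and refuse comment
 * markers and statement separators outright instead of trying to parse them.
 * The thread is right that this check alone can be worked around; the
 * SELECT-only grant is what actually stops writes.
 */
function looks_like_single_select(string $sql): bool
{
    $trimmed = trim($sql);
    if (!preg_match('/^SELECT\b/i', $trimmed)) {
        return false;
    }
    // Reject ';', '--', '#' and '/*' anywhere in the text.
    if (preg_match('/;|--|#|\/\*/', $trimmed)) {
        return false;
    }
    return true;
}

function run_user_query(string $sql): array
{
    if (!looks_like_single_select($sql)) {
        throw new InvalidArgumentException('Only a single SELECT statement is accepted.');
    }
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    // mysqli::query() executes exactly one statement; stacked statements fail here.
    $result = $db->query($sql);
    if ($result === false) {
        // Any write attempt is refused by MySQL itself for this account.
        throw new RuntimeException('Query refused: ' . $db->error);
    }
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $db->close();
    return $rows;
}

// Usage from the form handler: $rows = run_user_query($_POST['query'] ?? '');
```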