Shaun,
I'm assuming that you text form field is named query and the form
method is GET.
Basically you would put an if statement before you execute the query..
if (strtoupper(substr($_GET["query"],0,5)) <> "SELECT") {
echo "Display error message...<br>\n";
echo "You may only execute Select statements<br>\n";
} else {
mysql_query($_GET["query"]);
}
George Patterson
On Tue, 15 Apr 2003 15:43:28 +0100
"shaun" <shaun@mania.plus.com> wrote:
> there will be a lot of people using the site so I dont want to give
> permissions out, i was thinking more along the lines of checking the
> string to make sure it begins with 'SELECT', is this possible?
>
> "Richard Hutchins" <Richard.Hutchins@Getingeusa.com> wrote in message
> 1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC">news:1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC...
> > You'd have to check out the user manual for your specific "flavor"
> > of database and figure out how to set permissions for a given user.
> > Once you find that, you probably want to grant something like UPDATE
> > and SELECT privileges as a minimum, but that's your decision (and
> > somewhat database dependent).
> >
> > If you're using MySQL, check out the MySQL Database Administration
> section.
> > It's not too difficult once you figure it out. Just remember to
> > FLUSH PRIVILEGES when you're done (for MySQL).
> >
> > Hope this helps.
> >
> > > -----Original Message-----
> > > From: shaun [mailto:shaun@mania.plus.com]
> > > Sent: Tuesday, April 15, 2003 10:23 AM
> > > To: php-db@lists.php.net
> > > Subject: Entering a query
> > >
> > >
> > > Hi,
> > >
> > > I have a form on my page that lets a user enter a query to
> > > the database, how
> > > can I ensure that the user only enters 'SELECT' statements
> > > and therefore
> > > doesn't drop the whole database or do anything else malicious?
> > >
> > > Thanks for your help
> > >
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
