Re: Entering a query

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



what other words should i be checking for apart from the obvious - INSERT,
UPDATE, DELETE, DROP.


"George Patterson" <george@visp.com.au> wrote in message
20030416120108.7a851cce.george@visp.com.au">news:20030416120108.7a851cce.george@visp.com.au...
> Shaun,
>
> I'm assuming that you text form field is named query and the form
> method is GET.
>
> Basically you would put an if statement before you execute the query..
>
> if (strtoupper(substr($_GET["query"],0,5)) <> "SELECT") {
> echo "Display error message...<br>\n";
> echo "You may only execute Select statements<br>\n";
> } else {
> mysql_query($_GET["query"]);
> }
>
>
>
> George Patterson
>
>
> On Tue, 15 Apr 2003 15:43:28 +0100
> "shaun" <shaun@mania.plus.com> wrote:
>
> > there will be a lot of people using the site so I dont want to give
> > permissions out, i was thinking more along the lines of checking the
> > string to make sure it begins with 'SELECT', is this possible?
> >
> > "Richard Hutchins" <Richard.Hutchins@Getingeusa.com> wrote in message
> > 1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC">news:1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC...
> > > You'd have to check out the user manual for your specific "flavor"
> > > of database and figure out how to set permissions for a given user.
> > > Once you find that, you probably want to grant something like UPDATE
> > > and SELECT privileges as a minimum, but that's your decision (and
> > > somewhat database dependent).
> > >
> > > If you're using MySQL, check out the MySQL Database Administration
> > section.
> > > It's not too difficult once you figure it out. Just remember to
> > > FLUSH PRIVILEGES when you're done (for MySQL).
> > >
> > > Hope this helps.
> > >
> > > > -----Original Message-----
> > > > From: shaun [mailto:shaun@mania.plus.com]
> > > > Sent: Tuesday, April 15, 2003 10:23 AM
> > > > To: php-db@lists.php.net
> > > > Subject:  Entering a query
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I have a form on my page that lets a user enter a query to
> > > > the database, how
> > > > can I ensure that the user only enters 'SELECT' statements
> > > > and therefore
> > > > doesn't drop the whole database or do anything else malicious?
> > > >
> > > > Thanks for your help
> > > >



-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux