what other words should i be checking for apart from the obvious - INSERT, UPDATE, DELETE, DROP. "George Patterson" <george@visp.com.au> wrote in message 20030416120108.7a851cce.george@visp.com.au">news:20030416120108.7a851cce.george@visp.com.au... > Shaun, > > I'm assuming that you text form field is named query and the form > method is GET. > > Basically you would put an if statement before you execute the query.. > > if (strtoupper(substr($_GET["query"],0,5)) <> "SELECT") { > echo "Display error message...<br>\n"; > echo "You may only execute Select statements<br>\n"; > } else { > mysql_query($_GET["query"]); > } > > > > George Patterson > > > On Tue, 15 Apr 2003 15:43:28 +0100 > "shaun" <shaun@mania.plus.com> wrote: > > > there will be a lot of people using the site so I dont want to give > > permissions out, i was thinking more along the lines of checking the > > string to make sure it begins with 'SELECT', is this possible? > > > > "Richard Hutchins" <Richard.Hutchins@Getingeusa.com> wrote in message > > 1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC">news:1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC... > > > You'd have to check out the user manual for your specific "flavor" > > > of database and figure out how to set permissions for a given user. > > > Once you find that, you probably want to grant something like UPDATE > > > and SELECT privileges as a minimum, but that's your decision (and > > > somewhat database dependent). > > > > > > If you're using MySQL, check out the MySQL Database Administration > > section. > > > It's not too difficult once you figure it out. Just remember to > > > FLUSH PRIVILEGES when you're done (for MySQL). > > > > > > Hope this helps. > > > > > > > -----Original Message----- > > > > From: shaun [mailto:shaun@mania.plus.com] > > > > Sent: Tuesday, April 15, 2003 10:23 AM > > > > To: php-db@lists.php.net > > > > Subject: Entering a query > > > > > > > > > > > > Hi, > > > > > > > > I have a form on my page that lets a user enter a query to > > > > the database, how > > > > can I ensure that the user only enters 'SELECT' statements > > > > and therefore > > > > doesn't drop the whole database or do anything else malicious? > > > > > > > > Thanks for your help > > > > -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
