Shaun, the code I gave below will only allow a SELECT statement to occur. It could be easier to explicitly allow only what you require.

George

On Wed, 16 Apr 2003 10:25:46 +0100
"shaun" <shaun@mania.plus.com> wrote:

> What other words should I be checking for apart from the obvious:
> INSERT, UPDATE, DELETE, DROP.
>
> "George Patterson" <george@visp.com.au> wrote in message
> news:20030416120108.7a851cce.george@visp.com.au...
> > Shaun,
> >
> > I'm assuming that your text form field is named query and the form
> > method is GET.
> >
> > Basically you would put an if statement before you execute the
> > query:
> >
> > if (strtoupper(substr($_GET["query"],0,5)) <> "SELECT") {
> >     echo "Display error message...<br>\n";
> >     echo "You may only execute Select statements<br>\n";
> > } else {
> >     mysql_query($_GET["query"]);
> > }
> >
> > George Patterson
> >
> > On Tue, 15 Apr 2003 15:43:28 +0100
> > "shaun" <shaun@mania.plus.com> wrote:
> >
> > > There will be a lot of people using the site so I don't want to
> > > give permissions out. I was thinking more along the lines of
> > > checking the string to make sure it begins with 'SELECT'; is this
> > > possible?
> > >
> > > "Richard Hutchins" <Richard.Hutchins@Getingeusa.com> wrote in
> > > message news:1EA7D3AE70ACD511BE6D006097A78C1E033C8C57@USROCEXC...
> > > > You'd have to check out the user manual for your specific
> > > > "flavor" of database and figure out how to set permissions for a
> > > > given user. Once you find that, you probably want to grant
> > > > something like UPDATE and SELECT privileges as a minimum, but
> > > > that's your decision (and somewhat database dependent).
> > > >
> > > > If you're using MySQL, check out the MySQL Database Administration
> > > > section. It's not too difficult once you figure it out. Just remember
> > > > to FLUSH PRIVILEGES when you're done (for MySQL).
> > > >
> > > > Hope this helps.
> > > >
> > > > > -----Original Message-----
> > > > > From: shaun [mailto:shaun@mania.plus.com]
> > > > > Sent: Tuesday, April 15, 2003 10:23 AM
> > > > > To: php-db@lists.php.net
> > > > > Subject: Entering a query
> > > > >
> > > > > Hi,
> > > > >
> > > > > I have a form on my page that lets a user enter a query to
> > > > > the database. How can I ensure that the user only enters 'SELECT'
> > > > > statements and therefore doesn't drop the whole database or do
> > > > > anything else malicious?
> > > > >
> > > > > Thanks for your help

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
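The two layers this thread discusses, the SELECT-prefix gate from George's snippet and the read-only database account Richard recommends, combined in one place. This is an added example, not code from the thread: it is written in Python rather than PHP, uses SQLite's read-only URI mode as a stand-in for a MySQL account granted only SELECT, and the accounts table is constructed for the demo.

```python
import os
import re
import sqlite3
import tempfile

# Layer 1: the string gate from the thread, tightened so leading whitespace is
# skipped and the first word must be exactly SELECT.
SELECT_PREFIX = re.compile(r"^\s*select\b", re.IGNORECASE)

def is_select_statement(sql: str) -> bool:
    return SELECT_PREFIX.match(sql) is not None

# Layer 2: the principal running user queries can only read. On MySQL that is a
# dedicated account given nothing but GRANT SELECT (then FLUSH PRIVILEGES);
# SQLite's read-only URI mode stands in for it so this example runs offline.
def open_read_only(path: str) -> sqlite3.Connection:
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def run_user_query(conn: sqlite3.Connection, sql: str):
    """Return ("ok", rows) or ("rejected", reason)."""
    if not is_select_statement(sql):
        return ("rejected", "only SELECT statements are allowed")
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        # Only reached if text slipped past layer 1; the DB refuses writes anyway.
        return ("rejected", f"database refused the statement: {exc}")

def demo() -> dict:
    # Constructed sample database, seeded through a separate writable connection.
    path = os.path.join(tempfile.mkdtemp(), "site.db")
    admin = sqlite3.connect(path)
    admin.execute("CREATE TABLE accounts (name TEXT)")
    admin.executemany("INSERT INTO accounts VALUES (?)", [("alice",), ("bob",)])
    admin.commit()
    admin.close()
    ro = open_read_only(path)
    results = {
        "select": run_user_query(ro, "  select name from accounts order by name"),
        "delete": run_user_query(ro, "DELETE FROM accounts"),
    }
    # Skip the string gate on purpose to show layer 2 holding on its own.
    try:
        ro.execute("DELETE FROM accounts")
        results["direct_write"] = "allowed"
    except sqlite3.OperationalError:
        results["direct_write"] = "refused by read-only connection"
    ro.close()
    return results
```

The string check is cheap and gives a friendly error message; the read-only account is what actually guarantees the database cannot be modified.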