I think Richard offered the best solution, but another option is to simply have users input everything *after* SELECT, as in:

FROM [database] WHERE [parameter]

You can set up the form such that the label on the left reads "SELECT," thus notifying users right away that select statements are all they can perform. If they try to enter something like DROP [database]... the submitted statement would be SELECT DROP... and would return an error.

The solution is not nearly as eloquent as Richard's, but it works.

Edward Dudlik
Becoming Digital
www.becomingdigital.com

----- Original Message -----
From: "Hutchins, Richard" <Richard.Hutchins@Getingeusa.com>
To: <php-db@lists.php.net>
Sent: Tuesday, 15 April 2003 10:29
Subject: RE: Entering a query

You'd have to check out the user manual for your specific "flavor" of database and figure out how to set permissions for a given user. Once you find that, you probably want to grant something like UPDATE and SELECT privileges as a minimum, but that's your decision (and somewhat database dependent). If you're using MySQL, check out the MySQL Database Administration section. It's not too difficult once you figure it out. Just remember to FLUSH PRIVILEGES when you're done (for MySQL).

Hope this helps.

> -----Original Message-----
> From: shaun [mailto:shaun@mania.plus.com]
> Sent: Tuesday, April 15, 2003 10:23 AM
> To: php-db@lists.php.net
> Subject: Entering a query
>
> Hi,
>
> I have a form on my page that lets a user enter a query to the database, how can I ensure that the user only enters 'SELECT' statements and therefore doesn't drop the whole database or do anything else malicious?
>
> Thanks for your help
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
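The two controls discussed in this thread, Edward's form-level SELECT prefix and Richard's database-level privilege grant, run side by side in the following added example. It is not code from the thread or from the php-db list. Python's sqlite3 module stands in for MySQL, and a connection opened with the mode=ro URI stands in for a MySQL account that was granted only SELECT (GRANT SELECT ... followed by FLUSH PRIVILEGES); the products table, its rows and the sample user inputs are all constructed here.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data standing in for the poster's database.
SAMPLE_ROWS = [("widget", 2.5), ("gadget", 9.0)]


def build_sample_db(path: Path) -> None:
    """Create a small products table (constructed data, not from the thread)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products (name, price) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def prefixed_query(user_input: str) -> str:
    """Edward's form-level gate: the label reads SELECT, the user types the rest."""
    return "SELECT " + user_input.strip()


def open_readonly(path: Path) -> sqlite3.Connection:
    """Richard's database-level gate.

    SQLite's mode=ro URI is the stand-in here (an assumption of this example)
    for a MySQL account granted only SELECT; the engine, not the form, is what
    refuses to write.
    """
    return sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)


def run_user_query(con: sqlite3.Connection, sql: str):
    """Execute one statement and report ('ok', rows) or ('error', message).

    sqlite3's execute() accepts a single statement only, as mysqli_query() does,
    so stacked statements are refused by the driver before reaching the engine.
    """
    try:
        return "ok", con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", f"{type(exc).__name__}: {exc}"


def demo() -> dict:
    """Run the same inputs through both gates and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "demo.db"
        build_sample_db(path)
        results = {}

        ro = open_readonly(path)
        # A legitimate read passes both gates.
        results["select_ro"] = run_user_query(
            ro, prefixed_query("name, price FROM products WHERE price < 5"))
        # Edward's gate turns DROP into 'SELECT DROP ...', which is a syntax error.
        results["drop_prefixed_ro"] = run_user_query(ro, prefixed_query("DROP TABLE products"))
        # If a DROP reaches the engine by any other route, the read-only account still refuses it.
        results["drop_direct_ro"] = run_user_query(ro, "DROP TABLE products")
        ro.close()

        # Contrast: the same DROP on a full-rights connection succeeds, which is
        # why the privilege grant, not the form, is the control that matters.
        rw = sqlite3.connect(path)
        results["drop_direct_rw"] = run_user_query(rw, "DROP TABLE products")
        rw.close()
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

Run it with `python3 demo.py`; the read-only connection reports an "attempt to write a readonly database" error for the DROP even when it bypasses the form, while the full-rights connection executes it. The form prefix is a usability hint for the user; the account privilege is the security boundary.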