[Tue, 15 Apr 2003 15:23:20 +0100] Shaun <shaun@mania.plus.com> wrote:

> I have a form on my page that lets a user enter a query to the database, how
> can I ensure that the user only enters 'SELECT' statements and therefore
> doesn't drop the whole database or do anything else malicious?

How about trying to catch the offending word.

if (preg_match("/\b(delete|drop|alter|insert|replace)\b/i", $querystring)) {
    // redirect to error message
} else {
    // execute query & display results
}

I think a better solution is to create a new user and grant that user only the right to select against that particular database.

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
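
The read-only account suggested in the reply above, as an added example that is not part of the original message. It assumes MySQL 5.7 or later and uses hypothetical names (appdb, report_ro, orders) and a placeholder password; the enforcement happens in the server's privilege check, so it also covers statements a keyword list does not name.

```sql
-- Added example; assumes MySQL 5.7+ and hypothetical names (appdb, report_ro, orders).
-- Run once from an administrative account.

-- Dedicated account used only by the query form. The password is a placeholder.
-- The resource limits cap how much load arbitrary SELECTs from the form can generate.
CREATE USER 'report_ro'@'localhost'
  IDENTIFIED BY 'CHANGE-ME-placeholder'
  WITH MAX_QUERIES_PER_HOUR 500
       MAX_USER_CONNECTIONS 5;

-- SELECT only, and only on the one database the form is meant to read.
-- No global (*.*) privileges are granted, so other databases stay invisible.
GRANT SELECT ON appdb.* TO 'report_ro'@'localhost';

-- Verify the result: the account should hold USAGE on *.* and
-- SELECT on appdb.*, and nothing else.
SHOW GRANTS FOR 'report_ro'@'localhost';

-- When the PHP page connects as report_ro, statements like the following
-- are refused by the server's privilege check, whether or not the
-- application-side filter recognised them:
--   DROP TABLE orders;
--   UPDATE orders SET total = 0;
```

The form's PHP code then connects with this account instead of the application's normal one, and should treat a failed query as an error to display rather than retrying with a more privileged connection.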