Thank you for your reply, this is the solution I ended up with:

    if (isset($_POST['run_query']) == true) {
        // Normalise the submitted query once so every check below sees the same string
        $query = strtoupper(trim($_POST['sql_query']));

        // Reject anything that does not start with SELECT, or that contains a
        // data-modifying keyword anywhere in the text
        if (substr($query, 0, 6) != "SELECT"
            || strstr($query, 'DROP')
            || strstr($query, 'DELETE')
            || strstr($query, 'INSERT')
            || strstr($query, 'ALTER')
            || strstr($query, 'REPLACE')
            || strstr($query, 'UPDATE')) {
            echo '<br><br><div align="center">Invalid query</div>';
            exit;
        } else if (!($result = mysql_query(stripslashes($_POST['sql_query'])))) {
            // The query passed the keyword check but MySQL rejected it; show its error
            echo '<br><br><div align="center">' . mysql_error() . '</div>';
            exit;
        } else {
            // do the query
        }
    }

"Billy Chan" <bilchan@dsim.net> wrote in message
news:MPG.1908eecd43fac44f989683@news.php.net...
> [Tue, 15 Apr 2003 15:23:20 +0100] Shaun <shaun@mania.plus.com>
> wrote:
>
> > I have a form on my page that lets a user enter a query to
> > the database, how
> > can I ensure that the user only enters 'SELECT' statements and
> > therefore
> > doesn't drop the whole database or do anything else malicious?
>
> How about trying to catch the offending word.
>
> if (preg_match("/\b(delete|drop|alter|insert|replace)\b/i", $querystring)) {
>     // redirect to error message
> }
> else {
>     // execute query & display results
> }
>
> I think a better solution is to create a new user and grant that
> user only the right to select against that particular database.

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
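The second approach in the thread, letting the database rather than a keyword filter decide what the user's SQL may do, as an added example that is not code from either poster. For MySQL that is a separate account given only `GRANT SELECT ON thedb.* TO 'reportuser'@'localhost'`; to run offline the same restriction is shown on a SQLite connection with an authorizer callback, and the table, rows and queries are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the application's own tables.
SAMPLE_ROWS = [("alice", 30), ("bob", 25)]

# Authorizer callback: the SQLite analogue of a MySQL account that only has
# GRANT SELECT. SQLite asks it about every operation a statement needs; we
# approve just what a read-only SELECT uses and deny everything else, so
# the spelling, casing or hiding of DROP/DELETE/... in the text is irrelevant.
def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    allowed = (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION)
    if action in allowed:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_demo_db():
    """Build an in-memory database, then lock the connection down to reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    # From here on the connection behaves like a SELECT-only account.
    conn.set_authorizer(read_only_authorizer)
    return conn


def run_user_query(conn, sql):
    """Execute user-supplied SQL unchanged.

    Returns ("ok", rows) for a permitted query, or ("denied", message) when
    the engine refuses it; the connection stays usable afterwards.
    """
    try:
        rows = conn.execute(sql).fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    db = open_demo_db()
    for user_sql in ("SELECT name FROM people ORDER BY age",
                     "DELETE FROM people",
                     "drop table people"):
        print(user_sql, "->", run_user_query(db, user_sql))
```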