Re: Complicated Question (maybe)?

Turning off 'Update' privileges in the DB will work but it's ugly.

REVOKE UPDATE (<column>) ON <your table> FROM <the web user>;
   -- leave out (<column>) to revoke UPDATE on all columns

   http://dev.mysql.com/doc/mysql/en/GRANT.html for documentation

Now when someone tries to update this they will get an error, and unless you have different logins for every user, UPDATE will not work for anyone over the web.

I  have two other ideas, although each is more work:

-Make a second table like the first address table but add a timestamp column, do not use auto increment (you will set the ID to the ID in the original table). In your PHP when you do an update you will first INSERT the original record and the current time into the new table then allow the UPDATE to the original table. This will not break your app but will preserve the data.

-Add a column 'valid' to the original table and when someone tries to update the table find the original record and set valid to 0; then insert a new record. This may not work if you are joining off of the ID (all related records will still point to the old record).

You could also remove or disable all the UPDATE code from your PHP pages, no?

Good luck,
Frank

On Jan 11, 2005, at 9:39 AM, php-db-digest-help@xxxxxxxxxxxxx wrote:

From: Chris
As long as I'm understanding you correctly, this is able to be done with the mysql privileges.


Just create a user that isn't allowed to update that column, then use that user in your PHP code.

The wording of your message makes it look like you're using a webform to specify a columnname-value combination to update in the database. This is inherently insecure.

Chris

JeRRy wrote:

Hi,
I want to BLOCK any possible updates from a webform or
php page to the address field.  Or even halt any sort
of update/modification from mysql to that column but
have it possible to unblock by admin.

Is this possible?  Sure I could refuse a mysql update
to do this but I want to lock out everyone to ensure
no sneaky activity or changes are made.

Is it possible or am I talking too much?

J
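
The separate-account approach from this thread, written out as an added example that is not part of the original messages. The database, table, column and account names and the passwords are constructed placeholders, and the statements assume a current MySQL server. MySQL can only revoke a column privilege that was granted at column level, so the web account is given UPDATE per column rather than table-wide.

```sql
-- Constructed schema for illustration (names are assumptions).
CREATE DATABASE appdb;
USE appdb;
CREATE TABLE contacts (
    id      INT UNSIGNED NOT NULL PRIMARY KEY,
    name    VARCHAR(100) NOT NULL,
    phone   VARCHAR(30),
    address VARCHAR(255) NOT NULL
);

-- Account the PHP pages connect with: it may read and insert rows,
-- but UPDATE is granted column by column and address is left out.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY '<placeholder password>';
GRANT SELECT, INSERT ON appdb.contacts TO 'webapp'@'localhost';
GRANT UPDATE (name, phone) ON appdb.contacts TO 'webapp'@'localhost';

-- Separate admin account that keeps table-wide UPDATE, address included.
CREATE USER 'addr_admin'@'localhost' IDENTIFIED BY '<placeholder password>';
GRANT SELECT, UPDATE ON appdb.contacts TO 'addr_admin'@'localhost';

-- Verify what the web account really holds. A table-wide or global
-- UPDATE grant listed here would override the column restriction.
SHOW GRANTS FOR 'webapp'@'localhost';

-- Connected as webapp:
--   UPDATE contacts SET phone = '555-0100' WHERE id = 1;     -- allowed
--   UPDATE contacts SET address = 'elsewhere' WHERE id = 1;  -- denied for column 'address'

-- "Unblock by admin": open the column temporarily, then close it again.
-- The REVOKE works because the privilege was granted at column level.
GRANT UPDATE (address) ON appdb.contacts TO 'webapp'@'localhost';
REVOKE UPDATE (address) ON appdb.contacts FROM 'webapp'@'localhost';
```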
