filtering manual sql query

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

yaron
Forum Contributor
Posts: 157
Joined: Fri Aug 22, 2003 8:40 am

filtering manual sql query

Post by yaron »

Hello all,
I have a script that allows the user to execute sql queries as he pleases.
I want to allow only 'SELECT' queries and not DELETE,ALTER,DROP,UPDATE and any changes on the db.
Does anybody have an idea besides using strstr or preg_match and looking for suspicious words?

volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

use an account on the sql-server that only allows SELECT queries
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

As volka says, using a different login than the 'regular' one you are using is the best/safest idea. Look up GRANT in the mysql docs.

As a sidenote, if your host does not support adding users (mine doesn't) you perhaps could manage with strstr()

Code:

$bad = array('delete', 'update');
$sql = "select field from table";
foreach ($bad as $val) {
    // stripos() is case-insensitive, so 'DELETE' is caught as well as 'delete'
    if (stripos($sql, $val) !== false) { echo 'Found ' . $val; }
}
Not tested if I wrote it correctly, or even if this is something worth using, but it's an idea.
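The two suggestions in this thread, a read-only MySQL account (volka, JAM) and a keyword check in PHP (JAM), combined in one script. This is an added example, not code from either poster; the database name 'app', the user 'report_ro', its password and the host are assumed placeholders, and the GRANT statements in the comment are what an administrator would run once, outside the web script. The keyword check here is case-insensitive (strstr() is not) and matches whole words, but the point of the example is that the account, not the PHP check, is what actually stops a DELETE or DROP.

```php
<?php
// Added example, not from the thread. Assumed names: database 'app',
// read-only MySQL user 'report_ro'@'localhost' with password 'change-me'.
//
// Run once as a privileged MySQL user (not from this script):
//   CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'change-me';
//   GRANT SELECT ON app.* TO 'report_ro'@'localhost';
//   FLUSH PRIVILEGES;

/**
 * Coarse first-line check: accept only a single statement that starts
 * with SELECT and contains no write/DDL keyword as a whole word.
 * Not a substitute for the read-only account; the account enforces the rule.
 */
function looksLikeReadOnlyQuery(string $sql): bool
{
    $sql = trim($sql);
    // Reject stacked statements ("...; DROP ...") outright; a trailing ';' is allowed.
    if (strpos(rtrim($sql, "; \t\r\n"), ';') !== false) {
        return false;
    }
    // Must begin with SELECT, case-insensitive.
    if (!preg_match('/^select\b/i', $sql)) {
        return false;
    }
    // Whole-word match, so a column named 'updated_at' does not trip on 'update'.
    $writeWords = ['insert', 'update', 'delete', 'replace', 'alter', 'drop',
                   'truncate', 'create', 'grant', 'revoke', 'load', 'into'];
    $pattern = '/\b(' . implode('|', $writeWords) . ')\b/i';
    return preg_match($pattern, $sql) !== 1;
}

/**
 * Execute the query through the read-only account. Even if the PHP check
 * is fooled, MySQL refuses anything this user was not GRANTed.
 */
function runReadOnlyQuery(string $sql): array
{
    if (!looksLikeReadOnlyQuery($sql)) {
        throw new InvalidArgumentException('Only a single SELECT statement is allowed.');
    }
    $db = new mysqli('localhost', 'report_ro', 'change-me', 'app');  // assumed credentials
    if ($db->connect_error) {
        throw new RuntimeException('DB connection failed: ' . $db->connect_error);
    }
    $result = $db->query($sql);   // a statement denied by GRANT returns false
    if ($result === false) {
        $err = $db->error;        // MySQL reports a "command denied" error for this user
        $db->close();
        throw new RuntimeException('Query rejected by MySQL: ' . $err);
    }
    $rows = [];
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $result->free();
    $db->close();
    return $rows;
}

// Constructed inputs for the PHP-side check alone (no database needed):
var_dump(looksLikeReadOnlyQuery('SELECT id, updated_at FROM users'));
var_dump(looksLikeReadOnlyQuery('select * from t; drop table t'));
var_dump(looksLikeReadOnlyQuery('DELETE FROM users'));
```

Of the three constructed inputs, only the first passes the PHP check; the second is refused for containing a second statement and the third for not starting with SELECT. If a query slips past the check anyway, the GRANT on 'report_ro' means mysqli::query() returns false and the script reports the MySQL error instead of the change being applied.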