Hello all,
I have a script that allows the user to execute SQL queries as he pleases.
I want to allow only 'SELECT' queries and not DELETE, ALTER, DROP, UPDATE or any other changes on the db.
Does anybody have an idea besides using strstr or preg_match and looking for suspicious words?
filtering manual sql query
As volka says, using a different login than the 'regular' one you are using is the best/safest idea. Look up GRANT in the MySQL docs.
As a side note, if your host does not support adding users (mine doesn't) you perhaps could manage with strstr().
Not tested whether I wrote it correctly, or even if this is something worth using, but it's an idea.
Code:
<?php
// Naive keyword blacklist. stripos() is case-insensitive; the original strstr()
// is not, so a query written as 'DELETE ...' would slip straight past it.
$bad = array('delete', 'update', 'drop', 'alter');
$sql = "select field from table";
foreach ($bad as $val) {
    if (stripos($sql, $val) !== false) {
        echo 'Found ' . $val;
    }
}