filtering manual sql query

Posted: Fri Oct 03, 2003 2:37 am
by yaron
Hello all,
I have a script that allows the user to execute SQL queries as he pleases.
I want to allow only 'SELECT' queries and not DELETE, ALTER, DROP, UPDATE or any other changes to the DB.
Does anybody have an idea besides using strstr or preg_match and looking for suspicious words?

Posted: Fri Oct 03, 2003 3:18 am
by volka
Use an account on the SQL server that only allows SELECT queries.

Posted: Fri Oct 03, 2003 4:12 am
by JAM
As volka says, using a different login than the 'regular' one you are using is the best/safest idea. Look up GRANT in the MySQL docs.

As a side note, if your host does not support adding users (mine doesn't) you could perhaps manage with strstr()

Code:

<?php
$bad = array('delete', 'update');
$sql = "select field from table";
foreach ($bad as $val) {
    // stristr() is the case-insensitive form of strstr(); plain strstr()
    // would let "DELETE" or "Update" pass, so use the case-insensitive check.
    if (stristr($sql, $val) !== false) {
        echo 'Found ' . $val;
    }
}
Not tested whether I wrote this correctly, or even if this is something worth using, but it's an idea.
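The approach volka and JAM recommend, a MySQL account that can only SELECT, as an added worked example (this is not code posted in the thread). The database name `appdb`, the account `ro_query`, the host `localhost`, the table `some_table` and the password are all placeholders chosen for the example; run the administrative statements as root or another user with GRANT OPTION:

```sql
-- Added example, not from the thread: a SELECT-only MySQL account for the
-- user-supplied query page. Placeholders: database `appdb`, account
-- `ro_query`, host `localhost`, table `some_table`; replace the password.

-- 1. Create the account. MySQL 4.x (current when the thread was posted) had
--    no CREATE USER; there "GRANT ... IDENTIFIED BY" created the account
--    implicitly. MySQL 8 requires the explicit CREATE USER shown here.
CREATE USER 'ro_query'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';

-- 2. Grant SELECT only, and only on the one database the query page needs.
--    No INSERT/UPDATE/DELETE/ALTER/DROP, no FILE privilege (so
--    SELECT ... INTO OUTFILE is refused), nothing on mysql.* or other schemas.
GRANT SELECT ON appdb.* TO 'ro_query'@'localhost';

-- 3. Optional: read-only is not the same as harmless. A page that runs any
--    SELECT can still be used for SELECT SLEEP(...) or huge joins, so cap the
--    account's resource usage (ALTER USER ... WITH is MySQL 5.7.6+; older
--    servers take the same clauses on GRANT).
ALTER USER 'ro_query'@'localhost'
    WITH MAX_QUERIES_PER_HOUR 1000
         MAX_USER_CONNECTIONS 5;

-- 4. Verify that the effective privileges match the intent before wiring the
--    account into the PHP script.
SHOW GRANTS FOR 'ro_query'@'localhost';

-- 5. Connected as the new account (mysql -u ro_query -p appdb), the page's
--    SELECTs work and every write is refused by the server itself, whatever
--    case or spacing the user types, rather than by keyword matching in PHP.
SELECT COUNT(*) FROM appdb.some_table;   -- allowed: SELECT on appdb.*
DELETE FROM appdb.some_table;            -- refused: no DELETE privilege
DROP TABLE appdb.some_table;             -- refused: no DROP privilege
```

The PHP script should open its connection for the user-query page with this account and nothing else; the refused statements fail with MySQL's "command denied to user" error (1142), which the script can show to the user. FLUSH PRIVILEGES is not needed after GRANT or ALTER USER, since the server updates the grant tables itself.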