Even safer if yuo don't let users type in actual SQL at all.
Have a set of check boxes so they can pick which type of query they
want.(update, delete, select, etc.) Have them fill in fields and have them
fill in tables. Then, in your php code, construct the sql code yourself,
while checking the fields for ilelgal characters like ";"
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Brent R. Matzelle" <bmatzelle@yahoo.com>
To: <pgsql-php@postgresql.org>
Sent: Tuesday, January 23, 2001 3:37 PM
Subject: [PHP] Re: query checking
> You might also try giving the client user different rights to
> the database. Only allow select, insert, and update but
> disallowing any deletes. That way you won't need to build it
> into your PHP code.
>
> Brent
>
> --- s <stefang@bundabergcity.qld.gov.au> wrote:
> > I am writing a site that
> > does select/insert SQL commands with users input.
> >
> > There is a potential hazard if some one tries to execute there
> > own commands in an input box
> > eg. the user types into the input box on a form - [ ";
> > delete *
> > from table; ]
> >
> > I'm after a regular expression (that'd be nice) or an
> > algorithm to
> > tell that only one query is being passed to psql at a time.
> >
> > The query string will be processed if
> > Either - one SELECT command only
> > - one INSERT command only
> > - one UPDATE command only
> > ELSE - dont process query
> >
> > Any input would be much appreciated.
> > thanks,
> > stef
> >
>
>
> =====
> "The instructions said install windows 98 or better, so I installed Linux"
>
> http://www.matzelle.net
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Auctions - Buy the things you want at great prices.
> http://auctions.yahoo.com/