Re: query checking

From: Timothy_Maguire(at)hartehanks(dot)com
To: s <stefang(at)bundabergcity(dot)qld(dot)gov(dot)au>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: query checking
Date: 2001-01-22 14:45:40
Message-ID: 852569DC.0051195F.00@linmail.hartehanks.com
Lists: pgsql-php

You can try using the ereg() or eregi() functions and check for what the user
inputted. For example:

if (eregi("delete", $query))
{
    // input contains "delete": refuse it
    echo " you can not delete from table";
}
elseif (eregi("select", $query) || eregi("update", $query) ||
        eregi("insert", $query))
{
    // execute $query here .....
}

Hope this helps.

Tim.

s <stefang(at)bundabergcity(dot)qld(dot)gov(dot)au> on 01/21/2001 07:44:20 PM

To: pgsql-php(at)postgresql(dot)org
cc: (bcc: Timothy Maguire/Data-Technologies/Harte-Hanks)

Subject: query checking

I am writing a site that
does select/insert SQL commands with users' input.

There is a potential hazard if someone tries to execute their
own commands in an input box,
e.g. the user types into the input box on a form - [ "; delete *
from table; ]

I'm after a regular expression (that'd be nice) or an algorithm to
tell that only one query is being passed to psql at a time.

The query string will be processed if
Either - one SELECT command only
- one INSERT command only
- one UPDATE command only
ELSE - don't process query

Any input would be much appreciated.
thanks,
stef
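
The single-statement check asked for above, as an added example that is not part of either message: it goes beyond keyword matching by blanking out quoted literals and line comments before counting semicolons, then checks the leading keyword. The function name single_statement_kind() and the sample table names are hypothetical, and the scanner assumes that rejecting any input containing a backslash, a dollar sign or a block comment is acceptable.

```php
<?php
// Added example (not from the thread). Returns 'SELECT', 'INSERT' or 'UPDATE'
// when $sql is exactly one statement of that kind, otherwise null.
function single_statement_kind(string $sql): ?string
{
    // Fail closed on syntax this scanner does not model: backslash escapes,
    // dollar quoting and block comments all change where a literal ends.
    if (strpbrk($sql, "\\\$") !== false || strpos($sql, '/*') !== false) {
        return null;
    }
    $n = strlen($sql);
    $code = '';   // statement text with literals and comments blanked out
    for ($i = 0; $i < $n; $i++) {
        $c = $sql[$i];
        if ($c === "'" || $c === '"') {
            // Skip to the closing quote; a doubled quote stays inside.
            $end = $i + 1;
            while (($end = strpos($sql, $c, $end)) !== false
                   && $end + 1 < $n && $sql[$end + 1] === $c) {
                $end += 2;
            }
            if ($end === false) return null;   // unterminated literal
            $code .= ' ';
            $i = $end;
        } elseif ($c === '-' && $i + 1 < $n && $sql[$i + 1] === '-') {
            // Line comment: skip to end of line.
            $end = strpos($sql, "\n", $i);
            $i = ($end === false) ? $n : $end;
            $code .= ' ';
        } else {
            $code .= $c;
        }
    }
    // Semicolons that remain are real statement separators.
    $parts = array_values(array_filter(array_map('trim', explode(';', $code)), 'strlen'));
    if (count($parts) !== 1) return null;
    $first = strtoupper(strtok($parts[0], " \t\r\n("));
    return in_array($first, ['SELECT', 'INSERT', 'UPDATE'], true) ? $first : null;
}

// Constructed inputs; the third embeds the form value quoted in the thread.
$samples = [
    "SELECT * FROM notes WHERE body = 'please delete; this'",
    "SELECT 1; UPDATE notes SET body = 'x'",
    'SELECT * FROM t WHERE name = "' . '"; delete * from table;' . '"',
];
foreach ($samples as $s) {
    printf("%-7s %s\n", single_statement_kind($s) ?? 'REJECT', $s);
}
```

The first two samples are the cases where substring matching and statement counting disagree: a word inside a literal, and two permitted statements in one string. A check like this is a second line of defence; form values are better passed as bound parameters (pg_query_params() in current PHP) so they never become part of the statement text.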
