Re: query checking

From: "Brent R(dot) Matzelle" <bmatzelle(at)yahoo(dot)com>
To: pgsql-php(at)postgresql(dot)org
Subject: Re: query checking
Date: 2001-01-23 20:37:50
Message-ID: 20010123203750.21463.qmail@web313.mail.yahoo.com
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-php

You might also try giving the client user different rights to
the database. Only allow select, insert, and update but
disallowing any deletes. That way you won't need to build it
into your PHP code.

Brent

--- s <stefang(at)bundabergcity(dot)qld(dot)gov(dot)au> wrote:
> I am writing a site that
> does select/insert SQL commands with users input.
>
> There is a potential hazard if some one tries to execute there
> own commands in an input box
> eg. the user types into the input box on a form - [ ";
> delete *
> from table; ]
>
> I'm after a regular expression (that'd be nice) or an
> algorithm to
> tell that only one query is being passed to psql at a time.
>
> The query string will be processed if
> Either - one SELECT command only
> - one INSERT command only
> - one UPDATE command only
> ELSE - dont process query
>
> Any input would be much appreciated.
> thanks,
> stef
>

=====
"The instructions said install windows 98 or better, so I installed Linux"

http://www.matzelle.net

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices.
http://auctions.yahoo.com/

Responses

Browse pgsql-php by date

  From Date Subject
Next Message Adam Lang 2001-01-24 14:49:41 Re: Re: query checking
Previous Message Timothy_Maguire 2001-01-23 15:42:57 using includes