Sign In
Create Account
Follow Us on Twitter
Subscribe on Youtube
2
I am writing a management script that goes over a number of queries and organizes them by runtime, with input options via form or
already-existing query storage tables.
However, on my form I'd like to double-check that the string entered is actually an SQL statement - is there any way to do that,
IE.. prevent simple strings from getting input into the database. What is the best way to do that?
4 replies to this topic
Back to top|
|
|
#2
Posted 22 February 2012 - 10:41 AM
RHochstenbach
-
- Members
-
- 56 posts
Learning Programmer
If your database tables are in the innoDB format, you can do the following:
// Put the query in the variable
$query = $_POST['query'];
// Execute the query, store the result in a variable and then undo it.
mysql_query("START TRANSACTION;");
$check = mysql_query($query);
mysql_query("ROLLBACK;");
// If the query was successful, repeat it for real this time
if($check === true) {
mysql_query($query);
} else {
echo "Not a valid query!";
}
The above is a theory though, so give it a try and please come back with the results :)
#3
Posted 22 February 2012 - 03:31 PM
Orjan
-
- Moderators
-
- 3,299 posts
Writes binary right handed and hex left handed
- Location:Karlstad, Sweden
- Programming Language:C, Java, C++, C#, PHP, JavaScript, Pascal
- Learning:Java, C#
If you want to use transactions like that, you might need to turn autocommit off to be able to roll back properly.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall
I study Information Systems at Karlstad University when I'm not on CodeCall
#4
Posted 23 February 2012 - 12:38 AM
RHochstenbach
-
- Members
-
- 56 posts
Learning Programmer
Orjan said:
If you want to use transactions like that, you might need to turn autocommit off to be able to roll back properly.
In that case it would be something like this:
mysql_query("SET autocommit = 0;");
// Put the query in the variable
$query = $_POST['query'];
// Execute the query, store the result in a variable and then undo it.
mysql_query("START TRANSACTION;");
$check = mysql_query($query);
mysql_query("ROLLBACK;");
// If the query was successful, repeat it for real this time
if($check === true) {
mysql_query($query);
} else {
echo "Not a valid query!";
}
#5
Posted 24 February 2012 - 08:01 AM
Orjan
-
- Moderators
-
- 3,299 posts
Writes binary right handed and hex left handed
- Location:Karlstad, Sweden
- Programming Language:C, Java, C++, C#, PHP, JavaScript, Pascal
- Learning:Java, C#
But, on the other hand, such a function is so vulnerable. I would probably let a user build their SQL statemens with dropboxes and stuff so they can't do any harm. with that, someone could easily do a drop database command, and then ... well, I think you get the point.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall
I study Information Systems at Karlstad University when I'm not on CodeCall
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
