I have set up a SQL query with Perl in a text box. There are hundreds of combinations of queries. This is for advanced users so this will work. My worry is to stop them from using the Delete function. Any thoughts on how to stop them from deleting?
Birdman
2:00 pm on Apr 29, 2003 (gmt 0)
Parse the users query for the string "delete" and any other harmful commands before sending it to the db.
ShawnR
2:23 pm on Apr 29, 2003 (gmt 0)
Makes me feel uncomfortable. It's not just delete you need to worry about, it is any 'write' command (insert, append, drop, update, etc). Can you open the db R/O for the queries that you get in from the form? e.g. connect with a username with ro privileges. Alternatively, parse the query as Birdman suggests, but I'd be more comfortable if you excluded everything except those safe ones (which may just be 'select'), rather than include everything except the commands you are concerned about.
Shawn
Maine Copper
2:27 pm on Apr 29, 2003 (gmt 0)
Actually, we want them to append, update, insert, etc. This is on an intranet with other security features. The only people in there are the ones supposed to be, and they know what they are doing. We just don't want them to be able to delete a certain section.
Maine Copper
2:33 pm on Apr 29, 2003 (gmt 0)
Worked, thank you.
daisho
2:35 pm on Apr 29, 2003 (gmt 0)
Use a separate username. Turn off everything and add privileges as needed. Much more secure going at that angle rather than granting everything and then taking away certain things.
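The approach ShawnR and daisho describe (a dedicated database account that starts with nothing and is granted only what the form needs, never DELETE) looks like this in practice. This is an added example, not code from the thread; it assumes MySQL/MariaDB-style syntax and a hypothetical schema (database `intranet_db`, tables `orders`, `customers` and a protected `ledger` table). The account name and password are placeholders.

```sql
-- Added example (not from the thread). Assumes MySQL/MariaDB GRANT syntax and a
-- hypothetical schema: intranet_db with tables orders, customers and ledger.

-- 1. A dedicated account for the query form. A fresh user has no privileges at all.
CREATE USER 'form_user'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 2. Grant only the verbs the intranet users actually need, per table.
--    DELETE and DROP are simply never granted, so the server rejects them
--    regardless of what the Perl-side parser lets through.
GRANT SELECT, INSERT, UPDATE ON intranet_db.orders    TO 'form_user'@'localhost';
GRANT SELECT, INSERT, UPDATE ON intranet_db.customers TO 'form_user'@'localhost';

-- 3. The "certain section" that must not be changed at all: read-only.
GRANT SELECT ON intranet_db.ledger TO 'form_user'@'localhost';

-- 4. Verify the effective privilege set before wiring it into the form.
SHOW GRANTS FOR 'form_user'@'localhost';

-- With this in place, a query such as the following, submitted through the form,
-- fails at the database with a "command denied" error for form_user:
--   DELETE FROM intranet_db.orders WHERE id = 42;
```

The Perl script then connects with these credentials (e.g. via `DBI->connect` using the `form_user` account) instead of an administrative login, so the privilege check is enforced by the database server itself. Parsing the submitted SQL for forbidden keywords, as Birdman suggests, remains useful as defence in depth, but it is no longer the only thing standing between the user and a DELETE.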