
Allow SQL queries but not anything harmful

Drakkon

Diamond Member
Is there any way to let a user submit full SELECT statements to a mysql database without allowing anything harmful to come up (such as lists of all table names, changing passwords, etc.)?
I've thought of checking for more than one semicolon, only allowing SELECT (not update, create, etc.), not allowing more than 1 WHERE, not allowing more than 1 FROM. Is there something out there that will kinda filter an SQL query for this sorta stuff and make it safe?
 
You can also be creative at the interface, for example by allowing the user to select choices in a series of lists rather than accepting typed queries.
 
Originally posted by: Markbnj
You can also be creative at the interface, for example by allowing the user to select choices in a series of lists rather than accepting typed queries.

The interface is just a flash program that is used to show the database - it's a freshman-level training course for DBAs. The intention is to teach them how to type in simple SQL statements and see the results they get back (in a tabular format). So they need to type the FULL SQL query, then have it submit to the database.
 
I am not sure about how permissions/roles are set up in MySQL, but SQL Server allows object-level permissions for everything and has built-in user roles that allow only SELECTs - an attempt to insert/drop/update will raise an exception. Can't you do something similar?
 
Originally posted by: Dhaval00
I am not sure about how permissions/roles are set up in MySQL, but SQL Server allows object-level permissions for everything and has built-in user roles that allow only SELECTs - an attempt to insert/drop/update will raise an exception. Can't you do something similar?
I assume most injection attacks are INSERT/UPDATE/CREATE-driven, so that might work... thanks

 
Originally posted by: Drakkon
Originally posted by: Dhaval00
I am not sure about how permissions/roles are set up in MySQL, but SQL Server allows object-level permissions for everything and has built-in user roles that allow only SELECTs - an attempt to insert/drop/update will raise an exception. Can't you do something similar?
I assume most injection attacks are INSERT/UPDATE/CREATE-driven, so that might work... thanks

Were you being sarcastic or really thanking? LOL. So much for e-communications.
 
Haha - yes, I was honestly thanking - seemed like a good solution to my problem as mysql does have roles. I just have to make sure the person who sets up the DB knows to restrict the account accessing this one page, I guess.
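The restriction the thread settles on, written out as an added example (not code from any of the posters): a dedicated MySQL account for the training page that can only read the training schema, so the database itself rejects anything other than SELECT no matter what gets typed into the form. The schema name `training_db`, the table `employees`, the account name `trainee` and the password are assumed placeholders. Run the statements as an administrative user that has GRANT OPTION.

```sql
-- Added example (not from the thread): least-privilege MySQL account for the
-- page that runs trainee-typed queries. training_db, employees, trainee and
-- the password are assumed names; replace them for a real deployment.

-- 1. A dedicated account used only by the training page.
CREATE USER 'trainee'@'localhost' IDENTIFIED BY 'change-me-before-deploying';

-- 2. Read-only access, scoped to the training schema. The account gets no
--    INSERT, UPDATE, DELETE, CREATE, DROP, ALTER or FILE privilege, and nothing
--    on the mysql schema, so the password rows in mysql.user are not readable.
GRANT SELECT ON training_db.* TO 'trainee'@'localhost';

-- Narrower alternative when only specific tables should be visible:
-- GRANT SELECT ON training_db.employees TO 'trainee'@'localhost';

-- 3. Cap how hard one trainee can hit the server (MySQL per-account resource
--    limits; ALTER USER ... WITH needs MySQL 5.7.6 or later).
ALTER USER 'trainee'@'localhost'
  WITH MAX_QUERIES_PER_HOUR 1000
       MAX_USER_CONNECTIONS 5;

-- 4. Verify what the account can do. Expected output lists only
--    USAGE ON *.* and SELECT ON `training_db`.*
SHOW GRANTS FOR 'trainee'@'localhost';

-- 5. Smoke test from a session logged in as trainee:
--    SELECT * FROM training_db.employees LIMIT 5;   -- works
--    UPDATE training_db.employees SET salary = 0;  -- rejected:
--    ERROR 1142 (42000): UPDATE command denied to user 'trainee'@'localhost' for table 'employees'
--    SELECT * FROM mysql.user;                      -- rejected:
--    ERROR 1142 (42000): SELECT command denied to user 'trainee'@'localhost' for table 'user'
```

On MySQL versions before 5.7.6 the resource limits are attached with `GRANT USAGE ON *.* TO 'trainee'@'localhost' WITH MAX_QUERIES_PER_HOUR 1000` instead of ALTER USER. One limit of this approach relative to the original wish list: a SELECT-only account can still see the names of the tables it has been granted access to (via SHOW TABLES or INFORMATION_SCHEMA), which for a DBA training course is usually the intended behaviour; what it cannot do is read or modify anything outside the granted schema, and that holds regardless of how the query text is constructed.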
 