September 28th, 2000, 08:20 PM
I would like to be able to enter at least part of a SELECT SQL statement in an HTML form and have it return the results. But for obvious reasons I would like to limit this query to SELECTs.
I am thinking that I will prepend a "SELECT " to the form data and strip out all semi-colons.
Are commands that are available in a mysql client available in mysql_query()? (i.e. \c -- clear, \q -- quit, etc.)
Is there anything else that I should be aware of that would allow a user to execute anything but a SELECT query?
[This message has been edited by RyanP (edited September 28, 2000).]
September 28th, 2000, 09:32 PM
I don't know how relevant this would be, but in the MySQL client commands can end with a semi-colon or \g, so you might want to catch that too.
September 28th, 2000, 09:55 PM
I have a feeling that mysql client commands are not available in mysql_query(), but I just wanted to make sure.
September 29th, 2000, 01:19 AM
I am thinking about doing the same thing. I think your plan to prepend the "SELECT" to the form data is a good idea, but what happens if the user makes a mistake in their select statement? How do you deal with that? What I mean is, how do you prevent the browser from displaying the stupid "Internal Server Error" message and display a nicer message that lets the user know that there is something wrong with their statement.
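Pulling together the two questions in this thread (limiting the form to SELECT, and showing a friendly message when the statement is wrong), here is an added example that is not from any of the posters. It assumes Python and SQLite in place of PHP and MySQL so it runs stand-alone; the read-only connection stands in for a MySQL account granted only SELECT, which is the control that actually enforces the limit, while the prepend-and-refuse-semicolons filter just gives the user early feedback.

```python
import os
import sqlite3
import tempfile

def build_sample_db():
    """Create a constructed sample database on disk and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE books (id INTEGER, title TEXT, year INTEGER);"
        "INSERT INTO books VALUES (1, 'SQL Basics', 1999);"
        "INSERT INTO books VALUES (2, 'PHP Notes', 2000);"
    )
    conn.commit()
    conn.close()
    return path

def execute_readonly(db_path, sql):
    """Run one statement on a read-only connection.

    Returns (rows, None) on success or (None, message) on failure, so the
    page can show the message instead of a bare Internal Server Error.
    The read-only connection plays the role of a MySQL account created
    with GRANT SELECT only: a write fails at the database itself, whether
    or not the text filter in run_user_select() caught it.
    """
    try:
        # mode=ro is SQLite's URI flag for a read-only open (POSIX path).
        conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
        try:
            # execute() runs exactly one statement; the driver rejects a
            # second statement after a semicolon on its own.
            return conn.execute(sql).fetchall(), None
        finally:
            conn.close()
    except sqlite3.Error as exc:
        return None, f"There is a problem with your query: {exc}"

def run_user_select(db_path, fragment):
    """The thread's plan: prepend SELECT, refuse semicolons, then run."""
    fragment = fragment.strip()
    if not fragment:
        return None, "Please enter the rest of a SELECT statement."
    if ";" in fragment:
        return None, "Semicolons are not allowed; enter a single SELECT."
    return execute_readonly(db_path, "SELECT " + fragment)
```

The temporary database file is left for the caller to remove with os.remove() once finished.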