A quick suggestion would be to build your query normally and then don't run
the query if it has a semicolon that isn't inside quotes.  Also, use single
quotes in the update to make your checks easier:

UPDATE table_name SET field1='value1'

-----Original Message-----
From: Ronald Wiplinger
To: [EMAIL PROTECTED]
Sent: 3/1/02 6:00 PM
Subject: [PHP-DB] Security concern with web forms (update of MySQL data base)


A PHP page, which includes an update statement for a MySQL database:

I am trying to figure out how I can make sure that an update form on the web cannot include code that would update other parts of the database (or worse, destroy a database).

bye

Ronald




Ronald Wiplinger, CEO, ELMIT - The Solution Provider
Tel. +886 2 8809-7680, Fax. +886 2 2809-0183, Mobile: +886 915 653-452
Net2Phone:8869550066, ICQ: 111651169
http://www.elmit.com            http://www.wiplinger.org
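
An added example, not code from either poster: a PHP version of the semicolon-outside-quotes check suggested in the reply, applied to a query built by concatenation, next to the same update run as a prepared statement. The function name, the table layout, the constructed form value and the in-memory SQLite database (standing in for MySQL so the script runs offline; needs the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example; function, table and column names are assumptions.

// True if $sql has a semicolon outside a quoted string. Tracks ' and "
// quotes, backslash escapes, and doubled quotes ('') as MySQL accepts them.
function has_unquoted_semicolon(string $sql): bool
{
    $quote = null;                          // open quote character, if any
    for ($i = 0, $len = strlen($sql); $i < $len; $i++) {
        $c = $sql[$i];
        if ($quote === null) {
            if ($c === "'" || $c === '"') {
                $quote = $c;
            } elseif ($c === ';') {
                return true;
            }
        } elseif ($c === '\\') {
            $i++;                           // skip the escaped character
        } elseif ($c === $quote) {
            if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                $i++;                       // '' is a literal quote, still inside
            } else {
                $quote = null;
            }
        }
    }
    return false;
}

// Constructed form value: legitimate text with an apostrophe and a semicolon.
$value = "O'Brien; 2nd floor";

// Query built by concatenation: the apostrophe ends the string early, so the
// check sees the semicolon as unquoted and the update is refused.
$built = "UPDATE table_name SET field1='" . $value . "' WHERE id=1";
echo has_unquoted_semicolon($built) ? "refused\n" : "allowed\n";

// Same update as a prepared statement: the value is bound, never parsed as SQL.
$db = new PDO('sqlite::memory:');           // stands in for MySQL (assumption)
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE table_name (id INTEGER PRIMARY KEY, field1 TEXT)");
$db->exec("INSERT INTO table_name VALUES (1, 'old'), (2, 'untouched')");
$stmt = $db->prepare("UPDATE table_name SET field1 = :v WHERE id = :id");
$stmt->execute([':v' => $value, ':id' => 1]);
foreach ($db->query("SELECT id, field1 FROM table_name ORDER BY id") as $row) {
    echo $row['id'], ": ", $row['field1'], "\n";
}
```

With the bound parameter the value is stored exactly as typed and only the row named in the WHERE clause changes, so the filter is not the only thing standing between form input and the statement text.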
