1st, you should limit the permissions that you have for the user doing
the update.
This user should not be able to do things like ALTER / DROP / CREATE
etc...

If you don't have a need for the DELETE command you can remove the
permissions for it to, however this does not solve all of your problems
since UPDATE can do as much harm as DELETE.

You should use ' ' around all of your variables (even integers) so that
if anyone tries some funny business with ";" it will fail. You should
also do as much data validation as you can. Make sure that you are
actually getting integers where you expect them etc...

For someone to be able to mess your DB, he needs to know your db scheme
so try to keep away from obvious field names and make it harder for that
someone to guess your table / field names.

Sincerely

      berber

Visit http://www.weberdev.com Today!!! 
To see where PHP might take you tomorrow.





-----Original Message-----
From: Ronald Wiplinger [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 02, 2002 4:00 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Security concern with web forms (update of MySQL data
base)



A php page, which includes an update statement for a MySQL data base:

I am trying to figure out, how I can make sure that an update form on
the 
web cannot include codes, that would update other parts of the database
(or 
worse destroy a database).

bye

Ronald




Ronald Wiplinger (Q), CEO, ELMIT - The Solution Provider
Tel. +886 2 8809-7680, Fax. +886 2 2809-0183, Mobile: +886 915 653-452
Net2Phone:8869550066, ICQ: 111651169
http://www.elmit.com            http://www.wiplinger.org

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to