1st, you should limit the permissions that you have for the user doing
This user should not be able to do things like ALTER / DROP / CREATE
If you don't have a need for the DELETE command you can remove the
permissions for it to, however this does not solve all of your problems
since UPDATE can do as much harm as DELETE.
You should use ' ' around all of your variables (even integers) so that
if anyone tries some funny business with ";" it will fail. You should
also do as much data validation as you can. Make sure that you are
actually getting integers where you expect them etc...
For someone to be able to mess your DB, he needs to know your db scheme
so try to keep away from obvious field names and make it harder for that
someone to guess your table / field names.
Visit http://www.weberdev.com Today!!!
To see where PHP might take you tomorrow.
From: Ronald Wiplinger [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 02, 2002 4:00 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Security concern with web forms (update of MySQL data
A php page, which includes an update statement for a MySQL data base:
I am trying to figure out, how I can make sure that an update form on
web cannot include codes, that would update other parts of the database
worse destroy a database).
Ronald Wiplinger (ÃQ¤¯¯Ç), CEO, ELMIT - The Solution Provider
Tel. +886 2 8809-7680, Fax. +886 2 2809-0183, Mobile: +886 915 653-452
Net2Phone:8869550066, ICQ: 111651169
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php