1st, you should limit the permissions that you have for the user doing
the update.
This user should not be able to do things like ALTER / DROP / CREATE

If you don't have a need for the DELETE command you can remove the
permissions for it to, however this does not solve all of your problems
since UPDATE can do as much harm as DELETE.

You should use ' ' around all of your variables (even integers) so that
if anyone tries some funny business with ";" it will fail. You should
also do as much data validation as you can. Make sure that you are
actually getting integers where you expect them etc...

For someone to be able to mess your DB, he needs to know your db scheme
so try to keep away from obvious field names and make it harder for that
someone to guess your table / field names.



Visit http://www.weberdev.com Today!!! 
To see where PHP might take you tomorrow.

-----Original Message-----
From: Ronald Wiplinger [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 02, 2002 4:00 AM
Subject: [PHP-DB] Security concern with web forms (update of MySQL data

A php page, which includes an update statement for a MySQL data base:

I am trying to figure out, how I can make sure that an update form on
web cannot include codes, that would update other parts of the database
worse destroy a database).



Ronald Wiplinger (Q), CEO, ELMIT - The Solution Provider
Tel. +886 2 8809-7680, Fax. +886 2 2809-0183, Mobile: +886 915 653-452
Net2Phone:8869550066, ICQ: 111651169
http://www.elmit.com            http://www.wiplinger.org

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to