1st, you should limit the permissions that you have for the user doing the update. This user should not be able to do things like ALTER / DROP / CREATE etc...
If you don't have a need for the DELETE command you can remove the permissions for it to, however this does not solve all of your problems since UPDATE can do as much harm as DELETE. You should use ' ' around all of your variables (even integers) so that if anyone tries some funny business with ";" it will fail. You should also do as much data validation as you can. Make sure that you are actually getting integers where you expect them etc... For someone to be able to mess your DB, he needs to know your db scheme so try to keep away from obvious field names and make it harder for that someone to guess your table / field names. Sincerely berber Visit http://www.weberdev.com Today!!! To see where PHP might take you tomorrow. -----Original Message----- From: Ronald Wiplinger [mailto:[EMAIL PROTECTED]] Sent: Saturday, March 02, 2002 4:00 AM To: [EMAIL PROTECTED] Subject: [PHP-DB] Security concern with web forms (update of MySQL data base) A php page, which includes an update statement for a MySQL data base: I am trying to figure out, how I can make sure that an update form on the web cannot include codes, that would update other parts of the database (or worse destroy a database). bye Ronald Ronald Wiplinger (ÃQ¤¯¯Ç), CEO, ELMIT - The Solution Provider Tel. +886 2 8809-7680, Fax. +886 2 2809-0183, Mobile: +886 915 653-452 Net2Phone:8869550066, ICQ: 111651169 http://www.elmit.com http://www.wiplinger.org -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php