I would like to allow some admins to manually enter SQL statements in a textfield (to get statistic data etc.). On the database layer, I protected the data by creating a user which can only select but not update/delete etc.
I would like to add a second security by checking the inserted SQL for bad words such as DROP, DELETE or UPDATE. I figured out how to do that with preg_match but I would love to have a smart script which can distiguish between a DROP and something like WHERE name = 'DROP 1'
EDIT: I would like to log if an admin tries to uses such statements. That’s why I need this second level security check. This is for clarification.
Does anyone know a code snipped which fits this example?
Thanks!!
I wouldn’t use regular expressions for something as complex as SQL.
I’d start by looking at what SQL parsers are available for PHP, then use one of those to parse and analyze the SQL statements being used.
Try one of these:
http://pear.php.net/package/SQL_Parser
http://sourceforge.net/projects/osqlp/