Answer the question
In order to leave comments, you need to log in
How to restrict arbitrary mysql query to only SELECT command?
The task is to give users the opportunity to write a full-fledged mysql query for a selection, but at the same time limit any modification commands.
What is the best way to do this? Maybe someone met php libraries that would parse the query and restrict only SELECT?
Thank you!
update: delimitation by accesses, unfortunately, is not possible in this case.
Answer the question
In order to leave comments, you need to log in
make a grammar parser and run queries through it option?
Ready-made grammars (even for mysql) are available, for example, here www.antlr.org/grammar/list . Yes, and you can write it yourself based on the requirements ... Regexps here, IMHO, are a thankless task ...
Why not create a user in mysql and give him privileges only on SELECT ?!
It won't help.
There is, for example, a " SELECT source INTO destination " query that creates a new table or inserts data into an existing one.
It also happens that several requests are separated by commas - “select ...; delete”
But in principle, IMHO, it is quite possible to write code that will validate the request.
Hm. in general
dev.mysql.com/doc/refman/5.0/en/ansi-diff-select-into-table.html
SELECT source INTO destination is not supported.
IMHO check with regexp that the request starts as "\A*select", configure the API to not allow multiple statements through ';'
Although here you need to do more research and make sure that it is safe.
Why not write a regular expression that, when INSERT, UPDATE, DELETE, TRUNCATE, ALTER, INTO, SET, VALUES, will swear?
Grant for selection, of course, is the most adequate solution.
As a forced measure, you can try to analyze the entered query and, based on the result, pass or not pass it to the DBMS.
But I would suggest the reverse procedure: construct a query from the available data entered in any convenient way, including parsing the original query. The main thing is to transfer to the DBMS not data entered from outside, but a specially generated request, in which there are guaranteed to be no “wrong” constructions. And if there are any in the original request, throw an error.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question