php-db | 2005011
Date: 01/11/05
- Next message: Martin Norland: "Re: [PHP-DB] Update multiple records"
- Previous message: Stuart Felenstein: "Re: [PHP-DB] Update multiple records"
- Next in thread: Rich Hutchins: "RE: [PHP-DB] Complicated Question (maybe)?"
- Reply: Rich Hutchins: "RE: [PHP-DB] Complicated Question (maybe)?"
Turning off 'Update' privileges in the DB will work but it's ugly.
REVOKE UPDATE ON <your table>.<column - or - * for all> FROM <the web user>
http://dev.mysql.com/doc/mysql/en/GRANT.html for documentation
Now when someone tries to update this they will get an error and unless
you have different logins for every user UPDATE will not work for
anyone over the web.
I have two other ideas, although each is more work:
-Make a second table like the first address table but add a timestamp
column, do not use auto increment (you will set the ID to the ID in the
original table). In your PHP when you do an update you will first
INSERT the original record and the current time into the new table then
allow the UPDATE to the original table. This will not break your app
but will preserve the data.
-Add a column 'valid' to the original table and when someone tries to
update the table find the original record and set valid to 0; then
insert a new record. This may not work if you are joining off of the
ID (all related records will still point to the old record).
You could also remove or disable all the UPDATE code from your PHP
pages, no?
Good luck,
Frank
On Jan 11, 2005, at 9:39 AM, php-db-digest-help <email protected> wrote:
> From: Chris
> As long as I'm understanding you correctly, this is able to be done
> with the mysql privileges.
>
> Just create a user that isn't allowed to update that column, then use
> that user in your PHP code.
>
> The wording of your message makes it look like you're using a webform
> to specify a columnname-value combination to update in the database.
> This is inherently insecure.
>
> Chris
>
> JeRRy wrote:
>
>> Hi,
>> I want to BLOCK any possible updates from a webform or
>> php page to the address field. Or even halt any sort
>> of update/modification from mysql to that column but
>> have it possible to unblock by admin.
>>
>> Is this possible? Sure I could refuse an mysql update
>> to do this but I want to lock out everyone to ensure
>> no sneaky activity or changes are made.
>>
>> Is it possible or am I talking too much?
>>
>> J
>>
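Added example, not part of the original messages: one way to combine the restricted-user suggestion with the history-table idea in MySQL, using column-level privileges and a trigger. The database `app`, the table `contacts` and its columns, the `web` account and the trigger name are assumptions made for illustration; the password is a placeholder.

```sql
-- Assumed schema (hypothetical names): app.contacts is the live table,
-- app.contacts_history keeps every previous version of a row.
CREATE TABLE app.contacts (
  id      INT AUTO_INCREMENT PRIMARY KEY,
  name    VARCHAR(100) NOT NULL,
  phone   VARCHAR(30),
  address VARCHAR(255)
);
CREATE TABLE app.contacts_history (
  id         INT NOT NULL,              -- copy of contacts.id, no auto increment
  name       VARCHAR(100),
  phone      VARCHAR(30),
  address    VARCHAR(255),
  changed_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  changed_by VARCHAR(128),
  INDEX (id)
);

-- Web account: may read and insert, and may update only the listed columns.
-- Privileges are additive, so 'address' is protected by never granting a
-- table-wide UPDATE, not by revoking one column from it.
CREATE USER 'web'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT, INSERT ON app.contacts TO 'web'@'localhost';
GRANT UPDATE (name, phone) ON app.contacts TO 'web'@'localhost';
-- No grants on contacts_history: the web account cannot read or alter it.

-- Archive the old row on every UPDATE, whoever issues it. The trigger runs
-- with its definer's privileges, so the web account needs no INSERT right
-- on the history table. USER() records the connected account.
CREATE TRIGGER app.contacts_keep_history
BEFORE UPDATE ON app.contacts
FOR EACH ROW
  INSERT INTO app.contacts_history (id, name, phone, address, changed_by)
  VALUES (OLD.id, OLD.name, OLD.phone, OLD.address, USER());

-- Check what the web account really holds before relying on it.
SHOW GRANTS FOR 'web'@'localhost';

-- Connected as 'web', this statement is refused with a privilege error:
--   UPDATE app.contacts SET address = 'changed' WHERE id = 1;

-- Admin unlock and re-lock of the address column:
GRANT  UPDATE (address) ON app.contacts TO   'web'@'localhost';
REVOKE UPDATE (address) ON app.contacts FROM 'web'@'localhost';
```

The PHP pages must connect as the `web` account for the restriction to apply; an account with table-wide or global UPDATE bypasses the column grant but still leaves a row in the history table.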

