I suggest you limit that functionality at the database level.  You should
be able to make sure their accounts can only perform SELECT queries.  This
is much safer than attempting to detect malicious/improper SQL.

Robert Aspinall

NOAA's National Ocean Service
CO-OPS/Information Systems Division
1305 East-West Highway
Bldg. SSMC4, Station Id 6314
Silver Spring, MD 20910

robert.aspin...@noaa.gov



On Mon, Apr 16, 2012 at 9:55 AM, Vincent Veyron <vv.li...@wanadoo.fr> wrote:

> Hi Group,
>
> I maintain a business application that uses a LAMP stack of Linux +
> Apache2 + Mod_perl + Postgresql. One recurring problem I have is that
> each client wants his own set of custom reports using queries from the
> database.
>
> This is currently covered via a table in the database which holds the
> query associated with the report, but that quickly leads to a
> maintenance problem.
>
> I am thinking of creating a sort of web service, where my customers can
> send a query to the server, via a VB or .NET procedure launched on the
> opening of a document (.doc, .odf, other ) and I'll just serve the
> dataset resulting from the query.
>
> My question is:
>
> Can I make sure that whatever query is sent to the server, it will only
> be a SELECT <...> and _never_ an UPDATE or INSERT or DELETE?
>
> I can check with a regexp, but I am worried about the possibility of
> encoding terms of the query into something obscure enough that it'll go
> through. For instance, DELETE in hexadecimal looks like this:
> 44454c4554450d0a
>
>
>
> --
> Vincent Veyron
> http://marica.fr/
> Insurance claims and litigation file management software for the legal
> department
>
>
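What Robert's suggestion looks like in PostgreSQL, as an added example that is not from either message in the thread: a login role that holds nothing but SELECT, so an encoded DELETE is rejected by the privilege system rather than by a regexp. The database name appdb, the schema public, the role name report_ro and the helper function name are assumptions.

```sql
-- Added example (not from the thread). Assumed names: database "appdb",
-- schema "public", reporting role "report_ro". Run as a superuser or the
-- schema owner.

-- 1. A login role for the reporting web service. The connection limit and
--    statement timeout bound what a runaway report can cost the server.
CREATE ROLE report_ro LOGIN PASSWORD 'replace-me' CONNECTION LIMIT 5;
ALTER ROLE report_ro SET statement_timeout = '30s';
-- Transactions start read-only by default. A client can still issue
-- SET TRANSACTION READ WRITE, so this is a safety net, not the control;
-- the privilege grants below are the control.
ALTER ROLE report_ro SET default_transaction_read_only = on;

-- 2. Privileges: connect, see the schema, read the tables. Nothing else.
GRANT CONNECT ON DATABASE appdb TO report_ro;
GRANT USAGE ON SCHEMA public TO report_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO report_ro;
-- Tables created later by the role running this statement get the same.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO report_ro;

-- 3. Strip the PUBLIC defaults that would otherwise leak rights: CREATE in
--    "public" (before PostgreSQL 15) and EXECUTE on every function. A
--    "SELECT my_func()" that has side effects is still syntactically a
--    SELECT, so function execution must be locked down as well.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
-- Grant back only what the reports actually need (assumed function name):
-- GRANT EXECUTE ON FUNCTION report_helper(integer) TO report_ro;

-- 4. Verify before exposing the service: list the role's table rights ...
SELECT grantee, table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'report_ro';
-- ... and confirm a write is refused when running as that role:
--   SET ROLE report_ro;
--   DELETE FROM some_table;   -- expected: ERROR: permission denied
--   RESET ROLE;
```

The web service should connect as report_ro only; an encoded or obfuscated UPDATE/INSERT/DELETE then fails with a permission error whatever the regexp did or did not catch.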
