On Fri, 17 Aug 2001, Mysql Mailing List wrote:

> If he sends in "select * from table", we would like the mysql actually
> execute "select * from table where hisID=1000";
>
> Basically, we want mysql database to screen the query sent from a certain
> user, and apply some conditions on that query.
>
> Is it possible to do it?  Is there a better way to do it?

As far as I know, the permissions control system of MySQL can only
restrict operations at the table level, not the row level. Someone correct
me if I'm wrong.

I think you would have to write a middleware layer that accepts queries
directly from the user, then modifies the queries so that they only affect
the rows that they should.

If you do this, you have to be very careful in parsing the queries. For
example, what if you provide a function to him that executes this query:

SELECT ___ WHERE hisID=1000 AND ___

and let him fill in the ___. Guess what, that's not secure at all! He
could do:

SELECT * FROM table WHERE hisID=1000 AND 1 OR 1

and he's bypassed your security check. You'll have to think about this
carefully if you try to do this.
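Worked example of the point above (added here; not code from the poster or from MySQL): the fill-in-the-blank template is run against a constructed SQLite table so the `1 OR 1` bypass can be seen, alongside a middleware variant that never accepts a raw SQL fragment. Instead it takes a structured filter (column and operator checked against an allowlist, value bound as a parameter) and always binds the owner id itself. The table, column names and `hisID` values below are assumptions.

```python
import sqlite3

# Constructed sample data (assumption): rows owned by several users, keyed by hisID.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, hisID INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, 1000, "alpha"), (2, 1000, "beta"), (3, 2000, "gamma"), (4, 3000, "delta")],
    )
    return conn


def naive_scoped_query(conn, user_id, fragment):
    # The pattern criticised in the post: the user fills in the blank after AND.
    # Precedence makes "hisID=1000 AND 1 OR 1" read as "(hisID=1000 AND 1) OR 1",
    # so the owner check is discarded.
    sql = f"SELECT id FROM items WHERE hisID={int(user_id)} AND {fragment}"
    return [row[0] for row in conn.execute(sql)]


# Allowlists for the structured filter; the owner column is deliberately absent
# so the caller can never override the scoping condition.
ALLOWED_COLUMNS = {"id", "name"}
ALLOWED_OPS = {"=", "<", ">", "LIKE"}


def safe_scoped_query(conn, user_id, column, op, value):
    # Only the column and operator (both allowlisted) are spliced into SQL text;
    # the owner id and the user's value travel as bound parameters.
    if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
        raise ValueError("filter not permitted")
    sql = f"SELECT id FROM items WHERE hisID = ? AND {column} {op} ?"
    return [row[0] for row in conn.execute(sql, (user_id, value))]


if __name__ == "__main__":
    db = make_db()
    print("naive, honest filter:", naive_scoped_query(db, 1000, "name='alpha'"))
    print("naive, bypass:       ", naive_scoped_query(db, 1000, "1 OR 1"))
    print("safe, honest filter: ", safe_scoped_query(db, 1000, "name", "=", "alpha"))
    print("safe, injected value:", safe_scoped_query(db, 1000, "name", "=", "x' OR 1 OR '"))
```

The naive call with `1 OR 1` returns every row in the table, which is exactly the failure the post describes; the structured version returns only rows with `hisID = 1000`, and an injected value is matched as a literal string rather than executed. Adding parentheses around the fragment would defeat this particular precedence trick but not other ways of escaping the fragment, so not accepting SQL text from the user at all is the simpler guarantee.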

