From: | "David Wilson" <david(dot)t(dot)wilson(at)gmail(dot)com> |
---|---|
To: | "Webb Sprague" <webb(dot)sprague(at)gmail(dot)com> |
Cc: | "Steve Atkins" <steve(at)blighty(dot)com>, "pgsql General" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Semi-customized queries? Subset of SQL? Accessing the parser? Injection? |
Date: | 2008-11-04 19:31:54 |
Message-ID: | e7f9235d0811041131q58a152c8yc9e666b593ea2ce1@mail.gmail.com |
Lists: | pgsql-general |

On Tue, Nov 4, 2008 at 2:12 PM, Webb Sprague <webb(dot)sprague(at)gmail(dot)com> wrote:
> Can't do that. (Or I wouldn't have asked the question.) Need a WWW
> interface, period.

A WWW interface doesn't preclude the suggestion of simply relying on
permissions to maintain safety and providing what amounts to a query
command line; I've got that exact thing in php for one of my DBs. The
user can't make db changes, and just from paranoia I check the query
for certain bad keywords (delete, insert, into, update, drop, create,
alter, etc) before passing it on. On return, some simple php functions
create a table with the appropriate column names and such.

It's surely the simplest solution, and it definitely will work.

--
- David T. Wilson
david(dot)t(dot)wilson(at)gmail(dot)com
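
The keyword screen described in the message above, sketched in Python as an added example; it is not David Wilson's PHP code or anything posted in the thread. It matches whole words outside string literals and comments and also rejects multi-statement input, which goes beyond what the message describes; `screen_query` and the sample queries are constructed for illustration, and the read-only database role is assumed to remain the control that actually enforces safety.

```python
import re

# Keywords listed in the message; its "etc" is deliberately left unfilled.
BLOCKED = {"delete", "insert", "into", "update", "drop", "create", "alter"}

# Spans the keyword scan must ignore: literals, quoted identifiers, comments.
_SKIP = re.compile(r"""
      '(?:[^']|'')*'     # string literal ('' is an escaped quote)
    | "(?:[^"]|"")*"     # quoted identifier
    | --[^\n]*           # line comment
    | /\*.*?\*/          # block comment
""", re.S | re.X)
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def screen_query(sql):
    """Return (ok, reason). Secondary check only; the read-only role enforces."""
    # Fail closed where quoting depends on server settings or on syntax this
    # scanner does not model (backslash escapes, dollar quoting).
    if "\\" in sql or "$" in sql:
        return False, "unsupported quoting"
    bare = _SKIP.sub(" ", sql)
    if any(mark in bare for mark in ("'", '"', "/*", "*/")):
        return False, "unterminated quote or comment"
    body = bare.strip().rstrip(";").strip()
    if not body:
        return False, "empty query"
    if ";" in body:
        return False, "multiple statements"
    # Whole-word match, so created_at or updates does not trip the filter.
    hits = sorted({w.lower() for w in _WORD.findall(body)} & BLOCKED)
    if hits:
        return False, "blocked keyword: " + ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample queries, not taken from the thread.
    for q in ("SELECT id, created_at FROM orders WHERE note = 'please update me'",
              "SELECT * INTO copy_of_orders FROM orders",
              "select 1; select 2"):
        print(screen_query(q), "<-", q)
```
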