Tue, Aug 15 2006 1:23 PM

Nate
This is not specifically a dbisam question, but will be used with a dbisam query. I am adding an 'admin SQL' function to a form which will allow an administrator to manually enter an sql query
for my database. However, I do not want the administrator to be able to modify the database in any way (i.e. no Delete, Insert, Update, etc.). I have a TMemo box in which the code will be
entered, and then a button that when clicked performs the query and displays the results in a TDBISAM grid.

I was going to have the memo box search for these words (delete, insert, etc.) before it can do an SQL query, but cannot figure out how to do a search on the memo box for this.

Maybe there is an easier way to restrict any editing of the database from an SQL statement?  

Thanks
Tue, Aug 15 2006 2:13 PM

Roy Lambert

NLH Associates

Team Elevate

Nate

>I was going to have the memo box search for these words (delete, insert, etc.) before it can do an SQL query, but cannot figure out how to do a search on the memo box for this.

Pos('delete',LowerCase(Memo1.Lines.Text))

Roy Lambert
Tue, Aug 15 2006 2:28 PM

Nate
>Pos('delete',LowerCase(Memo1.Lines.Text))

Awesome, thanks, that works. Also, does anyone have a list of functions that should be restricted?

So far I have come up with:
Delete
Update
Create
Add
Alter
Insert

There must be more than that though?

Thanks
Wed, Aug 16 2006 6:06 AM

adam
Dear Nate,

I always start with checking that the first word in the statement is "SELECT" ... using POS as shown above. Then you know at least the first part of
any SQL is OK.

Then if you also check for POS of ";" users can only write a single "SELECT" & cannot write additional sections of a script ... so you are safe.

Watch out for checking for words like "delete", "insert", "Update" etc., as some DB structures may have field names using these,
i.e. "UpdatedOrders" ... I know it is unlikely, but it does happen!

Adam
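The two approaches in this thread, Nate's substring search over the keyword list and Adam's "first word must be SELECT, no semicolon, and beware of field names like UpdatedOrders", side by side in working code. This is an added example written in Python so the logic is easy to read and test; it is not code from the thread or from DBISAM, and the keyword list, the tokenizer and the sample statements are constructed for the example. The tokenizer assumes standard SQL string literals (single quotes, '' as the escaped quote), which is an assumption about the engine rather than something the thread states.

```python
import re

# Nate's list plus DROP. Any of these appearing as a whole word outside a
# string literal means the statement is not read-only. (Constructed list.)
BLOCKED_KEYWORDS = frozenset({
    "delete", "update", "insert", "create", "alter", "drop", "add",
})

# Tokenizer for the stricter check. Alternatives are tried in order: a
# quoted string literal ('' escapes a quote; assumed standard SQL syntax),
# a block comment, a line comment, a word, or any other single non-space
# character such as ';'.
_TOKEN_RE = re.compile(
    r"""'(?:[^']|'')*'          # string literal
      | /\*.*?\*/               # block comment
      | --[^\n]*                # line comment
      | [A-Za-z_][A-Za-z0-9_]*  # identifier or keyword
      | \S                      # anything else, one character at a time
    """,
    re.VERBOSE | re.DOTALL,
)


def naive_check(sql: str) -> list:
    """Nate's approach: Pos(keyword, LowerCase(text)) > 0 for every keyword.

    Returns the keywords found as substrings, sorted. Note that it flags
    'UpdatedOrders' and words inside string literals, which is exactly the
    false positive Adam warns about.
    """
    lowered = sql.lower()
    return sorted(kw for kw in BLOCKED_KEYWORDS if kw in lowered)


def check_read_only(sql: str) -> tuple:
    """Whitelist check in Adam's spirit: returns (allowed, reason).

    Allowed only if the first word is SELECT, no ';' appears outside a string
    literal (so no second statement can follow), no blocked keyword appears as
    a whole word outside a literal, and there are no comments at all.
    Comments are rejected rather than stripped, so this checker can never
    disagree with the database engine about where a comment ends.
    """
    words = []
    for tok in _TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            continue                       # literal text is data, not SQL
        if tok.startswith("/*") or tok.startswith("--"):
            return False, "comments are not allowed"
        words.append(tok)
    if not words:
        return False, "empty statement"
    if words[0].lower() != "select":
        return False, "statement must begin with SELECT"
    for w in words[1:]:
        if w == ";":
            return False, "only a single statement is allowed"
        if w.lower() in BLOCKED_KEYWORDS:
            return False, "keyword %s is not allowed" % w.upper()
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample statements an administrator might type.
    samples = [
        "SELECT * FROM UpdatedOrders WHERE Qty > 5",
        "SELECT Name FROM Orders WHERE Note = 'please delete me'",
        "SELECT 1; DELETE FROM Orders",
        "DELETE FROM Orders",
    ]
    for s in samples:
        print("%-60s naive=%s strict=%s" % (s, naive_check(s), check_read_only(s)))
```

The whole-word check avoids rejecting a legitimate query against a table called UpdatedOrders, and an unterminated quote is tokenized as a lone character so that anything after it is still inspected (the check fails closed). The same tokenizer is straightforward to port to Delphi with Pos and LowerCase. Either way, this is a front-end guard only; Bernd's suggestion of a database account granted only the read right is the control that actually stops a write if the guard is ever wrong.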
Wed, Aug 16 2006 1:53 PM

Bernd Kuhlmann
Nate,

> This is not specifically a dbisam question, but will be used with a dbisam
> query.  I am adding a 'admin SQL' function to  a form which will allow an
> administrator to manually enter an sql query
> for my database.  However, I do not want the administrator to be able to
> modify the database in any way (ie. no Delete, Insert, Update, etc.).  I
> have a TMemo box in which the code will be entered, and then a button that
> when clicked performs the query and displays the results in a TDBISAM
> grid.
>
> I was going to have the memo box search for these words (delete, insert,
> etc.) before it can do an SQL query, but cannot figure out how to do a
> search on the memo box for this.
>
> Maybe there is an easier way to restrict any editing of the database from
> an SQL statement?

Do you use the database server? If yes, you could create a special database
user who has only been granted the read right.

Bernd