
What I'm trying to do is have an HTML form that allows anyone to type a SQL query to my database and outputs the information on another page. So far I have the form working and the information carries over to my PHP page through POST and is stored in a variable like so:

$value = $_POST['query'];                 // raw SQL text typed into the form, passed on unchanged
$statement = $database->prepare($value);  // the whole user-supplied string becomes the statement

So for instance if I had a movie database the user could type their own statement like SELECT * movie.name FROM MOVIES; and see results. The problem I'm having trouble with is that the user can type whatever statement they wish, maybe even INSERT new information. I'm wondering how do I output the results on another page.

So far the only thing I came up with is to loop through the results and output but I have no way of knowing how many rows will be present because of how dynamic a query can be.

sippycup
    [How to build a RESTful API](http://stackoverflow.com/questions/4684075/how-to-build-a-restful-api). <-- you need to build an API. – WEBjuju Dec 08 '16 at 23:11
  • 1
    Yes, there is not much left that is riskier than doing that. – Jeff Dec 08 '16 at 23:11
  • 1
    its more of a getting the concept to work but I do understand that it has no real use and is dangerous. – sippycup Dec 08 '16 at 23:12
  • Basically your question is how to limit what users can insert as a `query`, but that's the whole *risk* part, but now you say it's not a matter of security? Then, what is your *question* exactly? In my opinion you should do it more controlled, where they insert the movie name, and you search it for them. Also, define: *"on another page"* as that can change the answer as well. – Nytrix Dec 08 '16 at 23:18
  • Basically I want the most arbitrary SQL queries to be executed and the answers to be brought on a separate page. This includes SELECT, INSERT, and UPDATE being allowed. The other page will simply be a that organizes the information. – sippycup Dec 08 '16 at 23:25
  • Although it still sounds like a very flawed and risky design, I suggest you simply create a new user on your mysql server that is only allowed to perform SELECT, INSERT and UPDATE queries and only on that database. Then use those user credentials to connect to the database in your script. They could still try any other query, but simply get an error returned if they do. – icecub Dec 08 '16 at 23:40
  • Just don't come crying over here when some spider spambot realises how wide open your database is and spams it with billions of queries full of useless data. – icecub Dec 08 '16 at 23:44
  • It's an edification project and will not be used for any other purpose and I do know how dumb and risky it is. – sippycup Dec 08 '16 at 23:48
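The two practical points in the thread, a database account restricted the way icecub describes and a result page that does not need to know the column list in advance (the asker's second problem), put together as an added example. This is not the asker's code; the host, database name, account name and password are placeholders, and the account is assumed to have been created beforehand with the GRANT shown in the comment (SELECT alone is the safer grant if the page only needs to read).

```php
<?php
// Added example, not code from the question. Assumes an account created once
// by an administrator, following icecub's suggestion, e.g.:
//   CREATE USER 'movies_limited'@'localhost' IDENTIFIED BY '<placeholder>';
//   GRANT SELECT, INSERT, UPDATE ON movies.* TO 'movies_limited'@'localhost';
// Anything outside that grant (DROP, GRANT, other databases) fails server-side.
declare(strict_types=1);

$database = new PDO(
    'mysql:host=localhost;dbname=movies;charset=utf8mb4', // placeholder DSN
    'movies_limited',                                      // placeholder account
    '<placeholder-password>',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare: one statement per call
    ]
);

$value = $_POST['query'] ?? '';

try {
    $statement = $database->prepare($value);
    $statement->execute();

    // No result set (INSERT/UPDATE): report the affected-row count and stop.
    if ($statement->columnCount() === 0) {
        echo '<p>' . $statement->rowCount() . ' row(s) affected.</p>';
        exit;
    }

    // Result set of unknown shape: take the header from the first row's keys,
    // then stream every row; nothing about the column count is assumed.
    echo '<table>';
    $headerDone = false;
    while ($row = $statement->fetch(PDO::FETCH_ASSOC)) {
        if (!$headerDone) {
            echo '<tr>';
            foreach (array_keys($row) as $col) {
                echo '<th>' . htmlspecialchars($col, ENT_QUOTES, 'UTF-8') . '</th>';
            }
            echo '</tr>';
            $headerDone = true;
        }
        echo '<tr>';
        foreach ($row as $cell) { // escape every cell: it is attacker-controlled data
            echo '<td>' . htmlspecialchars((string) $cell, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        echo '</tr>';
    }
    echo '</table>';
} catch (PDOException $e) {
    error_log($e->getMessage());            // keep server/schema details out of the page
    echo '<p>Query could not be executed.</p>';
}
```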

0 Answers