Drop Down Boxes And Dynamic SQL


I was hoping somebody had a class or examples of this.

I need to have a box on a webpage that the user can type SQL into. However, the user also needs the option of being able to create the SQL using drop down boxes.

So if a user chooses drop down boxes, the SQL would be created based on that. But if they entered the SQL into a text box, the drop down boxes would be selected to match the query criteria.

The drop downs and the text box won't have to be on the same page. There will be a basic page with the drop downs on and then an advanced page for the text box, or if it's easier, they'd both be on the same page. It doesn't matter which.

The SQL entered could be INSERT, UPDATE, DELETE, but not DROP or anything that could do major damage.

Thanks for any help.


I would advise you not to go this way (letting users type their own SQL queries). Why? First of all, any query except insert or select can do major damage.

For instance:
UPDATE sometable SET colname1='', colname2=''...   // this would replace all data with empty strings in all rows because of a missing WHERE part. The same goes for the DELETE statement
DELETE FROM tablename;  // no WHERE clause, this would delete all rows from that table

So, you see where this goes.. Do you really wanna do this?


m4cc4 (Author) Commented:
Thanks for the advice, but I need to find a way to do this.

The drop downs and boxes will be in an admin section which only certain users will be able to access.

With all due respect, you are opening a huge can of worms here. Not to mention the glaring security issues already touched on by gruntar, to accept freeform text as a query is a huge job. You have to write a complete parsing system that recognizes every SQL function, keyword and operator and understand the rules behind each one if you are going to offer any kind of error messages when they type in a bad query.

For example, what if I were to enter this...

select * from table where field = dog

Obviously an error because the value needs to be quoted because it is a text field. How would you handle this?

And then, to have the text boxes update to match the query, another big job. Even if the query is syntactically correct, what if they refer to fieldnames that don't correspond to the dropdown boxes? The query may be correctly typed in and it may run fine, but there would be no way to update the dropdown boxes because the user queried different fields than the ones the dropdowns represent.
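
An added example, not part of the original thread: one way to cover the drop-down half of the request without accepting free-form SQL is to treat the drop-down selection as the source of truth and generate the statement from it, so the boxes and the query cannot disagree. It uses Python with sqlite3; the `pets` table, the `SCHEMA`, `ACTIONS` and `OPERATORS` allowlists, and the `build_statement` and `run_demo` names are assumptions made for illustration.

```python
import sqlite3

# Constructed allowlists (assumption): what the admin drop-downs may offer.
SCHEMA = {"pets": {"id", "name", "species"}}
ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
OPERATORS = {"=", "<>", "<", ">", "LIKE"}


def build_statement(sel):
    """Turn a drop-down selection (a dict) into (sql, params)."""
    action, table = sel.get("action"), sel.get("table")
    if action not in ACTIONS or table not in SCHEMA:
        raise ValueError("action or table not allowed")  # DROP etc. stop here
    cols = SCHEMA[table]
    conds, cond_params = [], []
    for col, op, val in sel.get("where", []):
        if col not in cols or op not in OPERATORS:
            raise ValueError("unknown column or operator")
        conds.append(f"{col} {op} ?")  # identifier from allowlist, value bound
        cond_params.append(val)
    where = " WHERE " + " AND ".join(conds) if conds else ""
    if action == "SELECT":
        return f"SELECT * FROM {table}{where}", cond_params
    if action in ("UPDATE", "DELETE") and not conds:
        # The missing-WHERE case from the thread: refuse rather than hit every row.
        raise ValueError(f"{action} requires at least one condition")
    if action == "DELETE":
        return f"DELETE FROM {table}{where}", cond_params
    values = sel.get("values", {})
    if not values or not set(values) <= cols:
        raise ValueError("missing or unknown column values")
    names, params = list(values), list(values.values())
    if action == "INSERT":
        marks = ", ".join("?" for _ in names)
        return f"INSERT INTO {table} ({', '.join(names)}) VALUES ({marks})", params
    sets = ", ".join(f"{n} = ?" for n in names)
    return f"UPDATE {table} SET {sets}{where}", params + cond_params


def run_demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pets (id INTEGER PRIMARY KEY, name TEXT, species TEXT)")
    insert = {"action": "INSERT", "table": "pets",
              "values": {"name": "Rex", "species": "dog"}}
    db.execute(*build_statement(insert))
    # "dog" travels as a bound parameter, so the quoting error cannot occur.
    select = {"action": "SELECT", "table": "pets", "where": [("species", "=", "dog")]}
    return db.execute(*build_statement(select)).fetchall()
```

The generated text can still be shown read-only on the advanced page, which avoids having to parse typed SQL back into drop-down state.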


Kshitij Ahuja (Technology Developer) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
[Points Split {AlanJDM} and {gruntar}]

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Kshitij Ahuja
EE Cleanup Volunteer