Drop Down Boxes And Dynamic SQL

Hi,

I was hoping somebody had a class or examples of this.

I need to have a box on a webpage that the user can type SQL into. However, the user also needs the option of being able to create the SQL using drop down boxes.

So if a user chooses drop down boxes, the SQL would be created based on that. But if they entered the SQL into a text box, the drop down boxes would be selected to match the query criteria.

The drop downs and the text box won't have to be on the same page. There will be a basic page with the drop downs on and then an advanced page for the text box, or if it's easier, they'd both be on the same page. It doesn't matter which.

The SQL entered could be INSERT, UPDATE, DELETE, but not DROP or anything that could do major damage.

Thanks for any help.

m4cc4
0
m4cc4
Asked:
m4cc4
2 Solutions
 
gruntar Commented:
Hi,
I would advise you not to go this way (letting users type their own SQL queries). Why? First of all, any query except insert or select can do major damage.

For instance:
UPDATE sometable SET colname1='', colname2=''...   // this would replace all data with empty strings in all rows because of the missing WHERE part. The same goes for the DELETE statement
DELETE FROM tablename;  // no WHERE clause, this would delete all rows from that table

So, you see where this goes.. Do you really wanna do this?

Cheers
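As an added example (not code from the thread or from the asker's project) of the footgun gruntar describes, and of one guard a practitioner can put in front of typed DML: execute the statement inside a transaction, look at how many rows it touched, and roll it back when the count exceeds a limit. It uses an in-memory SQLite table seeded with constructed rows; the `users` table, its columns, the row limit and the sample data are assumptions for this example, not anything from the original question.

```python
import sqlite3

# Constructed sample data; the table and rows are assumptions for this
# example, not anything from the original question.
SAMPLE_ROWS = [
    (1, "alice", "active"),
    (2, "bob", "active"),
    (3, "carol", "disabled"),
]

# The question wants INSERT/UPDATE/DELETE but nothing like DROP. A verb
# check is only a first filter (it knows nothing about what the statement
# does); the guard below limits how much a typed statement can change.
ALLOWED_VERBS = ("INSERT", "UPDATE", "DELETE")


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def is_allowed_verb(sql):
    """True if the statement's leading keyword is one of ALLOWED_VERBS."""
    words = sql.split(None, 1)
    return bool(words) and words[0].upper() in ALLOWED_VERBS


def guarded_execute(conn, sql, max_rows):
    """Run one typed DML statement inside a transaction and keep it only if
    it touched at most max_rows rows; otherwise roll it back.

    Returns (committed, rows_touched). The sqlite3 module opens a
    transaction implicitly before INSERT/UPDATE/DELETE, so rollback()
    undoes the statement completely.
    """
    if not is_allowed_verb(sql):
        raise ValueError("statement type not allowed")
    cur = conn.execute(sql)          # raises if more than one statement is passed
    touched = cur.rowcount           # rows changed by this statement
    if touched > max_rows:
        conn.rollback()
        return False, touched
    conn.commit()
    return True, touched


def row_count(conn):
    """Number of rows currently in users."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # A WHERE clause keeps the change to one row, so it is committed.
    print(guarded_execute(db, "UPDATE users SET status = '' WHERE id = 2", 1))
    # Missing WHERE: every row would be blanked, so it is rolled back.
    print(guarded_execute(db, "UPDATE users SET status = ''", 1))
    # Same for DELETE with no WHERE clause.
    print(guarded_execute(db, "DELETE FROM users", 1))
    print(row_count(db))
```

The row-count check only bounds the blast radius of a statement that was going to run anyway; it is not an authorization control. The database account the page uses should still be limited to the tables and statement types the admin section actually needs, so that a statement the filter lets through cannot do more than the account is allowed to.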
 
m4cc4 (Author) Commented:
Thanks for the advice, but i need to find a way to do this.

The drop downs and boxes will be in an admin section which only certain users will be able to access.

m4cc4
 
AlanJDM Commented:
With all due respect, you are opening a huge can of worms here. Not to mention the glaring security issues already touched on by gruntar, accepting freeform text as a query is a huge job. You have to write a complete parsing system that recognizes every SQL function, keyword and operator and understands the rules behind each one if you are going to offer any kind of error messages when they type in a bad query.

For example, what if I were to enter this...

select * from table where field = dog

Obviously an error, because the value needs to be quoted since it is a text field. How would you handle this?

And then, having the text boxes update to match the query is another big job. Even if the query is syntactically correct, what if they refer to field names that don't correspond to the dropdown boxes? The query may be correctly typed in and it may run fine, but there would be no way to update the dropdown boxes because the user queried different fields than the ones the dropdowns represent.


Alan

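An added example (not code from the thread or from the asker's project) of the two-way mapping the question asks for, built the way a security engineer would rather see it: the basic page turns dropdown picks into a parameterised query whose identifiers come only from an allow-list, and the advanced page maps a typed query back onto the dropdowns only when it has exactly the shape the builder produces. That deliberately sidesteps the full SQL parser AlanJDM warns about: anything outside that shape, including his unquoted `dog` example and a query against a field the dropdowns do not offer, is reported as not representable rather than guessed at. The `users` table, its columns, the operator set and the sample rows are assumptions for this example; it shows a SELECT filter only, and the same pattern extends to the other statement types.

```python
import re
import sqlite3

# Constructed allow-list describing what the dropdowns can express. The
# table, its columns and the operator set are assumptions for this example.
DROPDOWN_TABLES = {"users": ("id", "name", "status")}
DROPDOWN_OPERATORS = ("=", "<>", "<", ">", "LIKE")


def build_query(table, field, operator, value):
    """Basic page: turn three dropdown picks and one text value into SQL.

    Identifiers are spliced in only after being checked against the
    allow-list; the value is passed as a bound parameter, never quoted
    into the string, so a user typing a quote cannot change the query.
    """
    if table not in DROPDOWN_TABLES:
        raise ValueError(f"unknown table: {table!r}")
    if field not in DROPDOWN_TABLES[table]:
        raise ValueError(f"unknown field: {field!r}")
    if operator not in DROPDOWN_OPERATORS:
        raise ValueError(f"unknown operator: {operator!r}")
    sql = f"SELECT * FROM {table} WHERE {field} {operator} ?"
    return sql, (value,)


# The only query shape the advanced page is prepared to map back onto the
# dropdowns: exactly what build_query emits, with a quoted literal value.
_SHAPE = re.compile(
    r"^\s*SELECT\s+\*\s+FROM\s+(\w+)\s+WHERE\s+(\w+)\s*"
    r"(=|<>|<|>|LIKE)\s*'((?:[^']|'')*)'\s*;?\s*$",
    re.IGNORECASE,
)


def parse_query(sql):
    """Advanced page: recover dropdown selections from a typed query.

    Returns a dict of selections, or None when the query does not fit the
    recognised shape or names a table/field the dropdowns do not offer. A
    None result is the case AlanJDM describes: the query may be valid SQL,
    but the basic page cannot represent it.
    """
    m = _SHAPE.match(sql)
    if not m:
        return None
    table, field, operator, value = m.groups()
    table, field, operator = table.lower(), field.lower(), operator.upper()
    if table not in DROPDOWN_TABLES or field not in DROPDOWN_TABLES[table]:
        return None
    return {
        "table": table,
        "field": field,
        "operator": operator,
        "value": value.replace("''", "'"),   # undo SQL quote doubling
    }


def demo_binding():
    """Constructed check that a hostile value is bound as data, not SQL.

    Builds a tiny in-memory table and queries it with a value that would
    alter the WHERE clause if it were spliced into the string; as a bound
    parameter it simply matches nothing. Returns the number of rows found.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "active"), (2, "bob", "disabled")])
    sql, params = build_query("users", "status", "=", "x' OR '1'='1")
    return len(conn.execute(sql, params).fetchall())
```

When `parse_query` returns None the page has a decision to make: either run the typed query anyway with the dropdowns shown as "custom", or refuse it. Refusing is the safer default, because it keeps every query the admin section will execute inside the allow-list the dropdowns define.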
 
Kshitij Ahuja Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
[Points Split {AlanJDM} and {gruntar}]

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Kshitij Ahuja
EE Cleanup Volunteer
