validating SQL statement

artoo

Just wondering how one would go about validating a SELECT SQL query statement enterted by the user.

Thanks for any ideas.

LordShryku

Run it.

artoo

how would you validate the WHERE clause of the SELECT statement before running the query so no warning messages are shown?

Thanks

LordShryku

There doesn't have to be a where clause in a sql statement. I'd think the most important thing to actually validate would be the SELECT part of it, which could just be a substr call.

$sql = trim($_POST['sql']); # trim whitespace
if(strtoupper(substr($sql, 0, 6)) == 'SELECT') {
   # valid
}
else {
   echo 'This must be a SELECT statement';
}

Beyond that, run the query, then display the error. If you're giving them a text box to put in direct sql statements, let the sql engine do the validation for you.

if(($res = mysql_query($sql)) !== false) {
   # fetch the results
}
else {
   echo 'You have an error in your SQL.<br />MySQL said: '.mysql_error();
}