
Stop a user from performing UNION operation on Database

Is there any way I can stop a user from performing a UNION operation on my database?


You could build an EXPLAIN for the query prior to running it and reject the query if there is a mention of UNION in select_type.

This wouldn't allow you to run any DML queries, though, since EXPLAIN does not work on them.

Not that I have any idea why on Earth you would need to do that.


Not that I'd recommend this, but...

if (stripos($_POST['query'],'union') !== false) die("No dice, bro.");

This would obviously have the unwanted side effect of not allowing your user to put the word "union" in any database field without doing something silly like concat('un','ion').


I would basically support reggie. Alternatively you could only scan the input string for the word UNION. Just be aware that this is in any case a security risk.
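
Added example, not part of any answer above: the keyword scan from the second and third answers, written so that "union" inside quoted values or longer names is ignored, which removes the side effect the second answer mentions. The function name containsUnionKeyword() is hypothetical, and MySQL's default sql_mode (backslash escapes enabled) is assumed.

```php
<?php
// Added example, not from the thread. Hypothetical helper; assumes MySQL's
// default sql_mode (backslash escapes enabled).
function containsUnionKeyword(string $sql): bool
{
    $len  = strlen($sql);
    $code = '';                  // query text with quoted sections dropped
    for ($i = 0; $i < $len; ) {
        $ch  = $sql[$i];
        $two = substr($sql, $i, 2);
        // Comment marker outside a literal: scan the rest as-is, skip nothing.
        if ($ch === '#' || $two === '--' || $two === '/*') {
            $code .= substr($sql, $i);
            break;
        }
        if ($ch !== "'" && $ch !== '"' && $ch !== '`') {
            $code .= $ch;
            $i++;
            continue;
        }
        // Quoted literal or identifier: skip to its closing quote.
        $closed = false;
        for ($quote = $ch, $i++; $i < $len; $i++) {
            if ($sql[$i] === '\\' && $quote !== '`') {
                $i++;            // backslash escape: skip the next byte
            } elseif ($sql[$i] === $quote) {
                if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                    $i++;        // doubled quote stays inside the literal
                } else {
                    $closed = true;
                    $i++;
                    break;
                }
            }
        }
        if (!$closed) {
            return true;         // unterminated quote: fail closed
        }
        $code .= ' ';            // the literal becomes a separator
    }
    // A digit before "union" does not exempt it; that errs toward rejecting.
    return preg_match('/(?<![A-Za-z_$])union(?![A-Za-z0-9_$])/i', $code) === 1;
}
// Constructed sample queries.
foreach (["SELECT id FROM org WHERE name = 'European Union'",
          "SELECT a FROM t UNION SELECT b FROM u",
          "SELECT * FROM reunion WHERE note = 'it''s a union' -- x"] as $q) {
    printf("%-6s %s\n", containsUnionKeyword($q) ? 'REJECT' : 'ok', $q);
}
```

Anything after the first comment marker is scanned without quote handling, so a "union" inside a quoted value that follows a comment is still rejected.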
