Reputation: 7486
Convert an UPDATE into a SELECT
I'm making a simple web interface to allow execution of queries against a database (yeah, I know, I know it's a really bad practice, but it's a private website used only by a few trusted users that currently use directly a DB manager to execute these queries, so the web interface is only to make more automatic the process).
The thing is that, for safety, whenever an UPDATE query is detected I want to first execute a SELECT statement "equivalent" to the update (keeping WHERE clause) to retrieve how many records are going to be affected prior to execute the UPDATE.
The idea is to replace "UPDATE" by "SELECT * FROM" and remove the whole "SET" clause without removing the "WHERE".
I'm trying replacing UPDATE\s*(.*?)\s*SET.*(\s*WHERE\s*.*) by SELECT * FROM \1 \2 and similar but i'm having troubles when there is no "WHERE" clause (uncommon, but possible).
edit: It's pretty hard to explain why I need this to be done like this, but I do, I know about stored procedures, query builders, transactions, etc... but for my case it's not what I need to be able to do.
Upvotes: 0
Views: 84
Answers (1)
Reputation: 1269753
You should fix your design. There is nothing wrong with users updating data in a database. The question is how they do it. My strong suggestion is to wrap the update statements in stored procedures. Then only allow updates through the stored procedures.
There are several main reasons why I prefer this approach:
- I think a well-designed API produces more stable and maintainable code.
- The stored procedures control security.
- The stored procedures allow better logging of what is happening in the database.
- The stored procedures provide control over what users can do.
In your case, though, they offer another advantage. Because all the update code is on the database-side, you know what the update statements look like. So, you can then decide how you want to get the "pre-counts" (which is what I assume you are looking for).
EDIT:
There is also an important flaw in your design (as you describe it). The data might change between the update and the select. If you use stored procedures, there are ways to address this. For instance, you can wrap the operations in a transaction. Or, you use a SELECT to get the rows to be updated, lock those rows (depending on the database), and only do the update on those rows.
Upvotes: 2
Related Questions
- How to use regexp_matches() in an UPDATE statement?
- Extract string from text field in PostgreSQL (using regex?)
- UPDATE SQL statement using regex
- Update a string using regular expressions in SQL
- Parse SQL with REGEX to find Physical Update
- SQL update with regular expressions
- RegEx with MySql Update
- Regex to Extract Update Columns from a Sql Statement
- Using Reg Ex in a mySQL update statement
- Can MySQL do regular expression substitution in an UPDATE?