html_url,issue_url,id,node_id,user,user_label,created_at,updated_at,author_association,body,reactions,issue,issue_label,performed_via_github_app https://github.com/simonw/datasette/issues/39#issuecomment-340787868,https://api.github.com/repos/simonw/datasette/issues/39,340787868,MDEyOklzc3VlQ29tbWVudDM0MDc4Nzg2OA==,9599,simonw,2017-10-31T14:54:14Z,2017-10-31T14:54:14Z,OWNER,"Here’s how I can (I think) provide safe execution of arbitrary SQL while blocking PRAGMA calls: let people use named parameters in their SQL and apply strict filtering to the SQL query but not to the parameter values. cur.execute( ""select * from people where name_last=:who and age=:age"", { ""who"": who, ""age"": age }) In URL form: ?sql=select...&who=Terry&age=34 Now we can apply strict, dumb validation rules to the SQL part while allowing anything in the named queries - so people can execute a search for PRAGMA without being able to execute a PRAGMA statement.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",268469569,Protect against malicious SQL that causes damage even though our DB is immutable,