{"html_url": "https://github.com/simonw/datasette/issues/1546#issuecomment-997124280", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1546", "id": 997124280, "node_id": "IC_kwDOBm6k_c47bui4", "user": {"value": 9599, "label": "simonw"}, "created_at": "2021-12-18T02:05:16Z", "updated_at": "2021-12-18T02:05:16Z", "author_association": "OWNER", "body": "Sure - there are actually several levels to this.\r\n\r\nThe code that creates connections to the database is this: https://github.com/simonw/datasette/blob/83bacfa9452babe7bd66e3579e23af988d00f6ac/datasette/database.py#L72-L95\r\n\r\nFor files on disk, it does this:\r\n```python\r\n# For read-only connections\r\nconn = sqlite3.connect( \"file:my.db?mode=ro\", uri=True, check_same_thread=False)\r\n# For connections that should be treated as immutable:\r\nconn = sqlite3.connect( \"file:my.db?immutable=1\", uri=True, check_same_thread=False)\r\n```\r\nFor in-memory databases it runs this after the connection has been created:\r\n```python\r\nconn.execute(\"PRAGMA query_only=1\")\r\n```\r\nSQLite `PRAGMA` queries are treated as dangerous: someone could run `PRAGMA query_only=0` to turn that previous option off for example.\r\n\r\nSo this function runs against any incoming SQL to verify that it looks like a `SELECT ...` and doesn't have anything like that in it.\r\n\r\nhttps://github.com/simonw/datasette/blob/83bacfa9452babe7bd66e3579e23af988d00f6ac/datasette/utils/__init__.py#L195-L204\r\n\r\nYou can see the tests for that here: https://github.com/simonw/datasette/blob/b1fed48a95516ae84c0f020582303ab50ab817e2/tests/test_utils.py#L136-L170", "reactions": "{\"total_count\": 1, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 1, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1076057610, "label": "validating the sql"}, "performed_via_github_app": null}