{"html_url": "https://github.com/simonw/datasette/issues/39#issuecomment-340787868", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/39", "id": 340787868, "node_id": "MDEyOklzc3VlQ29tbWVudDM0MDc4Nzg2OA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2017-10-31T14:54:14Z", "updated_at": "2017-10-31T14:54:14Z", "author_association": "OWNER", "body": "Here\u2019s how I can (I think) provide safe execution of arbitrary SQL while blocking PRAGMA calls: let people use named parameters in their SQL and apply strict filtering to the SQL query but not to the parameter values.\r\n\r\n cur.execute(\r\n \"select * from people where name_last=:who and age=:age\", {\r\n \"who\": who,\r\n \"age\": age\r\n })\r\n\r\nIn URL form:\r\n\r\n ?sql=select...&who=Terry&age=34\r\n\r\nNow we can apply strict, dumb validation rules to the SQL part while allowing anything in the named queries - so people can execute a search for PRAGMA without being able to execute a PRAGMA statement.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 268469569, "label": "Protect against malicious SQL that causes damage even though our DB is immutable"}, "performed_via_github_app": null}
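The separation the comment proposes, worked through as an added example (this is not code from the comment or from Datasette): the SQL text from `?sql=` is checked with strict, dumb rules, while every other query-string key is bound as a named parameter and never inspected. Because bound values travel to SQLite as data, `who=PRAGMA` is an ordinary search term, whereas `sql=PRAGMA table_info(people)` is refused. The keyword regex, the in-memory `people` table and the `sqlite3` authorizer callback are my own assumptions for illustration; the authorizer is added as a second layer because a keyword blocklist on its own is easy to get wrong, and SQLite enforces the authorizer at prepare time regardless of how the statement text is spelled.

```python
"""Added example: strict rules on the SQL text, free-form values via named parameters."""
import re
import sqlite3
from urllib.parse import parse_qs

# Dumb blocklist applied to the SQL text only (never to parameter values).
FORBIDDEN = re.compile(
    r"\b(pragma|attach|detach|vacuum|insert|update|delete|drop|create|alter|replace|reindex)\b",
    re.IGNORECASE,
)


class UnsafeSQL(ValueError):
    """Raised when the SQL text fails the strict validation rules."""


def validate_sql(sql: str) -> None:
    """Reject anything that is not a single, plain SELECT statement."""
    if ";" in sql:
        raise UnsafeSQL("statement stacking (';') is not allowed")
    if not re.match(r"^\s*select\b", sql, re.IGNORECASE):
        raise UnsafeSQL("only SELECT statements are allowed")
    hit = FORBIDDEN.search(sql)
    if hit:
        raise UnsafeSQL(f"forbidden keyword in SQL text: {hit.group(0)}")


def sql_is_allowed(sql: str) -> bool:
    try:
        validate_sql(sql)
    except UnsafeSQL:
        return False
    return True


def named_params(sql: str) -> list[str]:
    """Names of the :param placeholders that appear in the SQL text."""
    return sorted(set(re.findall(r":([A-Za-z_]\w*)", sql)))


def query_from_url(conn: sqlite3.Connection, query_string: str) -> list[tuple]:
    """Emulate ?sql=...&who=...&age=...: validate the SQL, bind the rest as parameters."""
    qs = parse_qs(query_string, keep_blank_values=True)
    sql = qs.pop("sql", [""])[0]
    validate_sql(sql)
    params = {}
    for name in named_params(sql):
        if name not in qs:
            raise UnsafeSQL(f"missing value for :{name}")
        params[name] = qs[name][0]  # raw user value, passed to SQLite as data
    return conn.execute(sql, params).fetchall()


def open_demo_db() -> sqlite3.Connection:
    """Constructed sample data (assumption) plus a read-only authorizer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table people (id integer primary key, name_last text, age integer);
        insert into people (name_last, age) values ('Terry', 34), ('PRAGMA', 34), ('Jones', 50);
        """
    )

    # Defense in depth: SQLite consults this callback while preparing every
    # statement, so PRAGMA/ATTACH/writes are denied even if the regex misses them.
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def denied_by_authorizer(conn: sqlite3.Connection, sql: str) -> bool:
    """True if SQLite refuses to prepare the statement (bypassing our regex entirely)."""
    try:
        conn.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = open_demo_db()
    print(query_from_url(db, "sql=select+name_last+from+people+where+name_last%3D%3Awho&who=PRAGMA"))
    print(sql_is_allowed("PRAGMA table_info(people)"))
    print(denied_by_authorizer(db, "PRAGMA table_info(people)"))
```

Note that `parse_qs` already URL-decodes the SQL, so the `=` and `:` in `name_last=:who` arrive intact; the values for `who` and `age` are taken verbatim and bound by SQLite, which also means `age=34` compares correctly against the integer column through SQLite's type affinity rules.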