{"html_url": "https://github.com/simonw/datasette/issues/39#issuecomment-340787868", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/39", "id": 340787868, "node_id": "MDEyOklzc3VlQ29tbWVudDM0MDc4Nzg2OA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2017-10-31T14:54:14Z", "updated_at": "2017-10-31T14:54:14Z", "author_association": "OWNER", "body": "Here\u2019s how I can (I think) provide safe execution of arbitrary SQL while blocking PRAGMA calls: let people use named parameters in their SQL and apply strict filtering to the SQL query but not to the parameter values.\r\n\r\n cur.execute(\r\n \"select * from people where name_last=:who and age=:age\", {\r\n \"who\": who,\r\n \"age\": age\r\n })\r\n\r\nIn URL form:\r\n\r\n ?sql=select...&who=Terry&age=34\r\n\r\nNow we can apply strict, dumb validation rules to the SQL part while allowing anything in the named queries - so people can execute a search for PRAGMA without being able to execute a PRAGMA statement.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 268469569, "label": "Protect against malicious SQL that causes damage even though our DB is immutable"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/39#issuecomment-339406634", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/39", "id": 339406634, "node_id": "MDEyOklzc3VlQ29tbWVudDMzOTQwNjYzNA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2017-10-25T17:27:10Z", "updated_at": "2017-10-25T17:27:10Z", "author_association": "OWNER", "body": "It certainly looks like some of the stuff in https://sqlite.org/pragma.html could be used to screw around with things. 
Example: `PRAGMA case_sensitive_like = 1` - would that affect future queries?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 268469569, "label": "Protect against malicious SQL that causes damage even though our DB is immutable"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/39#issuecomment-339413825", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/39", "id": 339413825, "node_id": "MDEyOklzc3VlQ29tbWVudDMzOTQxMzgyNQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2017-10-25T17:48:48Z", "updated_at": "2017-10-25T17:48:48Z", "author_association": "OWNER", "body": "Could I use https://sqlparse.readthedocs.io/en/latest/ to parse incoming statements and ensure they are pure SELECTs? Would that prevent people from using a compound SELECT statement to trigger an evil PRAGMA of some sort?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 268469569, "label": "Protect against malicious SQL that causes damage even though our DB is immutable"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/39#issuecomment-339510770", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/39", "id": 339510770, "node_id": "MDEyOklzc3VlQ29tbWVudDMzOTUxMDc3MA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2017-10-26T00:07:40Z", "updated_at": "2017-10-26T00:07:40Z", "author_association": "OWNER", "body": "It looks like I should double quote my columns and ensure they are correctly escaped https://blog.christosoft.de/2012/10/sqlite-escaping-table-acolumn-names/ - hopefully using ? placeholders for column names will work. I should use ? 
for tables too.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 268469569, "label": "Protect against malicious SQL that causes damage even though our DB is immutable"}, "performed_via_github_app": null}
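Added worked example, written for this page and not taken from Datasette or from the issue thread, that exercises the ideas discussed in the comments above: the SQL text gets strict, dumb validation while the named-parameter values are bound untouched (so a search for the string "PRAGMA" is allowed but a PRAGMA statement is not); table and column names are double-quoted and checked against the real schema, since SQLite placeholders bind values only and cannot stand in for identifiers; and PRAGMA case_sensitive_like is shown to persist for later queries on the same connection. The sample table, the sample data and the helper names (validate_sql, run_query, quote_identifier, column_exists, like_is_case_sensitive) are assumptions made for the demonstration; sqlparse is not used, the checks are plain regexes.

```python
import re
import sqlite3

# Added example (not Datasette's code). The SQL text is allow-listed with
# dumb, strict rules; the named-parameter values are never inspected, so a
# visitor may search *for* the string "PRAGMA" without ever running one.

SELECT_RE = re.compile(r"^\s*select\b", re.IGNORECASE)


def validate_sql(sql):
    """Strict, dumb check applied to the SQL text only (never to parameter values).

    Allows a single SELECT statement and nothing else. The checks are deliberately
    crude: a second statement after ';' is refused, and any token beginning with
    'pragma' is refused, which also catches the pragma_* table-valued functions.
    """
    if not SELECT_RE.match(sql):
        raise ValueError("only SELECT statements are allowed")
    if ";" in sql:
        raise ValueError("statement separators are not allowed")
    if re.search(r"\bpragma", sql, re.IGNORECASE):
        raise ValueError("PRAGMA is not allowed in the SQL text")
    return sql


def run_query(conn, sql, params):
    """Validate the SQL text, then bind the named parameters as plain values."""
    return conn.execute(validate_sql(sql), params).fetchall()


def quote_identifier(name):
    """Double-quote a table or column name, doubling embedded quotes.

    Placeholders (? or :name) bind values only; SQLite does not accept them as
    table or column names, so identifiers must be quoted like this instead.
    """
    return '"' + name.replace('"', '""') + '"'


def column_exists(conn, table, column):
    """Allow-list a user-supplied column name against the real schema.

    Needed because default SQLite builds treat a double-quoted name that matches
    no column as a string literal (the legacy DQS misfeature), so a bad identifier
    may silently become a constant instead of raising an error.
    Uses the pragma_table_info() table-valued function (SQLite 3.16+); the
    application may run pragmas even though visitors may not.
    """
    rows = conn.execute("select name from pragma_table_info(?)", (table,)).fetchall()
    return column in {r[0] for r in rows}


def like_is_case_sensitive(conn):
    """Probe the connection-level state that PRAGMA case_sensitive_like changes."""
    return conn.execute("select 'A' like 'a'").fetchone()[0] == 0


def build_db():
    # Constructed sample data for the demonstration (assumption, not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (name_last text, age integer)")
    conn.executemany(
        "insert into people values (?, ?)",
        [("Terry", 34), ("Jones", 51), ("terry", 12)],
    )
    return conn


def demo():
    conn = build_db()
    out = {}
    # Parameter values are not filtered: searching for "PRAGMA" is fine.
    out["rows_named_pragma"] = run_query(
        conn, "select count(*) from people where name_last = :who", {"who": "PRAGMA"}
    )[0][0]
    # The SQL text is filtered: a PRAGMA statement, one smuggled after ';',
    # and a pragma_* table-valued function are all refused.
    for sql in ("PRAGMA case_sensitive_like = 1",
                "select 1; PRAGMA case_sensitive_like = 1",
                "select * from pragma_table_info('people')"):
        try:
            run_query(conn, sql, {})
            out[sql] = "allowed"
        except ValueError:
            out[sql] = "blocked"
    # Identifier handling: quote real names, refuse names the schema does not have.
    hostile = 'name_last" from people where 1=1 --'
    out["hostile_column_allowed"] = column_exists(conn, "people", hostile)
    sql = "select %s from %s where age = :age" % (
        quote_identifier("name_last"), quote_identifier("people"))
    out["rows_age_34"] = run_query(conn, sql, {"age": 34})
    # PRAGMA case_sensitive_like really does change later queries on the same
    # connection, which is why the SQL text must never reach it unfiltered.
    out["like_case_sensitive_before"] = like_is_case_sensitive(conn)
    conn.execute("PRAGMA case_sensitive_like = 1")  # run directly, bypassing validate_sql
    out["like_case_sensitive_after"] = like_is_case_sensitive(conn)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Two caveats on the design. The validator is intentionally crude: it also rejects legitimate queries that begin with WITH or contain a semicolon inside a string literal, so a real deployment would want a proper parser or a read-only connection plus a statement time limit on top of it. Python's sqlite3 already refuses more than one statement per execute() call, but the explicit check documents the intent and does not rely on that behaviour.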