4 rows where issue = 268469569

View and edit SQL

Suggested facets: created_at (date), updated_at (date)

id ▼ html_url issue_url node_id user created_at updated_at author_association body reactions issue performed_via_github_app
339406634 https://github.com/simonw/datasette/issues/39#issuecomment-339406634 https://api.github.com/repos/simonw/datasette/issues/39 MDEyOklzc3VlQ29tbWVudDMzOTQwNjYzNA== simonw 9599 2017-10-25T17:27:10Z 2017-10-25T17:27:10Z OWNER It certainly looks like some of the stuff in https://sqlite.org/pragma.html could be used to screw around with things. Example: `PRAGMA case_sensitive_like = 1` - would that affect future queries? {"total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} Protect against malicious SQL that causes damage even though our DB is immutable 268469569  
339413825 https://github.com/simonw/datasette/issues/39#issuecomment-339413825 https://api.github.com/repos/simonw/datasette/issues/39 MDEyOklzc3VlQ29tbWVudDMzOTQxMzgyNQ== simonw 9599 2017-10-25T17:48:48Z 2017-10-25T17:48:48Z OWNER Could I use https://sqlparse.readthedocs.io/en/latest/ to parse incoming statements and ensure they are pure SELECTs? Would that prevent people from using a compound SELECT statement to trigger an evil PRAGMA of some sort? {"total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} Protect against malicious SQL that causes damage even though our DB is immutable 268469569  
339510770 https://github.com/simonw/datasette/issues/39#issuecomment-339510770 https://api.github.com/repos/simonw/datasette/issues/39 MDEyOklzc3VlQ29tbWVudDMzOTUxMDc3MA== simonw 9599 2017-10-26T00:07:40Z 2017-10-26T00:07:40Z OWNER It looks like I should double quote my columns and ensure they are correctly escaped https://blog.christosoft.de/2012/10/sqlite-escaping-table-acolumn-names/ - hopefully using ? placeholders for column names will work. I should use ? for tables too. {"total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} Protect against malicious SQL that causes damage even though our DB is immutable 268469569  
340787868 https://github.com/simonw/datasette/issues/39#issuecomment-340787868 https://api.github.com/repos/simonw/datasette/issues/39 MDEyOklzc3VlQ29tbWVudDM0MDc4Nzg2OA== simonw 9599 2017-10-31T14:54:14Z 2017-10-31T14:54:14Z OWNER Here’s how I can (I think) provide safe execution of arbitrary SQL while blocking PRAGMA calls: let people use names parameters in their SQL and apply strict filtering to the SQL query but not to the parameter values. cur.execute( "select * from people where name_last=:who and age=:age", { "who": who, "age": age }) In URL form: ?sql=select...&who=Terry&age=34 Now we can apply strict, dumb validation rules to the SQL part while allowing anything in the named queries - so people can execute a search for PRAGMA without being able to execute a PRAGMA statement. {"total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} Protect against malicious SQL that causes damage even though our DB is immutable 268469569  

Advanced export

JSON shape: default, array, newline-delimited, object

CSV options:

CREATE TABLE [issue_comments] (
   [html_url] TEXT,
   [issue_url] TEXT,
   [id] INTEGER PRIMARY KEY,
   [node_id] TEXT,
   [user] INTEGER REFERENCES [users]([id]),
   [created_at] TEXT,
   [updated_at] TEXT,
   [author_association] TEXT,
   [body] TEXT,
   [reactions] TEXT,
   [issue] INTEGER REFERENCES [issues]([id])
, [performed_via_github_app] TEXT);
CREATE INDEX [idx_issue_comments_issue]
                ON [issue_comments] ([issue]);
CREATE INDEX [idx_issue_comments_user]
                ON [issue_comments] ([user]);