Wander Nauta

Reputation: 19675

How can I limit an SQL query to be nondestructive?

I'm planning on building a Django log-viewing app with powerful filters. I'd like to enable the user to finely filter the results with some custom (possibly DB-specific) SELECT queries.

However, I dislike giving the user write access to the database. Is there a way to make sure a query doesn't change anything in the database? Like a 'dry run' flag? Or is there a way to filter SELECT queries so that they can't be harmful in any way?

I thought about running the queries as a separate MySQL user but I'd rather avoid the hassle. I also thought about using Google App Engine's GQL 'language', but if there is a cleaner solution, I'd certainly like to hear it :)

Thanks.

Upvotes: 2

Views: 642

Answers (2)

Extrakun

Reputation: 19325

Create and use non-modifiable views.

Upvotes: 1

Ignacio Vazquez-Abrams

Reputation: 799082

Connect with a user that has only been granted SELECT permissions. Situations like this are why permissions exist in the first place.

Upvotes: 14
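An added example, not part of either answer above, showing the two suggestions combined on MySQL: a non-updatable view over the log table and an account that holds SELECT on that view only. The database, table, column, view and account names and the password are assumed placeholders.

```sql
-- Assumed names (not from the question): database logdb, table log_entries,
-- its columns, view log_entries_v, account logviewer_ro.

-- Expose only the columns the log viewer needs.
-- ALGORITHM = TEMPTABLE makes the view non-updatable in MySQL.
CREATE ALGORITHM = TEMPTABLE VIEW logdb.log_entries_v AS
    SELECT id, created_at, level, message
    FROM logdb.log_entries;

-- Dedicated account for user-supplied queries, with a connection cap
-- so that heavy SELECTs cannot exhaust the server's connections.
CREATE USER 'logviewer_ro'@'localhost'
    IDENTIFIED BY '<REPLACE_WITH_STRONG_PASSWORD>'
    WITH MAX_USER_CONNECTIONS 5;

-- SELECT on the view only: no privileges on the base table,
-- no INSERT/UPDATE/DELETE/DROP anywhere.
GRANT SELECT ON logdb.log_entries_v TO 'logviewer_ro'@'localhost';

-- Verify what the account can actually do.
SHOW GRANTS FOR 'logviewer_ro'@'localhost';

-- Checks to run while connected as logviewer_ro:
-- a read through the view is allowed ...
SELECT level, COUNT(*) FROM logdb.log_entries_v GROUP BY level;
-- ... while a write, or a read of the base table, is refused by the server.
DELETE FROM logdb.log_entries_v;
SELECT * FROM logdb.log_entries;
```

In Django, this account would go in a second `DATABASES` entry, with user-supplied queries executed only through that connection.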
