
issue_comments: 340787868


html_url: https://github.com/simonw/datasette/issues/39#issuecomment-340787868
issue_url: https://api.github.com/repos/simonw/datasette/issues/39
id: 340787868
node_id: MDEyOklzc3VlQ29tbWVudDM0MDc4Nzg2OA==
user: 9599
created_at: 2017-10-31T14:54:14Z
updated_at: 2017-10-31T14:54:14Z
author_association: OWNER
body:

Here’s how I can (I think) provide safe execution of arbitrary SQL while blocking PRAGMA calls: let people use named parameters in their SQL and apply strict filtering to the SQL query but not to the parameter values.

# cur is a sqlite3 cursor; who and age are the raw user-supplied values
cur.execute(
    "select * from people where name_last=:who and age=:age", {
        "who": who,
        "age": age
    })

In URL form:

?sql=select...&who=Terry&age=34

Now we can apply strict, dumb validation rules to the SQL part while allowing anything in the named queries - so people can execute a search for PRAGMA without being able to execute a PRAGMA statement.

reactions:
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
issue: 268469569
performed_via_github_app:
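The scheme described in the comment, as an added example that is not part of the original comment or of Datasette's own code: strict, deliberately dumb rules are applied to the SQL text only, and every other key in the query string is bound as a named parameter, so a search for the string "PRAGMA" succeeds while a PRAGMA statement is refused. The people table, its rows, the forbidden-keyword list and the run_query/validate_sql helpers are all constructed for this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data: a tiny in-memory "people" table, not the issue's own DB.
conn = sqlite3.connect(":memory:")
conn.execute("create table people (name_last text, age integer)")
conn.executemany("insert into people values (?, ?)",
                 [("Terry", 34), ("PRAGMA", 51), ("Jones", 34)])

# Keywords that must never appear in the SQL text itself. Bound parameter values
# are never inspected, so a search for the value "PRAGMA" still works.
# "pragma\w*" also catches SQLite's pragma_*() table-valued functions, which
# a plain "\bpragma\b" check would let through.
FORBIDDEN = re.compile(
    r"\b(pragma\w*|attach|detach|insert|update|delete|drop|create|alter|"
    r"replace|vacuum)\b",
    re.IGNORECASE,
)


def validate_sql(sql):
    """Strict, dumb validation applied to the query text only."""
    stripped = sql.strip().rstrip(";")
    if not stripped.lower().startswith("select"):
        raise ValueError("only SELECT statements are allowed")
    if ";" in stripped:
        raise ValueError("only a single statement is allowed")
    if FORBIDDEN.search(stripped):
        raise ValueError("forbidden keyword in SQL text")
    return stripped


def run_query(query_string):
    """Handle a ?sql=...&who=...&age=... query string: validate the SQL part,
    then bind every remaining key as a named parameter (values unfiltered)."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    sql = validate_sql(params.pop("sql"))
    # sqlite3 raises ProgrammingError if a :name placeholder has no matching key;
    # extra keys in the dict are ignored.
    return conn.execute(sql, params).fetchall()
```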
Powered by Datasette · Queries took 0.896ms · About: github-to-sqlite