This data as json
|268469569||MDU6SXNzdWUyNjg0Njk1Njk=||39||Protect against malicious SQL that causes damage even though our DB is immutable||9599||closed||0||2857392||4||2017-10-25T16:44:27Z||2021-08-17T23:52:07Z||2017-11-05T02:53:47Z||OWNER||
I’m currently operating under the assumption that it’s safe to allow arbitrary SQL statements because we are dealing with an immutable database. But this might not be the case - there are some pretty weird SQLite language extensions (ATTACH, PRAGMA etc) and I’m not certain they cannot be used to break things in a way that would affect future requests to the API.
Solution: provide a “safe mode” option which disables the ?sql= mechanism. This still leaves the URL filter lookups, so I need to make sure that those are “safe”.
In the future I may also implement a whitelist option where datasets can be configured to only allow specific filters against specific columns.