Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Would like to allow a client application to execute SQL queries against our database.
The queries will be requests for data, the client should never be able to modify data.
Is there a way to allow a client to send in a SQL statement, then screen it for malicious injection, then pass it through the the database?
We are using the SQLAlchemy library for Python against a PostgreSQL database.
Thanks!
An easier option than trying to interpret queries for malice would be to create a db user with read-only privilege. Your end-users would then use that account to run SELECT queries. You would not need to worry about malicious inserts and deletes because “write” queries would not be allowed. You could also modify permissions further to not allow access to data that you do not want your clients to see etc.
See this SO question and answers for some info on creating “read only” users.