SQLite query restrictions

Backend  Unresolved  3  1186
太阳男子 2021-01-22 15:06

I am building a little interface where I would like users to be able to write out their entire SQL statement and then see the data that is returned. However, I

3 answers
  •  余生分开走
    2021-01-22 15:39

    Python's sqlite3 execute() method will only execute a single SQL statement, so if you ensure that all statements start with the SELECT keyword, you are reasonably protected from dumb stuff like SELECT 1; DROP TABLE USERS. But you should check SQLite's SQL syntax to ensure there is no way to embed a data definition or data modification statement as a subquery.

    My personal opinion is that if "regex scares you a little bit", you might as well just put your computer in a box and mail it off to . Letting untrusted users write SQL code is playing with fire, and you need to know what you're doing or you'll get fried.
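    As an added example (not code from this thread), the two controls the answer relies on, the SELECT-keyword check and execute()'s one-statement-at-a-time rule, alongside a third that goes beyond the answer: sqlite3's set_authorizer() hook, which lets SQLite itself deny any non-read action while the statement is compiled, wherever it is nested. The sample database and table are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed sample database for the demo (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn

def starts_with_select(sql):
    """The keyword check from the answer: the first token must be SELECT."""
    tokens = sql.strip().split(None, 1)
    return bool(tokens) and tokens[0].upper() == "SELECT"

# Authorizer actions a plain read-only query legitimately triggers.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite calls this for every operation while compiling a statement.
    Anything that is not a read (INSERT, UPDATE, DELETE, CREATE, DROP, ATTACH,
    PRAGMA, ...) is denied, even when it is nested inside a subquery or trigger."""
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

def restrict(conn):
    """Install the authorizer on a connection dedicated to untrusted SQL."""
    conn.set_authorizer(read_only_authorizer)
    return conn

def run_untrusted(conn, sql, keyword_check=True):
    """Run one user-supplied statement; returns ("ok", rows) or ("rejected", why).
    keyword_check=False shows that the authorizer alone still blocks writes."""
    if keyword_check and not starts_with_select(sql):
        return ("rejected", "statement must start with SELECT")
    try:
        # execute() compiles exactly one statement; anything after a ';' raises
        # (ProgrammingError on current Pythons, sqlite3.Warning on older ones).
        return ("ok", conn.execute(sql).fetchall())
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return ("rejected", str(exc))   # includes "not authorized" from the authorizer

if __name__ == "__main__":
    db = restrict(make_db())
    for stmt in ("SELECT name FROM users ORDER BY id",
                 "SELECT 1; DROP TABLE users",
                 "DELETE FROM users"):
        print(stmt, "->", run_untrusted(db, stmt, keyword_check=False))
```

    The authorizer bounds what a query may touch, not what it may cost; Connection.set_progress_handler() can abort a statement that runs too long.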
