SQLite query restrictions

太阳男子 2021-01-22 15:06

I am building a little interface where I would like users to be able to write out their entire SQL statement and then see the data that is returned. However, I

3 Answers
  • 2021-01-22 15:38
    1. Open the database as read only, to prevent any changes.
    2. Many statements, such as PRAGMA or ATTACH, can be dangerous. Use an authorizer callback (C docs) to allow only SELECTs.
    3. Queries can run for a long time, or generate a large amount of data. Use a progress handler to abort queries that run for too long.
  • 2021-01-22 15:39

    Python's sqlite3 execute() method will only execute a single SQL statement, so if you ensure that all statements start with the SELECT keyword, you are reasonably protected from dumb stuff like SELECT 1; DROP TABLE USERS. But you should check sqlite's SQL syntax to ensure there is no way to embed a data definition or data modification statement as a subquery.

    My personal opinion is that if "regex scares you a little bit", you might as well just put your computer in a box and mail it off to <stereotypical country of hackers>. Letting untrusted users write SQL code is playing with fire, and you need to know what you're doing or you'll get fried.

  • 2021-01-22 15:59

    I can suggest a different approach to your problem. You can restrict the access to your database as read-only. That way even when the users try to execute delete/update queries they will not be able to damage your data.

    Here is the answer for Python on how to open a read-only connection:

    import sqlite3

    db = sqlite3.connect('file:/path/to/database?mode=ro', uri=True)
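The three steps from the first answer, combined with the read-only URI from the last one, as an added example that is not part of the original thread. The function names, the time and row limits, and the sample `users` table are assumptions made for the demonstration.

```python
import os
import sqlite3
import tempfile
import time

# Authorizer action codes that are permitted: plain reads only.
ALLOWED = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def authorizer(action, arg1, arg2, db_name, source):
    # Called while a statement is compiled; anything outside ALLOWED
    # (PRAGMA, ATTACH, INSERT, DELETE, ...) is refused.
    return sqlite3.SQLITE_OK if action in ALLOWED else sqlite3.SQLITE_DENY

def run_untrusted(path, sql, max_seconds=1.0, max_rows=1000):
    """Run one user-supplied statement; return rows or raise sqlite3.Error."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # step 1: read-only
    try:
        con.set_authorizer(authorizer)                       # step 2: SELECT only
        deadline = time.monotonic() + max_seconds
        # step 3: polled every 1000 VM instructions; a true return aborts the query
        con.set_progress_handler(lambda: time.monotonic() > deadline, 1000)
        return con.execute(sql).fetchmany(max_rows)          # cap the result size
    finally:
        con.close()

def make_sample_db():
    """Build a constructed sample database (1000 rows) in a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users(name) VALUES (?)",
                    [(f"user{i}",) for i in range(1000)])
    con.commit()
    con.close()
    return path

def outcome(path, sql):
    """Return the rows, or a 'rejected: ...' string if SQLite refused or aborted."""
    try:
        return run_untrusted(path, sql, max_seconds=0.2)
    except sqlite3.Error as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    db = make_sample_db()
    for q in ("SELECT name FROM users WHERE id = 1", "PRAGMA journal_mode=WAL",
              "SELECT count(*) FROM users a, users b, users c"):
        print(q, "->", outcome(db, q))
```

The three-way cross join is allowed by the authorizer but stopped by the progress handler, which is why the time limit is needed in addition to the other two controls.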