> I found a trick that works for my use case. I just don't execute if
> it's not a SELECT request. I do the test like so:
>
>     def execute(self):
>         if self.sql.split()[0].lower() != 'select':
>             return 'You can only execute SELECT queries.'
>         ....
So the user puts in

    SELECT * FROM app_whatever; DROP TABLE auth_users; ...

http://xkcd.com/327/

You *really* *do* want a RO DB connection. Anything else is just asking for trouble.

Push comes to shove, you can create a second connection to the DB using the RO credentials, and then do your execute() through that connection.

-tim
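As an added illustration of the point above (not code from the thread): the first-token check accepts the stacked statement, while a read-only connection refuses the write regardless of what the parser thought. It uses SQLite's URI `mode=ro` as a stand-in for the RO credentials; the schema and data are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# The stacked statement from the reply above.
STACKED = "SELECT * FROM app_whatever; DROP TABLE auth_users;"

def naive_is_select(sql):
    """The quoted check: only the first token is inspected."""
    return sql.split()[0].lower() == "select"

def make_db(path):
    """Constructed sample schema for the demo (not from the thread)."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE app_whatever(id INTEGER);"
        "CREATE TABLE auth_users(id INTEGER);"
        "INSERT INTO auth_users VALUES (1);"
    )
    conn.commit()
    conn.close()

def run_readonly(path, sql):
    """Run sql over a read-only connection (SQLite URI mode=ro).
    executescript is used on purpose so stacked statements are attempted;
    the connection's read-only mode, not the parser, is what blocks the write."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        conn.executescript(sql)
        return "ok"
    except sqlite3.OperationalError as exc:
        return f"refused: {exc}"
    finally:
        conn.close()

def table_exists(path, name):
    conn = sqlite3.connect(path)
    try:
        row = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
        ).fetchone()
        return row is not None
    finally:
        conn.close()

def demo(sql):
    """What the naive check says, what the RO connection did, and whether
    auth_users survived the attempt."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        make_db(path)
        return {
            "naive_check_passes": naive_is_select(sql),
            "readonly_result": run_readonly(path, sql),
            "auth_users_survived": table_exists(path, "auth_users"),
        }

if __name__ == "__main__":
    print(demo(STACKED))
```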