Oops! Didn't think of that!!!!!
Thanks, guys, for spotting the mistake.

I totally understand what you suggest, having a RO user at the
database (in this case MySQL) level.
But I am fairly new to Django and Python, and I am unsure how to
implement that dual-setting option.

I was thinking, maybe to add a DATABASE_USER_RO value in settings.py.
But I don't see how I can force the connection object to use that user
instead of the regular "DATABASE_USER".

Could you please indicate how to do this?

Thanks a lot!

Julien

On Feb 4, 12:26 am, Tim Chase <[EMAIL PROTECTED]> wrote:
> > I found a trick that works for my use case. I just don't execute if
> > it's not a SELECT request. I do the test like so:
>
> >     def execute(self):
> >         if self.sql.split()[0].lower() != 'select':
> >             return 'You can only execute SELECT queries.'
> >         ....
>
> So the user puts in
>
>   SELECT * FROM app_whatever; DROP TABLE auth_users;
>
> ...
>
> http://xkcd.com/327/
>
> You *really* *do* want a RO DB connection.  Anything else is just
> asking for trouble.  Push come to shove, you can create a second
> connection to the DB using the RO credentials, and then do your
> execute() through that connection.
>
> -tim
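An added example (not code from either poster) showing why the first-word check is not enough and what Tim's "second, read-only connection" buys you. It uses the standard-library sqlite3 module and a sqlite read-only URI (`mode=ro`) as a stand-in for a MySQL read-only user, because that runs without a database server; the table name and sample rows are constructed, and `make_sample_db`, `open_readonly` and `run_readonly` are hypothetical helper names.

```python
import os
import sqlite3
import tempfile


def passes_naive_check(sql: str) -> bool:
    """The check from the thread: only the first word is inspected."""
    return sql.split()[0].lower() == "select"


def make_sample_db() -> str:
    """Create a throwaway database file with one constructed table."""
    fd, path = tempfile.mkstemp(suffix=".sqlite3")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE app_whatever (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO app_whatever (name) VALUES ('a'), ('b')")
    conn.commit()
    conn.close()
    return path


def remove_sample_db(path: str) -> None:
    os.remove(path)


def open_readonly(path: str) -> sqlite3.Connection:
    # The mode=ro URI plays the role of the read-only database user:
    # the engine itself refuses every write, whatever the SQL text looks like.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def run_readonly(path: str, sql: str):
    """Execute user-supplied SQL on the read-only connection.

    Returns ("ok", rows) when the engine accepts the statement and
    ("refused", message) when it rejects it, so the caller never has
    to guess from the SQL text whether it was safe.
    """
    conn = open_readonly(path)
    try:
        cur = conn.cursor()
        cur.execute(sql)
        return ("ok", cur.fetchall())
    except sqlite3.Error as exc:
        return ("refused", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    db = make_sample_db()
    # The stacked statement from Tim's reply sails through the naive check...
    stacked = "SELECT * FROM app_whatever; DROP TABLE auth_users;"
    print("naive check accepts stacked statement:", passes_naive_check(stacked))
    # ...but a write is rejected by the read-only connection regardless.
    print(run_readonly(db, "SELECT name FROM app_whatever ORDER BY id"))
    print(run_readonly(db, "DROP TABLE app_whatever"))
    remove_sample_db(db)
```

In Django itself (versions with the DATABASES setting, i.e. 1.2 and later, not the DATABASE_USER-style settings in use when this thread was written) the same idea is a second alias in `DATABASES` whose credentials are the read-only MySQL user, used with `from django.db import connections` and `connections['readonly'].cursor()` for the user-supplied query, while the ORM keeps using `default`.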