Oops! Didn't think of that!!!!! Thanks, guys, for spotting the mistake. I totally understand what you suggest, having a RO user at the database (in this case MySQL) level. But I am fairly new to Django and Python, and I am unsure how to implement that dual-setting option.

I was thinking, maybe to add a DATABASE_USER_RO value in settings.py. But I don't see how I can force the connection object to use that user instead of the regular "DATABASE_USER". Could you please indicate how to do this?

Thanks a lot!

Julien

On Feb 4, 12:26 am, Tim Chase <[EMAIL PROTECTED]> wrote:
> > I found a trick that works for my use case. I just don't execute if
> > it's not a SELECT request. I do the test like so:
> >
> > def execute(self):
> >     if self.sql.split()[0].lower() != 'select':
> >         return 'You can only execute SELECT queries.'
> >     ....
>
> So the user puts in
>
> SELECT * FROM app_whatever; DROP TABLE auth_users;
>
> ...
>
> http://xkcd.com/327/
>
> You *really* *do* want a RO DB connection. Anything else is just
> asking for trouble. Push come to shove, you can create a second
> connection to the DB using the RO credentials, and then do your
> execute() through that connection.
>
> -tim
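An added example (not code from Julien's or Tim's posts) showing why the first-token check is not enough and what a read-only connection buys you. sqlite3 stands in for MySQL so it runs offline: its `mode=ro` URI flag plays the role of a MySQL account that was only granted SELECT (for instance `GRANT SELECT ON mydb.* TO 'ro_user'@'localhost'`, with `ro_user` and `mydb` as placeholder names). The table and rows are constructed sample data, and `executescript` mimics a driver that accepts stacked statements. The same string that passes the prefix check drops the table on the ordinary connection and is refused by the database on the read-only one.

```python
import os
import sqlite3
import tempfile

# Constructed input, modelled on the stacked statement Tim quoted: it starts with
# SELECT, so the first-token check lets it through, yet it also drops a table.
STACKED_SQL = "SELECT * FROM app_whatever; DROP TABLE app_whatever;"


def naive_is_select(sql):
    """The first-token test from the thread's execute(): looks only at the first word."""
    return sql.split()[0].lower() == "select"


def create_sample_db(path):
    """Build a small constructed database so the example runs offline (no MySQL needed)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE app_whatever (id INTEGER PRIMARY KEY, name TEXT)")
        conn.executemany("INSERT INTO app_whatever (name) VALUES (?)",
                         [("alpha",), ("beta",)])
    conn.close()


def open_readonly(path):
    """Open a connection that cannot write: sqlite's mode=ro URI flag stands in for a
    MySQL account that was only granted SELECT (the 'RO credentials' Tim refers to)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def run_user_sql(conn, sql):
    """Run user-supplied SQL as a script, the way a driver that permits stacked
    statements would. Returns 'ok' or the database's refusal message."""
    try:
        conn.executescript(sql)
        return "ok"
    except sqlite3.Error as exc:
        return f"refused: {exc}"


def table_exists(path, name):
    """Check from a fresh (writable) connection whether the table survived."""
    conn = sqlite3.connect(path)
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    conn.close()
    return row is not None


def demo():
    """Run the same stacked statement through a read-write and a read-only connection."""
    with tempfile.TemporaryDirectory() as tmp:
        rw_path = os.path.join(tmp, "rw.db")
        ro_path = os.path.join(tmp, "ro.db")
        create_sample_db(rw_path)
        create_sample_db(ro_path)

        # 1. The prefix check is satisfied: the string does begin with SELECT.
        check_passes = naive_is_select(STACKED_SQL)

        # 2. Through the ordinary (read-write) connection the DROP goes through.
        rw_conn = sqlite3.connect(rw_path)
        rw_result = run_user_sql(rw_conn, STACKED_SQL)
        rw_conn.close()

        # 3. Through the read-only connection the SELECT part runs, but the DROP is
        #    refused by the database itself, whatever the string looked like.
        ro_conn = open_readonly(ro_path)
        ro_result = run_user_sql(ro_conn, STACKED_SQL)
        ro_rows = ro_conn.execute("SELECT name FROM app_whatever ORDER BY id").fetchall()
        ro_conn.close()

        return {
            "check_passes": check_passes,
            "rw_result": rw_result,
            "rw_table_survives": table_exists(rw_path, "app_whatever"),
            "ro_result": ro_result,
            "ro_table_survives": table_exists(ro_path, "app_whatever"),
            "ro_rows": ro_rows,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In Django 1.2 and later the RO credentials go into a second entry of the DATABASES setting and the query runs on `django.db.connections['<alias>'].cursor()`; on the Django of this thread, which has no multi-database support, the second connection is opened directly with the database driver using the RO user, which is what Tim describes. Either way the privilege boundary lives in the database account, not in string inspection.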

