issue_comments
4 rows where issue = 268469569 and user = 9599 sorted by updated_at descending
This data as json, CSV (advanced)
Suggested facets: created_at (date), updated_at (date)
issue 1
- Protect against malicious SQL that causes damage even though our DB is immutable · 4 ✖
| id | html_url | issue_url | node_id | user | created_at | updated_at ▲ | author_association | body | reactions | issue | performed_via_github_app |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 340787868 | https://github.com/simonw/datasette/issues/39#issuecomment-340787868 | https://api.github.com/repos/simonw/datasette/issues/39 | MDEyOklzc3VlQ29tbWVudDM0MDc4Nzg2OA== | simonw 9599 | 2017-10-31T14:54:14Z | 2017-10-31T14:54:14Z | OWNER | Here’s how I can (I think) provide safe execution of arbitrary SQL while blocking PRAGMA calls: let people use names parameters in their SQL and apply strict filtering to the SQL query but not to the parameter values. In URL form: Now we can apply strict, dumb validation rules to the SQL part while allowing anything in the named queries - so people can execute a search for PRAGMA without being able to execute a PRAGMA statement. |
{
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
} |
Protect against malicious SQL that causes damage even though our DB is immutable 268469569 | |
| 339510770 | https://github.com/simonw/datasette/issues/39#issuecomment-339510770 | https://api.github.com/repos/simonw/datasette/issues/39 | MDEyOklzc3VlQ29tbWVudDMzOTUxMDc3MA== | simonw 9599 | 2017-10-26T00:07:40Z | 2017-10-26T00:07:40Z | OWNER | It looks like I should double quote my columns and ensure they are correctly escaped https://blog.christosoft.de/2012/10/sqlite-escaping-table-acolumn-names/ - hopefully using ? placeholders for column names will work. I should use ? for tables too. |
{
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
} |
Protect against malicious SQL that causes damage even though our DB is immutable 268469569 | |
| 339413825 | https://github.com/simonw/datasette/issues/39#issuecomment-339413825 | https://api.github.com/repos/simonw/datasette/issues/39 | MDEyOklzc3VlQ29tbWVudDMzOTQxMzgyNQ== | simonw 9599 | 2017-10-25T17:48:48Z | 2017-10-25T17:48:48Z | OWNER | Could I use https://sqlparse.readthedocs.io/en/latest/ to parse incoming statements and ensure they are pure SELECTs? Would that prevent people from using a compound SELECT statement to trigger an evil PRAGMA of some sort? |
{
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
} |
Protect against malicious SQL that causes damage even though our DB is immutable 268469569 | |
| 339406634 | https://github.com/simonw/datasette/issues/39#issuecomment-339406634 | https://api.github.com/repos/simonw/datasette/issues/39 | MDEyOklzc3VlQ29tbWVudDMzOTQwNjYzNA== | simonw 9599 | 2017-10-25T17:27:10Z | 2017-10-25T17:27:10Z | OWNER | It certainly looks like some of the stuff in https://sqlite.org/pragma.html could be used to screw around with things. Example: |
{
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
} |
Protect against malicious SQL that causes damage even though our DB is immutable 268469569 |
Advanced export
JSON shape: default, array, newline-delimited, object
CREATE TABLE [issue_comments] (
[html_url] TEXT,
[issue_url] TEXT,
[id] INTEGER PRIMARY KEY,
[node_id] TEXT,
[user] INTEGER REFERENCES [users]([id]),
[created_at] TEXT,
[updated_at] TEXT,
[author_association] TEXT,
[body] TEXT,
[reactions] TEXT,
[issue] INTEGER REFERENCES [issues]([id])
, [performed_via_github_app] TEXT);
CREATE INDEX [idx_issue_comments_issue]
ON [issue_comments] ([issue]);
CREATE INDEX [idx_issue_comments_user]
ON [issue_comments] ([user]);
user 1