I am going to provide an SQL console like data.stackexchange.com for developers on one of the sites I have. The problem is I cannot let them execute all types of SQL. So there will be some constraints. Here are some example constraints:
- No query can contain the `COUNT()` function
- Every query must contain `LIMIT` with a maximum value of 100
- The number of columns cannot be more than 5
- Some tables' data will not be accessible due to privacy region.
- Only `SELECT` statements will be allowed to be used.
What am I doing right now?
I am using regular expressions to filter these. I am also planning to invoke `EXPLAIN` or a similar query to determine its impact on the DB prior to executing.
Is there any better way than regex? How is it done on data.SE? Is there anything else I should be worried about?
Update 1
These two rules can be applied by restricting user permissions in the database server:
- Some tables' data will not be accessible due to privacy region.
- Only `SELECT` statements will be allowed to be used.
So the only problem is to validate the SQL.
Update 2
I know that if I write an SQL parser it'll do. It'll be like writing a JS interpreter just to remove `eval()` as it's bad practice. So writing an SQL parser from scratch is really not an option here.
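The following is an added example, not code from the question or from data.SE. It applies the question's rules (SELECT only, no `COUNT()`, `LIMIT` of at most 100, at most 5 columns) with a small tokenizer instead of regexes over the raw query text, so that a keyword sitting inside a string literal or a comment is neither miscounted nor mistaken for the real thing. Two decisions in it are my own assumptions rather than rules from the question: a bare `*` in the select list is rejected because the column count cannot be checked without the schema, and only one statement per query is accepted. The `LIMIT` syntax assumed is the MySQL/PostgreSQL/SQLite form used in the question.

```python
"""Token-based validator for a restricted SELECT-only SQL console.

Added example (not code from the question or from data.SE): it applies the
question's rules with a tokenizer instead of regexes over the raw query, so
keywords inside string literals and comments are not miscounted.
"""
import re

MAX_LIMIT = 100    # rule from the question: LIMIT with maximum value 100
MAX_COLUMNS = 5    # rule from the question: no more than 5 columns

# Strings and comments come first in the alternation so their contents are
# consumed whole and never inspected as keywords.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<line_comment>--[^\n]*)
  | (?P<block_comment>/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<quoted_ident>"(?:[^"]|"")*")
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<punct>[(),;*.=<>!+\-/%])
""", re.VERBOSE | re.DOTALL)

# A '*' directly after one of these is a column wildcard, not multiplication.
_WILDCARD_PREDECESSORS = {("word", "SELECT"), ("word", "DISTINCT"),
                          ("word", "ALL"), ("punct", ","), ("punct", ".")}


def tokenize(sql):
    """Return (kind, text) pairs with whitespace and comments removed.

    Words are upper-cased. Input the grammar does not cover (for example an
    unterminated string) raises ValueError rather than being skipped.
    """
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError("unexpected input at offset %d" % pos)
        kind, text = m.lastgroup, m.group()
        if kind not in ("ws", "line_comment", "block_comment"):
            tokens.append((kind, text.upper() if kind == "word" else text))
        pos = m.end()
    return tokens


def validate(sql):
    """Return the list of violated rules; an empty list means the query passes."""
    try:
        toks = tokenize(sql)
    except ValueError as exc:
        return ["could not tokenize query: %s" % exc]
    if toks and toks[-1] == ("punct", ";"):   # tolerate a single trailing ';'
        toks = toks[:-1]
    problems = []
    if ("punct", ";") in toks:               # assumption: one statement per query
        problems.append("only one statement is allowed")
    if not toks or toks[0] != ("word", "SELECT"):
        problems.append("only SELECT statements are allowed")
        return problems

    depth, in_select_list, columns = 0, True, 1
    top_limit_seen = limit_too_big = count_seen = wildcard_seen = False
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == ("punct", "("):
            depth += 1
        elif tok == ("punct", ")"):
            depth -= 1
        elif in_select_list and depth == 0 and tok == ("word", "FROM"):
            in_select_list = False           # end of the outer select list
        elif in_select_list and depth == 0 and tok == ("punct", ","):
            columns += 1                     # one more top-level select item
        elif in_select_list and depth == 0 and tok == ("punct", "*") \
                and i > 0 and toks[i - 1] in _WILDCARD_PREDECESSORS:
            wildcard_seen = True             # assumption: width unknown without schema
        elif tok == ("word", "COUNT") and nxt == ("punct", "("):
            count_seen = True                # COUNT used as a function call
        elif tok == ("word", "LIMIT"):
            if nxt is not None and nxt[0] == "number":
                if float(nxt[1]) > MAX_LIMIT:
                    limit_too_big = True     # also catches LIMIT inside subqueries
                if depth == 0:
                    top_limit_seen = True    # LIMIT on the outer query itself
            else:
                limit_too_big = True         # LIMIT ALL, LIMIT ?, etc.

    if count_seen:
        problems.append("COUNT() is not allowed")
    if not top_limit_seen:
        problems.append("every query must contain LIMIT")
    if limit_too_big:
        problems.append("LIMIT must be a number no larger than %d" % MAX_LIMIT)
    if wildcard_seen:
        problems.append("select list must name its columns (no *)")
    if columns > MAX_COLUMNS:
        problems.append("no more than %d columns are allowed" % MAX_COLUMNS)
    return problems
```

Calling `validate("SELECT name FROM users WHERE note = '-- x; LIMIT 5'")` reports a missing `LIMIT`, which a regex search for `LIMIT` over the raw text would not, and `validate("SELECT id FROM (SELECT id FROM users LIMIT 1000) AS u LIMIT 10")` catches the oversized `LIMIT` hidden in the subquery. The tokenizer is still not a parser: it cannot tell you what the query will cost, so the `EXPLAIN` step from the question and the database-side permission restrictions from Update 1 remain the stronger controls, with this check acting as an early filter in front of them.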