Would like to allow a client application to execute SQL queries against our database.
The queries will be requests for data, the client should never be able to modify data.
Is there a way to allow a client to send in a SQL statement, then screen it for malicious injection, then pass it through the the database?
We are using the SQLAlchemy library for Python against a PostgreSQL database.
Thanks!
An easier option than trying to interpret queries for malice would be to create a db user with read-only privilege. Your end-users would then use that account to run SELECT queries. You would not need to worry about malicious inserts and deletes because "write" queries would not be allowed. You could also modify permissions further to not allow access to data that you do not want your clients to see etc.
See this SO question and answers for some info on creating "read only" users.