Tags: django, sqlite, sql-injection

SQL injection prone?


I'm building a website with Django where there will be a sql console for performing raw queries on the database (SQLite3).

I know that this is a dangerous idea and that is why I'm wondering if my rather inelegant and brute solution will work.

I want the user to be able to perform only SELECT statements and therefore before the query is executed on the database I am simply making an assert statement which checks that the words 'DROP', 'UPDATE' or 'CREATE' are not in the query string and another one to assert that the word 'SELECT' is.

If this is not satisfied, the query is not processed.

Is it good enough or am I missing something here?


Solution

  • That would probably work fine if you're confident enough in your code. Personally, I could never be that confident.
    It might be better to cut the permissions off at the user or file level, and since sqlite doesn't have users at all, we can cut off write capability on the file level.
    Seen from here, if the database or folder that it resides in does not allow write permissions then they won't be able to do INSERT, UPDATE, DELETE, etc.
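As an added illustration (not code from the question or the answer), the following script reimplements the keyword check the question describes as a hypothetical `naive_filter_allows`, shows a single-statement `INSERT` that slips through it because the blacklist only names DROP, UPDATE and CREATE, and then runs the same statement over a connection SQLite itself opens read-only (`mode=ro` in the connection URI), which is the engine-level counterpart of the answer's file-permission idea. The table, rows and queries are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Hypothetical reimplementation of the check described in the question:
# reject if any banned word appears, require the word SELECT somewhere.
BANNED = ("DROP", "UPDATE", "CREATE")


def naive_filter_allows(query: str) -> bool:
    upper = query.upper()
    return "SELECT" in upper and not any(word in upper for word in BANNED)


def make_db(path: str) -> None:
    """Create a small constructed database with one table and one row."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        conn.execute("INSERT INTO users (name) VALUES ('alice')")
        conn.commit()
    finally:
        conn.close()


def run_on_writable(path: str, query: str) -> None:
    """What the console does if it trusts the keyword filter: a normal read-write connection."""
    conn = sqlite3.connect(path)
    try:
        conn.execute(query)
        conn.commit()
    finally:
        conn.close()


def run_read_only(path: str, query: str):
    """Open the file read-only at the SQLite level; every write fails no matter how it is spelled."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return conn.execute(query).fetchall()
    finally:
        conn.close()


def count_users(path: str) -> int:
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    finally:
        conn.close()


def demonstrate() -> dict:
    """Run the bypass against both connection styles and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.sqlite3")
        make_db(path)

        # Constructed bypass: a single INSERT whose trailing comment contains the word SELECT.
        bypass = "INSERT INTO users (name) VALUES ('mallory') -- SELECT"
        passed_filter = naive_filter_allows(bypass)

        run_on_writable(path, bypass)          # the filter said yes, so the row is written
        rows_after_bypass = count_users(path)

        try:
            run_read_only(path, bypass)        # same SQL, read-only connection
            blocked_read_only = False
        except sqlite3.OperationalError:       # "attempt to write a readonly database"
            blocked_read_only = True
        rows_after_ro = count_users(path)

        selected = run_read_only(path, "SELECT name FROM users ORDER BY id")

    return {
        "passed_filter": passed_filter,
        "rows_after_bypass": rows_after_bypass,
        "blocked_read_only": blocked_read_only,
        "rows_after_ro": rows_after_ro,
        "selected": selected,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The filter also waves through `DELETE FROM users -- select`, `ALTER TABLE ...` and `PRAGMA ...` for the same reason, while the read-only connection needs no list of bad words at all. Note that a read-only console still exposes every table in the file, including Django's `django_session` and `auth_user` tables, so SQLite-level read-only protects integrity, not confidentiality.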