A way to accept SQL input with sanitization and parameterization with a json format
Project description
JsonSQL
JsonSQL is a Python class that allows safe execution of SQL queries from untrusted JSON input. It validates the input against allowed queries, tables, columns etc. before constructing a safe SQL string.
Usage
Installing the package
pip install jsonsql
Full SQL String
Import the JsonSQL class:
from jsonsql import JsonSQL
Initialize it by passing allowed queries, items, tables, connections and column types:
allowed_queries = ["SELECT"]
allowed_items = ["*"]
allowed_tables = ["users"]
allowed_connections = ["WHERE"]
allowed_columns = {"id": int, "name": str}
jsonsql = JsonSQL(allowed_queries, allowed_items, allowed_tables, allowed_connections, allowed_columns)
Pass a JSON request to sql_parse() to validate and construct the SQL:
request = {
"query": "SELECT",
"items": ["*"],
"table": "users",
"connection": "WHERE",
"logic": {
"id": {"=":123}
}
}
valid, sql, params = jsonsql.sql_parse(request)
The logic is validated against the allowed columns before constructing the final SQL string.
Search Criteria for partial string
The logic_parse method can also be used independently to validate logic conditions without constructing a full SQL query. This allows reusing predefined or dynamically generated SQL strings while still validating any logic conditions passed from untrusted input.
For example:
sql = "SELECT * FROM users WHERE"
logic = {
"AND": [
{"id": {"=":123}},
{"name": {"=":"John"}}
]
}
valid, message, params = jsonsql.logic_parse(logic)
if valid:
full_sql = f"{sql} ({message})"
# execute full_sql with params
This validates the logic while allowing the SQL query itself to be predefined or constructed separately.
The logic_parse method will return False if the input logic is invalid. Otherwise it returns the parsed logic string and any bound parameters for safe interpolation into a SQL query.
All arguments to JsonSQL like allowed_queries, allowed_columns etc. are optional and can be empty lists or dicts if full validation of the SQL syntax is not needed.
Current operations supported by the logic
{
"AND":[],
"OR":[],
{"variable":{"<, >, =, etc":"value"}},
{"variable":{"BETWEEN":["value1","value2"]}},
{"variable":{"IN":["value1","value2","..."]}}
}
values can also be valid variables such that variable1 = variable2
{"variable":{"=":"othervariable"}}
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file jsonsql-1.1.4.tar.gz.
File metadata
- Download URL: jsonsql-1.1.4.tar.gz
- Upload date:
- Size: 5.7 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.0.0 CPython/3.12.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1218eb28d43030b72dc5e2528be1430584f97bb147b4048df6fbe38ac5b3ceeb
|
|
| MD5 |
a61e1975b225efd4efd808bb4004e19e
|
|
| BLAKE2b-256 |
3eab89d9061deed25090d0ff559bf2b095d5713b49373cc47bbe65d4c228161b
|
File details
Details for the file jsonsql-1.1.4-py3-none-any.whl.
File metadata
- Download URL: jsonsql-1.1.4-py3-none-any.whl
- Upload date:
- Size: 5.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.0.0 CPython/3.12.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e606192da0ac4425158172df0b592a7f971ce2ea6d607b3736a63d10d07c4bc5
|
|
| MD5 |
2c1c691ed7fe3de44fd59351de85383f
|
|
| BLAKE2b-256 |
e4767639e7a288136d0118d9f173a11e3ff09d42b2877cc3319e4605218db1b5
|
