Static SQL query classifier and injection-risk analyzer for all Amazon RDS database engines
sql-shield
sql-shield parses a SQL query string and tells you:
- Query type: DDL, DML, DQL, DCL, TCL, UTILITY, PROCEDURAL, ADMIN, or UNKNOWN
- Security risk: LOW / MEDIUM / HIGH / CRITICAL, with the specific patterns that triggered it (injection patterns, stacked queries, destructive DDL, engine-specific dangerous functions/catalogs)
No database connection required — this is purely static analysis over the query text.
Supported engines
| Engine | Versions | sqlglot dialect |
|---|---|---|
| PostgreSQL | 11-17 | postgres |
| Aurora PostgreSQL | 11-16 | postgres |
| MySQL | 5.7, 8.0 | mysql |
| Aurora MySQL | 5.7, 8.0 | mysql |
| MariaDB | 10.6, 10.11, 11.4 | mysql |
| Oracle | 19c, 21c, 23ai | oracle |
| SQL Server | 2017, 2019, 2022 | tsql |
Listed versions are the ones with version-specific pattern tuning. Other versions of a supported engine still work — they fall back to the engine's base pattern set with a warning logged.
Install
```
pip install sql-shield
```
Quickstart
```python
from sql_shield import SQLClassifier

classifier = SQLClassifier(engine="postgresql", version="16")
result = classifier.classify_query("SELECT * FROM users WHERE id = 1 OR 1=1")

print(result.query_type)                        # QueryType.DQL
print(result.security_analysis.risk_level)      # RiskLevel.HIGH
print(result.security_analysis.detected_patterns)
print(result.security_analysis.recommendation)
```
Limitations
- Static analysis only — it inspects query text, not a live schema, so it cannot tell you whether referenced tables/columns exist.
- The stacked-query check splits on `;` without parsing string literals, so a benign query containing a semicolon inside a string (e.g. `'a; b'`) may be flagged as multiple statements. Treat the risk score as a signal, not a verdict.
License
MIT
File details
Details for the file sql_query_tagger-0.1.0.tar.gz.
File metadata
- Download URL: sql_query_tagger-0.1.0.tar.gz
- Upload date:
- Size: 20.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8e221ed9d56a10d7e83734711c91b36f51522cd6fead54b84ff2372165eea24f |
| MD5 | 19188410c7c9585f49496fd9f7aa5ef5 |
| BLAKE2b-256 | 4f9faf673cb2135da3aca862c81d3ec85782e27372b44d0e012db0bb27819085 |
File details
Details for the file sql_query_tagger-0.1.0-py3-none-any.whl.
File metadata
- Download URL: sql_query_tagger-0.1.0-py3-none-any.whl
- Upload date:
- Size: 2.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e3b1c37d704972ed7bec0d473ea74e64a7814ddeee48dfc74684546895c8502a |
| MD5 | a2baa262b4206d7f44b9865fd2d2ff00 |
| BLAKE2b-256 | b0dee55e9f33529bad0fc6d1ea6cf9e61e3f681d8e504864f0aa5b615f933c99 |