I'm really nervous about allowing attackers to trick me into visiting /dashboard/?sql=... with some hitherto unexpected evil query that somehow bypasses read-only protections or executes an XSS of some sort.
But I still want to be able to bookmark and share queries.
Maybe a solution can involve signatures? Execute queries with an authenticated, CSRF-protected POST; it then redirects and adds a signed parameter to verify that it's not from any untrusted source.
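The signed-redirect scheme proposed above, as an added example in Python that is not code from the issue or from the project it concerns; the secret key, the `sig` parameter name and the helper names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret (constructed for this example); a real app would use
# the framework's own secret key and never embed it in source.
SECRET_KEY = b"example-secret-key-not-for-production"


def sign_sql(sql: str, key: bytes = SECRET_KEY) -> str:
    """Hex HMAC-SHA256 tag over the SQL text, keyed with the server secret."""
    return hmac.new(key, sql.encode("utf-8"), hashlib.sha256).hexdigest()


def build_redirect_url(sql: str, key: bytes = SECRET_KEY) -> str:
    """Called only after an authenticated, CSRF-protected POST has accepted the query.

    The resulting GET URL carries the query plus its signature, so it can be
    bookmarked and shared, but only a holder of the secret could have produced it.
    """
    return "/dashboard/?" + urlencode({"sql": sql, "sig": sign_sql(sql, key)})


def params_from_url(url: str) -> dict:
    """Flatten the query string of a GET URL into a single-valued dict."""
    parsed = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def verify_get_request(params: dict, key: bytes = SECRET_KEY) -> bool:
    """Decide whether a GET /dashboard/?sql=...&sig=... may be executed.

    A missing or mismatched signature means the URL did not originate from our
    own POST flow (an attacker-crafted link, or a tampered query), so it is refused.
    """
    sql = params.get("sql")
    sig = params.get("sig")
    if sql is None or sig is None:
        return False
    # Constant-time comparison avoids leaking the tag byte by byte.
    return hmac.compare_digest(sign_sql(sql, key), sig)
```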