I'm planning on building a Django log-viewing app with powerful filters. I'd like to enable the user to finely filter the results with some custom (possibly DB-specific) SELECT queries.
However, I dislike giving the user write access to the database. Is there a way to make sure a query doesn't change anything in the database? Like a 'dry run' flag? Or is there a way to filter SELECT queries so that they can't be harmful in any way?
I thought about running the queries as a separate MySQL user but I'd rather avoid the hassle. I also thought about using Google App Engine's GQL 'language', but if there is a cleaner solution, I'd certainly like to hear it :)
Thanks.