Change sql blacklist functionality from regex to sqlparse

[lawson89]

Issue #454

[covracer]

@marksweb why forbid this? What's a better way to display results in a local timezone?

[marksweb]

Forbid this? Sorry I don't follow - I haven't forbidden this?

[covracer]

This PR added SET to app_settings.EXPLORER_SQL_BLACKLIST, and the assert below seems to be checking that SET TIME ZONE 'PST8PDT' fails the blacklist. I noticed this because several queries I rely on started failing after an upgrade.

From a quick reading of https://www.postgresql.org/docs/current/sql-set.html, I don't notice ways in which it'd modify data in the database, but I'm not a SQL expert, and I haven't checked MySQL, etc.

[marksweb]

@covracer This PR just changed the order of the blacklisted items. SET was actually added about a year ago here.

SET can be used to update values. See here.

The blacklist check didn't work for some time. It may have been this PR which actually got it working correctly hence you noticing it.

You can always define your own EXPLORER_SQL_BLACKLIST in your project settings if you want to allow people to use different commands.

[covracer]

https://www.w3schools.com/SQL/sql_ref_set.asp discusses SET in the context of UPDATE ... SET ... WHERE .... It seems to me like the entry for UPDATE would cover that.

SET PASSWORD for MySQL as described in #475 sounds like a great thing to block. Would it be possible to disallow SET PASSWORD ... (for MySQL) while allowing SET TIME ... (for PostgreSQL)?

Edit: I'm open to overriding EXPLORER_SQL_BLACKLIST, but I wanted to make sure I wasn't overlooking ways in which SET could be used to make modifications to a PostgreSQL database before doing so. Thanks for the help in figuring the details out.

[marksweb]

@covracer The project is setup to try to be as secure as possible. Where you need a different approach, like SET TIME, you can define your own EXPLORER_SQL_BLACKLIST list which doesn't include SET.