restrict non-readonly queries

app.py

@@ -239,10 +239,30 @@ def clean_sql_response(response: str) -> str:
     return response.strip()
 
 
+def is_read_only_query(query: str) -> bool:
+    """Check if the query is read-only (SELECT only)."""
+    # Convert query to uppercase for case-insensitive comparison
+    query_upper = query.upper()
+    
+    # List of SQL statements that modify data
+    modification_statements = [
+        'INSERT', 'UPDATE', 'DELETE', 'DROP', 'CREATE', 'ALTER', 'TRUNCATE', 
+        'REPLACE', 'MERGE', 'UPSERT', 'GRANT', 'REVOKE'
+    ]
+    
+    # Check if query starts with any modification statement
+    return not any(query_upper.strip().startswith(stmt) for stmt in modification_statements)
+
+
 def execute_query(query):
     if not st.session_state.engine:
         return None
     
+    # Check if the query is read-only
+    if not is_read_only_query(query):
+        st.error("Error: Only SELECT queries are allowed for security reasons.")
+        return None
+    
     try:
         start_time = time.time()
         with st.spinner("Executing SQL query..."):
@@ -299,12 +319,13 @@ def generate_sql_query(user_query):
 {chr(10).join(tables_context)}
 
 Important:
-1. Only return the SQL query, nothing else
-2. The query should be valid PostgreSQL syntax
-3. Do not include any explanations or comments
-4. Make sure to handle NULL values appropriately
-5. If joining tables, use appropriate join conditions based on the schema
-6. Use table names with appropriate qualifiers to avoid ambiguity
+1. Only generate SELECT queries - no INSERT, UPDATE, DELETE, or other data modification statements
+2. Only return the SQL query, nothing else
+3. The query should be valid PostgreSQL syntax
+4. Do not include any explanations or comments
+5. Make sure to handle NULL values appropriately
+6. If joining tables, use appropriate join conditions based on the schema
+7. Use table names with appropriate qualifiers to avoid ambiguity
 
 User Query: {user_query}
 """