| -rw-r--r-- | debug_toolbar/middleware.py | 4 | ||||
| -rw-r--r-- | debug_toolbar/urls.py | 12 | ||||
| -rw-r--r-- | debug_toolbar/views.py | 17 |
3 files changed, 23 insertions, 10 deletions
diff --git a/debug_toolbar/middleware.py b/debug_toolbar/middleware.py
index 8dcf454..c3cf5f9 100644
--- a/debug_toolbar/middleware.py
+++ b/debug_toolbar/middleware.py
@@ -8,6 +8,8 @@ from django.utils.encoding import smart_unicode
 from django.conf.urls.defaults import include, patterns
 import debug_toolbar.urls
 from debug_toolbar.toolbar.loader import DebugToolbar
+from debug_toolbar.urls import DEBUG_TB_URL_PREFIX
+import os
 
 _HTML_TYPES = ('text/html', 'application/xhtml+xml')
 
@@ -37,7 +39,7 @@ class DebugToolbarMiddleware(object):
     def show_toolbar(self, request):
         if not settings.DEBUG:
             return False
-        if request.is_ajax():
+        if request.is_ajax() and not request.path.startswith(os.path.join('/', DEBUG_TB_URL_PREFIX)): #Allow ajax requests from the debug toolbar
             return False
         if not request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS:
             return False
diff --git a/debug_toolbar/urls.py b/debug_toolbar/urls.py
index 77d1a80..05233e2 100644
--- a/debug_toolbar/urls.py
+++ b/debug_toolbar/urls.py
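Review bot: The AJAX exemption added to show_toolbar compares request.path against `os.path.join('/', DEBUG_TB_URL_PREFIX)`, which is a filesystem helper applied to a URL and produces a prefix with no trailing slash, so any path that merely begins with `/__debug__` (not only the toolbar's own routes) is exempted from the AJAX early-return; a plain URL string is both clearer and tighter: `if request.is_ajax() and not request.path.startswith('/%s/' % DEBUG_TB_URL_PREFIX):`. The check also silently assumes debug_toolbar.urls is included at the site root, which deserves a comment next to the new import. The DEBUG and INTERNAL_IPS checks that follow still apply to exempted AJAX requests, so the ordering is right. show_toolbar continues past the end of the hunk.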
@@ -7,10 +7,12 @@ this into the urlconf for the request.
 from django.conf.urls.defaults import *
 from django.conf import settings
 
+DEBUG_TB_URL_PREFIX = '__debug__'
+
 urlpatterns = patterns('',
-    url(r'^__debug__/m/(.*)$', 'debug_toolbar.views.debug_media'),
-    url(r'^__debug__/sql_select/$', 'debug_toolbar.views.sql_select', name='sql_select'),
-    url(r'^__debug__/sql_explain/$', 'debug_toolbar.views.sql_explain', name='sql_explain'),
-    url(r'^__debug__/sql_profile/$', 'debug_toolbar.views.sql_profile', name='sql_profile'),
-    url(r'^__debug__/template_source/$', 'debug_toolbar.views.template_source', name='template_source'),
+    url(r'^%s/m/(.*)$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.debug_media'),
+    url(r'^%s/sql_select/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.sql_select', name='sql_select'),
+    url(r'^%s/sql_explain/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.sql_explain', name='sql_explain'),
+    url(r'^%s/sql_profile/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.sql_profile', name='sql_profile'),
+    url(r'^%s/template_source/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.template_source', name='template_source'),
 )
diff --git a/debug_toolbar/views.py b/debug_toolbar/views.py
index e3bb5b1..0fb4168 100644
--- a/debug_toolbar/views.py
+++ b/debug_toolbar/views.py
@@ -8,11 +8,17 @@ import os
 import django.views.static
 from django.conf import settings
 from django.db import connection
-from django.http import HttpResponse, HttpResponseBadRequest
+from django.http import HttpResponseBadRequest
 from django.shortcuts import render_to_response
 from django.utils import simplejson
 from django.utils.hashcompat import sha_constructor
 
+class InvalidSQLError(Exception):
+    def __init__(self, value):
+        self.value = value
+    def __str__(self):
+        return repr(self.value)
+
 def debug_media(request, path):
     root = getattr(settings, 'DEBUG_TOOLBAR_MEDIA_ROOT', None)
     if root is None:
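Review bot: DEBUG_TB_URL_PREFIX is interpolated into the five route regexes with `%` but never escaped, so the patterns are only correct while the prefix contains no regex metacharacters; since the constant exists precisely to make the prefix changeable, either `re.escape(DEBUG_TB_URL_PREFIX)` at the interpolation sites or a comment on the constant stating the restriction would keep its two uses (a regex here, a plain string prefix in middleware.show_toolbar) in agreement. The constant also has no documentation; `# URL path segment under which every toolbar view is served; middleware.py matches request.path against it` on the line above it would tell the next reader why the two files must agree.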
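Review bot: InvalidSQLError is introduced with no docstring and with a hand-rolled `value`/`__str__` pair that only duplicates what `Exception` already stores and prints for a single argument; the class can shrink to `class InvalidSQLError(Exception):` followed by the docstring `"""Raised by the SQL debug views when the submitted statement is not a SELECT."""` and nothing else, which gives the same `str()` output for the string messages the views pass. As written the class is also not mentioned as part of the module's public surface, so a reader cannot tell whether callers are expected to catch it; the docstring should say so if they are.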
@@ -36,7 +42,7 @@ def sql_select(request):
     hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()
     if hash != request.GET.get('hash', ''):
         return HttpResponseBadRequest('Tamper alert') # SQL Tampering alert
-    if sql.lower().startswith('select'):
+    if sql.lower().strip().startswith('select'):
         params = simplejson.loads(params)
         cursor = connection.cursor()
         cursor.execute(sql, params)
@@ -50,6 +56,7 @@ def sql_select(request):
         'headers': headers,
     }
     return render_to_response('debug_toolbar/panels/sql_select.html', context)
+    raise InvalidSQLError("Only 'select' queries are allowed.")
 
 def sql_explain(request):
     """
@@ -67,7 +74,7 @@ def sql_explain(request):
     hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()
     if hash != request.GET.get('hash', ''):
         return HttpResponseBadRequest('Tamper alert') # SQL Tampering alert
-    if sql.lower().startswith('select'):
+    if sql.lower().strip().startswith('select'):
         params = simplejson.loads(params)
         cursor = connection.cursor()
         cursor.execute("EXPLAIN %s" % (sql,), params)
@@ -81,6 +88,7 @@ def sql_explain(request):
         'headers': headers,
     }
     return render_to_response('debug_toolbar/panels/sql_explain.html', context)
+    raise InvalidSQLError("Only 'select' queries are allowed.")
 
 def sql_profile(request):
     """
@@ -98,7 +106,7 @@ def sql_profile(request):
     hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()
     if hash != request.GET.get('hash', ''):
         return HttpResponseBadRequest('Tamper alert') # SQL Tampering alert
-    if sql.lower().startswith('select'):
+    if sql.lower().strip().startswith('select'):
         params = simplejson.loads(params)
         cursor = connection.cursor()
         cursor.execute("SET PROFILING=1") # Enable profiling
@@ -116,6 +124,7 @@ def sql_profile(request):
         'headers': headers,
     }
     return render_to_response('debug_toolbar/panels/sql_explain.html', context)
+    raise InvalidSQLError("Only 'select' queries are allowed.")
 
 def template_source(request):
     """
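Review bot: The `raise InvalidSQLError("Only 'select' queries are allowed.")` appended at the end of sql_select (and identically in the sql_explain and sql_profile hunks below) leaves the view uncaught, so a non-SELECT statement now ends in a 500 or the Django debug page instead of the client error that the `HttpResponseBadRequest('Tamper alert')` a few lines above returns for the neighbouring failure; `return HttpResponseBadRequest("Only 'select' queries are allowed.")` keeps the three views consistent and needs no exception class at all. The raise is reached only for statements whose SECRET_KEY-bound hash verified, that is the toolbar's own logged non-SELECT queries, so it is an ordinary user action rather than an attack indicator and a 400 is the proportionate response. The `.strip()` added to the prefix test is fine, but it is worth a comment that this test is a sanity check only and that the hash comparison above it is what actually limits which statements reach `cursor.execute`. All three functions begin and end outside their hunks.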
