Not able to interface odbc using pengines

I’m using: SWI-Prolog version 8.5.10 for x86_64-linux, Pengines version 0.1.8 (using python 2)

I have created predicates to query MySQL commands using ODBC; all of them are working fine when used through the swipl tool.
I have created an ODBC Data Source in /etc/odbc.ini.

But when I’m hosting a Prolog server and accessing those predicates using the python-pengines API, an error starts appearing. Below is the error I am getting:

Response string
{
  "code":"permission_error",
  "data":"No permission to call sandboxed `odbc_connect(_5598,_5600,_5602)'\nReachable from:\n\t  '3b8aca44-102e-4832-b3de-1349e90941a4':create_db_connect",
  "event":"error",
  "id":"3b8aca44-102e-4832-b3de-1349e90941a4"
}
Error communicating with planner: Error - probably invalid Prolog query?

My code looks like this:

% test_database.pl
:- use_module(library(odbc)).
create_db_connect :-
    odbc_connect('test', _,
                 [ alias(mydb),
                   open(once)
                 ]).

disconnect_database :- odbc_disconnect(mydb).

Please let me know how I can query ODBC commands using python-pengines & resolve this issue.

Thanks

Pengines work with a sandbox. The sandbox establishes the reachable call graph from a query and checks each predicate using a white list. The built-in white list only contains predicates that have no side effects and do not access any data considered private.

If you want to use Pengines with a database, the idea is that you create a Prolog module that exports the operations you consider safe. That is typically not odbc_connect/3 as the ability to call that without constraints is a huge security risk. Instead, you probably open the database at initialization time and you provide predicates that run safe SQL queries on this connection. Next, you add these safe predicates to the white list and load this library when creating the Pengine server using

:- use_module(pengine_sandbox:myfile).

Or you add a use_module/1 call to the pengine program. As the file is already loaded, this is considered safe and only imports the interface of the library to the current pengine.

The idea is that, by loading libraries and defining a safe API, you create an environment for the pengine programs to combine this API arbitrarily, i.e., you “move your program to the data”.

If you are working in a safe environment (the Pengine endpoint is behind a firewall or running HTTPS with a good password/certificate) you can also disable the sandbox.

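The approach described in the answer above, as an added sketch that is not code from the thread or from the SWI-Prolog project: the connection is opened once at load time, one fixed parameterised query is exported, and only that predicate is added to the sandbox white list. The module name `safe_db`, the predicate `customer_name/2`, and the `customer` table with its `id` and `name` columns are hypothetical; the DSN `test` and alias `mydb` are taken from the question.

```prolog
% safe_db.pl (hypothetical file name)
% Exports only the database operations considered safe for pengines.
:- module(safe_db, [customer_name/2]).

:- use_module(library(odbc)).
:- use_module(library(error)).

% Open the connection at initialization time, outside the sandbox.
% Pengine code never gets to call odbc_connect/3 itself.
:- initialization(open_db).

open_db :-
    odbc_connect('test', _,
                 [ alias(mydb),
                   open(once)
                 ]).

%!  customer_name(+Id, -Name) is nondet.
%
%   Fixed SQL text with a bound parameter: the caller supplies a value,
%   never SQL. The table and column names are assumptions made for
%   this example.
customer_name(Id, Name) :-
    must_be(integer, Id),
    setup_call_cleanup(
        odbc_prepare(mydb,
                     'SELECT name FROM customer WHERE id = ?',
                     [integer],
                     Statement),
        odbc_execute(Statement, [Id], row(Name)),
        odbc_free_statement(Statement)).

% Add the safe predicate, and nothing else, to the sandbox white list.
:- multifile sandbox:safe_primitive/1.

sandbox:safe_primitive(safe_db:customer_name(_, _)).

% In the file that starts the Pengine server, load the library as the
% answer describes:
%
%   :- use_module(pengine_sandbox:safe_db).
```

With this loaded, a pengine query such as `customer_name(1, Name)` passes the sandbox check, while a direct call to `odbc_connect/3` is still rejected with the permission error shown in the question.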