explorerhq / sql-explorer

SQL reporting that Just Works. Fast, simple, and confusion-free. Write and share queries in a delightful SQL editor, with AI assistance.

Home Page: https://www.sqlexplorer.io


Security Alert: Blacklist not working 👀

avi-perl opened this issue · comments

My settings:

EXPLORER_SQL_BLACKLIST = (
    "ALTER",
    "CREATE TABLE",
    "DELETE",
    "DROP",
    "GRANT",
    "INSERT INTO",
    "OWNER TO",
    "RENAME ",
    "REPLACE",
    "SCHEMA",
    "TRUNCATE",
    "UPDATE",
)

EXPLORER_SQL_WHITELIST = "REGEXP_REPLACE"

My query, running successfully in saved and playground queries.

UPDATE users SET username = 'something_else' where id = 1

Ultimately, the real solution for me will be a read-only user in the DB, but this is a fairly significant security flaw!

Related issues: #490 #454

The last change to the blacklist check was meant to improve a bug in it at the time and can be found here:

0f074cd#diff-32d6fb9b8f63c9448ae3557a4171d5e1e7809a1bf05b7f49088f24ddd6d27bca

This should fail now in the latest master branch with the following error:

Query failed the SQL blacklist: SET, UPDATE

This fix will be included in the next release.
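As an added illustration (not code from sql-explorer or from either participant above), the following Python contrasts a naive case-insensitive substring blacklist, which needs the REGEXP_REPLACE whitelist entry to stay usable and flags identifiers such as updated_at, with a keyword-token check, both run against the settings and query quoted in the issue. The setting names are copied from the issue; the tokenizer and the helper names are assumptions.

```python
import re

# Constructed copy of the settings quoted in the issue above.
EXPLORER_SQL_BLACKLIST = ("ALTER", "CREATE TABLE", "DELETE", "DROP", "GRANT",
                          "INSERT INTO", "OWNER TO", "RENAME ", "REPLACE",
                          "SCHEMA", "TRUNCATE", "UPDATE")
EXPLORER_SQL_WHITELIST = ("REGEXP_REPLACE",)

# Hypothetical word tokenizer: identifiers and keywords are single tokens,
# so "updated_at" and "regexp_replace" never look like UPDATE or REPLACE.
_WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def substring_hits(sql):
    """Naive check: case-insensitive substring match after masking the whitelist.
    It flags 'updated_at' as UPDATE and words inside string literals, and only
    the whitelist entry keeps REGEXP_REPLACE from tripping REPLACE."""
    upper = sql.upper()
    for allowed in EXPLORER_SQL_WHITELIST:
        upper = upper.replace(allowed.upper(), " ")
    return [entry for entry in EXPLORER_SQL_BLACKLIST if entry.upper() in upper]


def keyword_hits(sql):
    """Token check: an entry hits only when its words appear as a consecutive run
    of whole tokens outside comments and single-quoted string literals."""
    body = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)      # block comments
    body = re.sub(r"--[^\n]*", " ", body)                   # line comments
    body = re.sub(r"'(?:[^']|'')*'", " ", body)             # string literals
    tokens = [t.upper() for t in _WORD_RE.findall(body)]
    hits = []
    for entry in EXPLORER_SQL_BLACKLIST:
        needle = [w.upper() for w in _WORD_RE.findall(entry)]  # "RENAME " -> ["RENAME"]
        n = len(needle)
        if any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1)):
            hits.append(entry)
    return hits


def check_query(sql):
    """Return the error text in the form the maintainer quotes, or None on pass."""
    hits = keyword_hits(sql)
    if hits:
        return "Query failed the SQL blacklist: " + ", ".join(sorted(hits))
    return None
```

With the reporter's settings only UPDATE is flagged; the maintainer's output also lists SET, which is not among the settings quoted above. Neither check replaces the read-only database user the reporter mentions, since a keyword filter can only reject statements it recognises.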