Forum Archive

A bit of help needed on sqlite3 [solved]

ccc

I create a utility to dump the table layout information from sqlite databases. The sqlite3 docs talk about a question mark style of variable substitution in execute statements but I could not figure it out.

cursor.execute("SELECT * FROM {}".format(table_name))  # works but..
cursor.execute("SELECT * FROM (?)", (table_name, ))    # does not.
omz

I found this StackOverflow post: pysqlite: Placeholder substitution for column or table names? – according to the answers, it's simply not possible to use placeholders for table names.

ccc

Yes... That is backed up by http://stackoverflow.com/questions/474261/python-pysqlite-not-accepting-my-qmark-parameterization ... I will just leave my code as is. Thx.

Phuket2

@ccc , I have been reading about this and it has been doing my head in :) but generally speaking they say don't use any Python string manipulation functions if possible because sql injection attacks. This is primary a web server issue Vrs local databases unless you are accepting input. I really wish the sqlite3 dbapi2 had a simple style DAO or RDO or ADODB etc ORM. I was trying to build a DAO style object set, but failed again :(

omz

It kinda makes sense – if you have potentially malicious user input, I can't really imagine a scenario where you'd want to use that directly as a table name in a query...

@Phuket2 Welcome back! :)

Phuket2

@omz , thanks :)