Welcome!
This is the community forum for my apps Pythonista and Editorial.
For individual support questions, you can also send an email. If you have a very short question or just want to say hello — I'm @olemoritz on Twitter.
A bit of help needed on sqlite3 [solved]
-
I create a utility to dump the table layout information from sqlite databases. The sqlite3 docs talk about a question mark style of variable substitution in execute statements but I could not figure it out.
cursor.execute("SELECT * FROM {}".format(table_name)) # works but.. cursor.execute("SELECT * FROM (?)", (table_name, )) # does not. -
I found this StackOverflow post: pysqlite: Placeholder substitution for column or table names? – according to the answers, it's simply not possible to use placeholders for table names.
-
Yes... That is backed up by http://stackoverflow.com/questions/474261/python-pysqlite-not-accepting-my-qmark-parameterization ... I will just leave my code as is. Thx.
-
@ccc , I have been reading about this and it has been doing my head in :) but generally speaking they say don't use any Python string manipulation functions if possible because sql injection attacks. This is primary a web server issue Vrs local databases unless you are accepting input. I really wish the sqlite3 dbapi2 had a simple style DAO or RDO or ADODB etc ORM. I was trying to build a DAO style object set, but failed again :(
-
It kinda makes sense – if you have potentially malicious user input, I can't really imagine a scenario where you'd want to use that directly as a table name in a query...
@Phuket2 Welcome back! :)
-
@omz , thanks :)
