omz:forum



    A bit of help needed on sqlite3 [solved]

    Pythonista
    • ccc
      ccc last edited by ccc

      I created a utility to dump the table layout information from sqlite databases. The sqlite3 docs talk about a question mark style of variable substitution in execute statements but I could not figure it out.

      import sqlite3
      cursor = sqlite3.connect(":memory:").cursor()  # table_name is the name of an existing table
      cursor.execute("SELECT * FROM {}".format(table_name))  # works but..
      cursor.execute("SELECT * FROM (?)", (table_name, ))    # does not.
      
      • omz
        omz last edited by

        I found this StackOverflow post: pysqlite: Placeholder substitution for column or table names? – according to the answers, it's simply not possible to use placeholders for table names.

        • ccc
          ccc last edited by

          Yes... That is backed up by http://stackoverflow.com/questions/474261/python-pysqlite-not-accepting-my-qmark-parameterization ... I will just leave my code as is. Thx.

          • Phuket2
            Phuket2 last edited by

            @ccc, I have been reading about this and it has been doing my head in :) but generally speaking they say don't use any Python string manipulation functions if possible because of SQL injection attacks. This is primarily a web server issue vs. local databases unless you are accepting input. I really wish the sqlite3 dbapi2 had a simple style DAO or RDO or ADODB etc. ORM. I was trying to build a DAO style object set, but failed again :(

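The two points raised so far (ccc's question about why `?` cannot stand in for a table name, and Phuket2's worry about SQL injection when the name is spliced in with string formatting) can be shown side by side in one small script. This is an added example written for this page, not code from ccc, omz or Pythonista: it builds a throwaway in-memory database with two constructed tables, shows the placeholder statement from the first post failing, and then dumps the table layout the safe way, by checking the requested name against `sqlite_master` (where `?` binding works, because the name is compared as a value) and only then quoting it as an identifier for `PRAGMA table_info`. The function and table names are the example's own.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample database: two tables, one with an awkward name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE "odd name" (x REAL);
    """)
    return conn


def placeholder_for_table_name_fails(conn: sqlite3.Connection, table_name: str = "users") -> bool:
    """Reproduce the thread's second statement: '?' binds values, never identifiers,
    so SQLite rejects the statement at parse time."""
    try:
        conn.execute("SELECT * FROM (?)", (table_name,))
    except sqlite3.Error:
        return True
    return False


def table_exists(conn: sqlite3.Connection, table_name: str) -> bool:
    """Placeholders are fine here: the name is compared as a string value in WHERE,
    so whatever the caller passes can only ever match a real table name or nothing."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchone()
    return row is not None


def quote_identifier(name: str) -> str:
    """Double-quote an SQL identifier, doubling any embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def table_layout(conn: sqlite3.Connection, table_name: str):
    """Return (column, declared type, not null, primary key) for one table.
    The name is only interpolated after it has been confirmed to exist."""
    if not table_exists(conn, table_name):
        raise ValueError(f"unknown table: {table_name!r}")
    rows = conn.execute(f"PRAGMA table_info({quote_identifier(table_name)})").fetchall()
    # PRAGMA table_info columns: cid, name, type, notnull, dflt_value, pk
    return [(r[1], r[2], bool(r[3]), bool(r[5])) for r in rows]


def dump_layout(conn: sqlite3.Connection) -> dict:
    """The utility from the first post: layout of every table in the database."""
    names = [
        r[0]
        for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    ]
    return {name: table_layout(conn, name) for name in names}


if __name__ == "__main__":
    db = make_sample_db()
    print("placeholder as table name fails:", placeholder_for_table_name_fails(db))
    for table, columns in dump_layout(db).items():
        print(table)
        for col in columns:
            print("   ", col)
```

The check-then-quote pattern is the practical answer to both posts: the only table names that ever reach the formatted string are ones the database itself reported, so a value such as `users"; DROP TABLE users; --` is rejected by `table_exists` before any statement is built, and quoting handles legitimate names with spaces or quotes. For a script that only ever reads its own local database, as Phuket2 notes, the exposure is small, but the extra query costs nothing and makes the utility safe to point at a filename someone else supplies.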
            • omz
              omz last edited by

              It kinda makes sense – if you have potentially malicious user input, I can't really imagine a scenario where you'd want to use that directly as a table name in a query...

              @Phuket2 Welcome back! :)

              • Phuket2
                Phuket2 @omz last edited by

                @omz , thanks :)
