sqlite3 - adding tables and rows via parameters

Vlastimil Brom vlastimil.brom at gmail.com
Sat Apr 12 20:15:31 CEST 2008

2008/4/12, Steve Holden <steve at holdenweb.com>:
> Vlastimil Brom wrote:
> > Hi all,
> > I would like to ask about the usage of sqlite3 in python, more
> > specifically about a way to pass table
> > or column names to SQL commands using parameters.
> The thing that will stop you from using a tablename as an argument to a
> parameterized query is that (the) front-ends (I am familiar with) don't
> allow table names to be parameterized ...
> ...

Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC              http://www.holdenweb.com/


Thank you very much for the explanation, Steve!
I noticed the limitation, but wasn't sure if I wasn't missing anything,
as I don't have much experience with databases (now I am actually trying to
reimplement what was previously managed with nested dictionaries - hence
I don't think something more robust than sqlite is appropriate).
But now I am not sure; are there any (security ...) risks of using string
interpolation for table and column names in the SQL commands? Or
are the values, where parametrization (with ? in sqlite3) is supported, the
only vulnerable part, whereas e.g. an incorrect value of what should be a
name is safe (of course, apart from the unsuccessful command itself)?
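
The limitation described in the quoted reply, that `?` placeholders bind values but not table or column names, shown as an added example that is not part of the original thread. The helper names (`quote_ident`, `create_table`, `insert_row`), the identifier pattern and the sample table are assumptions made for this illustration; interpolated names become part of the SQL text itself, so they are validated before use while values are still bound with `?`.

```python
import re
import sqlite3

# Assumed policy for this example: names must be plain ASCII identifiers.
# \Z (not $) so a trailing newline cannot slip through.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def quote_ident(name):
    """Return name as a double-quoted SQL identifier, or raise ValueError."""
    if not isinstance(name, str) or not _IDENT.match(name):
        raise ValueError("unsafe identifier: %r" % (name,))
    return '"' + name + '"'

def placeholder_for_table_fails(conn):
    """True if sqlite3 rejects a ? placeholder in table-name position."""
    try:
        conn.execute("CREATE TABLE ? (id INTEGER)", ("words",))
    except sqlite3.Error:  # OperationalError: near "?": syntax error
        return True
    return False

def create_table(conn, table, columns):
    cols = ", ".join(quote_ident(c) + " TEXT" for c in columns)
    conn.execute("CREATE TABLE %s (%s)" % (quote_ident(table), cols))

def insert_row(conn, table, row):
    """Names are validated and interpolated; values are bound with ?."""
    cols = ", ".join(quote_ident(c) for c in row)
    marks = ", ".join("?" for _ in row)
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (quote_ident(table), cols, marks)
    conn.execute(sql, tuple(row.values()))

def demo():
    conn = sqlite3.connect(":memory:")
    placeholder_rejected = placeholder_for_table_fails(conn)
    create_table(conn, "words", ["form", "lemma"])
    # Constructed value containing SQL syntax: stored as data because it is bound.
    insert_row(conn, "words", {"form": "x'); DROP TABLE words; --", "lemma": "x"})
    try:
        # Constructed name containing SQL syntax: must never reach the SQL text.
        insert_row(conn, 'words" (form) VALUES (1); --', {"form": "y"})
        name_rejected = False
    except ValueError:
        name_rejected = True
    rows = conn.execute('SELECT "form", "lemma" FROM "words"').fetchall()
    return placeholder_rejected, name_rejected, rows

if __name__ == "__main__":
    print(demo())
```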
