John Machin sjmachin at lexicon.net
Thu Jan 7 04:28:49 CET 2010

On Jan 7, 1:38 pm, Steve Holden <st... at holdenweb.com> wrote:
> John Machin wrote:
> [...]
> > I note that in the code shown there are examples of building an SQL
> > query where the table name is concocted at runtime via the %
> > operator ... key phrases: "bad database design" (one table per
> > store!), "SQL injection attack"
> I'm not trying to defend the code overall, but most databases won't let
> you parameterize the table or column names, just the data values.

That's correct, and that's presumably why the OP is constructing whole
SQL statements on the fly e.g.

cursor.execute('select max(ID) from %sCustomerData;' % store)

What is the reason for "but" in "but most databases won't ..."? What
are you rebutting?

Let me try again: One table per store is bad design. The
implementation of that bad design may use:

cursor.execute('select max(ID) from %sCustomerData;' % store)
or (if available)
cursor.execute('select max(ID) from ?CustomerData;', (store, ))
but the implementation means is irrelevant.
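An added example (not from the thread or the OP's code) contrasting the two designs discussed above, using Python's sqlite3 module and constructed sample data: with one table per store the identifier cannot be a bound parameter, so it is checked against an allowlist before interpolation; with a single table the store becomes a data value and the DB-API placeholder handles it. The table names, store names and rows are assumptions for illustration.

```python
import re
import sqlite3

# Constructed allowlist of store names; the table-per-store schema
# names each table "<store>CustomerData" as in the thread's snippet.
STORES = ("north", "south")
STORE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,30}$")


def is_valid_store(store):
    """A store name is usable as an identifier only if allowlisted."""
    return store in STORES and STORE_NAME_RE.match(store) is not None


def make_db():
    """Build an in-memory DB holding both schemas with constructed rows."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    for store in STORES:  # one table per store (the "bad design")
        cur.execute(f'CREATE TABLE "{store}CustomerData" '
                    '(ID INTEGER PRIMARY KEY, name TEXT)')
    # single table with a store column (the alternative design)
    cur.execute("CREATE TABLE CustomerData "
                "(ID INTEGER PRIMARY KEY, store TEXT NOT NULL, name TEXT)")
    rows = [("north", "alice"), ("north", "bob"), ("south", "carol")]
    for store, name in rows:
        cur.execute(f'INSERT INTO "{store}CustomerData"(name) VALUES (?)',
                    (name,))
        cur.execute("INSERT INTO CustomerData(store, name) VALUES (?, ?)",
                    (store, name))
    conn.commit()
    return conn


def max_id_per_store_table(conn, store):
    """Table-per-store: identifier is interpolated, but only after
    allowlisting, and quoted so it is never parsed as SQL."""
    if not is_valid_store(store):
        raise ValueError(f"unknown store {store!r}")
    sql = f'SELECT max(ID) FROM "{store}CustomerData"'
    return conn.execute(sql).fetchone()[0]


def max_id_single_table(conn, store):
    """Single table: store is a value, so it is a bound parameter."""
    sql = "SELECT max(ID) FROM CustomerData WHERE store = ?"
    return conn.execute(sql, (store,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(max_id_per_store_table(db, "north"), max_id_single_table(db, "south"))
```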
