Rene Dudfield <ill...@users.sourceforge.net> added the comment:

Hi,

Here is an article with people trying to find a solution:
http://stackoverflow.com/questions/6514274/how-do-you-escape-strings-for-sqlite-table-column-names-in-python

"The psycopg2 documentation explicitly recommends using normal python % or {} formatting to substitute in table and column names."

SQLAlchemy uses a format_table method with their SQL compiler to quote table names for SQLite.

It's probably just sane to either use SQLAlchemy, use ctypes to get at the sqlite mprintf function, or perhaps look at the above Stack Overflow article for more solutions.

There is Python code out there vulnerable to attack that doesn't quote table names correctly, including at least one major Python framework. Hopefully people who care will follow some of the above links.

cheers,

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11685>
_______________________________________
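
Added example, not part of the original tracker comment and not code from the sqlite3 module, SQLAlchemy or psycopg2: a minimal identifier-quoting helper for SQLite, shown beside plain `%` formatting of a table name. The helper names (`quote_identifier`, `count_unquoted`, `count_quoted`, `make_db`), the sample tables and the rejection of NUL characters are assumptions of this example.

```python
import sqlite3


def quote_identifier(name):
    """Return name as a double-quoted SQLite identifier (hypothetical helper)."""
    if not isinstance(name, str) or not name:
        raise ValueError("identifier must be a non-empty str")
    if "\x00" in name:
        # Assumption of this example: refuse NUL rather than try to escape it.
        raise ValueError("identifier must not contain NUL")
    # Inside "...", the only character needing escape is the quote, doubled.
    return '"' + name.replace('"', '""') + '"'


def count_unquoted(conn, table):
    # Plain formatting: whatever is in `table` is parsed as SQL text.
    return conn.execute("SELECT count(*) FROM %s" % table).fetchone()[0]


def count_quoted(conn, table):
    # Quoted: `table` can only ever be read as one identifier.
    sql = "SELECT count(*) FROM %s" % quote_identifier(table)
    return conn.execute(sql).fetchone()[0]


def make_db():
    """Build a constructed in-memory database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER)")
    conn.execute("CREATE TABLE audit (id INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?)", [(1,), (2,)])
    conn.executemany("INSERT INTO audit VALUES (?)", [(1,), (2,), (3,)])
    odd = 'odd "name"; x'  # legal table name once quoted
    conn.execute("CREATE TABLE %s (id INTEGER)" % quote_identifier(odd))
    conn.execute("INSERT INTO %s VALUES (1)" % quote_identifier(odd))
    return conn, odd


if __name__ == "__main__":
    conn, odd = make_db()
    supplied = "users, audit"  # constructed input that is not a single name
    print("unquoted:", count_unquoted(conn, supplied))  # second table joined in
    try:
        count_quoted(conn, supplied)
    except sqlite3.OperationalError as exc:
        print("quoted:", exc)  # treated as one (nonexistent) table name
    print("odd name:", count_quoted(conn, odd))
```

Quoting only makes the value a single identifier; code that accepts table names from outside should still check them against the set of tables it expects.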