On Thu, 2007-10-11 at 15:14 +0200, Florian Lindner wrote:
> Hello,
> I have a function that executes a SQL statement with MySQLdb:
>
> def executeSQL(sql, *args):
> print sql % args
> cursor = conn.cursor()
> cursor.execute(sql, args)
> cursor.close()
>
> it's called like that:
>
> sql = "INSERT INTO %s (%s) VALUES (%s)"
> executeSQL(sql, DOMAIN_TABLE, DOMAIN_FIELD, domainname)
You can't use parameter binding to substitute table names and column
names, or any other syntax element, into a query. You can only bind
parameters in places where a literal value would be allowed (more or
less, the real rules are more complicated, but this rule of thumb gets
you close enough). You have to construct the query string like this, for
example:
sql = "INSERT INTO "+DOMAIN_TABLE+"("+DOMAIN_FIELD+") VALUES (%s)"
executeSQL(sql, domainname)
HTH,
--
Carsten Haese
http://informixdb.sourceforge.net
--
http://mail.python.org/mailman/listinfo/python-list
