2008/4/12, Steve Holden <[EMAIL PROTECTED]>:
>
> Vlastimil Brom wrote:
> > Hi all,
> > I would like to ask about the usage of sqlite3 in python, more
> > specifically about a way to pass table
> > or column names to SQL commands using parameters.
> >
> The thing that will stop you from using a tablename as an argument to a
> parameterized query is that (the) front-ends (I am familiar with) don't
> allow table names to be parameterized ...
>
> ...
> regards
> Steve
> --
> Steve Holden +1 571 484 6266 +1 800 494 3119
> Holden Web LLC http://www.holdenweb.com/

=======================

Thank you very much for the explanation Steve!

I noticed the limitation, but wasn't sure if I wasn't missing anything, as I don't have much experience with databases (now I am actually trying to reimplement what was previously managed with nested dictionaries - hence I don't think something more robust than sqlite is appropriate).

But now I am not sure; are there any (security ...) risks of using string interpolation for table and column names in the SQL commands? Or are the values, where parametrization (with ? in sqlite3) is supported, the only vulnerable part; whereas e.g. an incorrect value of what should be a name is safe (of course, apart from the unsuccessful command itself)?

TIA
Vlasta
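An added example, not part of the original thread, for the question above: a table or column name interpolated into the SQL text is parsed as SQL just like an interpolated value would be, so names need their own check. This sketch validates names against the database's own schema before quoting them and keeps `?` binding for values; the helper names and the `people` table are assumptions made for illustration.

```python
import sqlite3


def quote_identifier(name):
    # SQLite identifier quoting: wrap in double quotes, double embedded quotes.
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def known_tables(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}


def known_columns(conn, table):
    # PRAGMA arguments cannot be bound with ?, so the table is checked first.
    if table not in known_tables(conn):
        raise ValueError("unknown table: %r" % (table,))
    rows = conn.execute("PRAGMA table_info(%s)" % quote_identifier(table))
    return {row[1] for row in rows}  # row[1] is the column name


def select_where(conn, table, column, value):
    # Names: allowlisted against the schema, then quoted and interpolated.
    # Value: always bound with ?, never interpolated.
    if column not in known_columns(conn, table):
        raise ValueError("unknown column: %r" % (column,))
    sql = "SELECT * FROM %s WHERE %s = ?" % (
        quote_identifier(table), quote_identifier(column))
    return conn.execute(sql, (value,)).fetchall()


def demo():
    # Constructed sample data, not taken from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)",
                     [("Ann", "Brno"), ("Bob", "Oslo")])
    rows = select_where(conn, "people", "city", "Brno")
    try:
        # A "column name" that carries SQL syntax is not in the schema.
        select_where(conn, "people", "city = 'x' OR 1=1 --", "Brno")
        rejected = False
    except ValueError:
        rejected = True
    return rows, rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist does the real work here; quoting alone only guarantees the string is read as a single identifier, not that it names something the caller is meant to touch.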