2008/4/12, Steve Holden <[EMAIL PROTECTED]>:
>
> Vlastimil Brom wrote:
> > Hi all,
> > I would like to ask about the usage of sqlite3 in python, more
> > specifically about a way to pass table
> > or column names to a SQL commands using parameters.
>
> The thing that will stop you from using a tablename as an argument to a
> parameterized query is that (the) front-ends (I am familiar with) don't
> allow table names to be parameterized ...
>
> ...


regards
  Steve
--
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC              http://www.holdenweb.com/

=======================

Thank you very much for the explanation Steve!
I noticed the limitation, but wasn't sure if I wasn't missing anything,
as I don't have much experience with databases (now I am actually trying to
reimplement what was previously managed with nested dictionaries - hence
I don't think something more robust than sqlite is appropriate).
But now I am not sure; are there any (security ...) risks of using string
interpolation for table and column names in the SQL commands? Or are the
values, where parametrization (with ? in sqlite3) is supported, the only
vulnerable part; whereas e.g. an incorrect value of what should be a name
is safe (of course, apart from the unsuccessful command itself)?

TIA
 Vlasta
-- 
http://mail.python.org/mailman/listinfo/python-list
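Since sqlite3 only binds values with `?`, a table or column name that ends up in the SQL text has to be checked some other way. The following is an added example, not code from either poster: it accepts a name only if the database itself reports that table and column (an allowlist from `sqlite_master` and `PRAGMA table_info`), quotes it as an identifier, and binds the actual value with `?`. The `lemmas` schema and its rows are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample schema so the script runs offline.
SCHEMA = """
CREATE TABLE lemmas (id INTEGER PRIMARY KEY, word TEXT, freq INTEGER);
INSERT INTO lemmas (word, freq) VALUES ('alpha', 3), ('beta', 5);
"""

def quote_identifier(name):
    """Quote a name as an SQLite identifier; embedded double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'

def checked_identifiers(conn, table, column):
    """Return (table, column) only if both exist in the current schema.

    Names cannot be bound with '?', so before they are interpolated into
    SQL text they are compared against what the database reports, which
    turns an arbitrary string into a member of a known allowlist.
    """
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    if row is None:
        raise ValueError("unknown table: %r" % table)
    # PRAGMA arguments cannot be bound either; the table name is now known-good.
    columns = [r[1] for r in conn.execute(
        "PRAGMA table_info(%s)" % quote_identifier(table))]
    if column not in columns:
        raise ValueError("unknown column %r in table %r" % (column, table))
    return table, column

def lookup(conn, table, column, value):
    """Select rows where table.column == value; names are checked, the value is bound."""
    table, column = checked_identifiers(conn, table, column)
    sql = "SELECT * FROM %s WHERE %s = ?" % (
        quote_identifier(table), quote_identifier(column))
    return conn.execute(sql, (value,)).fetchall()

def open_demo_db():
    """In-memory database loaded with the constructed sample schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    conn = open_demo_db()
    print(lookup(conn, "lemmas", "word", "alpha"))
    try:
        lookup(conn, "lemmas", "no_such_column", "alpha")
    except ValueError as e:
        print("rejected:", e)
```

A wrong name is therefore refused before any SQL containing it is built, rather than failing (or doing something unintended) inside the database.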
