Jeff Elkins wrote:
> I'm attempting to pass an SQL query via the console:
>
> $ ./getbd month 05
>
> The arguments get seem to passed correctly (via print statements) and then:
>
> cursor.execute ("""
> SELECT name, month, day ,category, city FROM bday
> WHERE %s = %s
> """,(arg1,arg2))
>
> No results. However, if I hardcode the WHERE argument with a field name:
>
> cursor.execute ("""
> SELECT name, month, day ,category, city FROM bday
> WHERE month = %s
> """,(arg2))
>
> It works.
>
Because here you aren't trying to parameterize the name of a database
object.
> How can I code the left side of the WHERE clause so I can pass an arbitrary
> field name to search on?
>
>
You might have to construct the SQL statement to include the names of
tables and columns. It's still better to use parameterization for data
substitutions, though, because then you don't have to perform any quoting.
--
Steve Holden +1 703 861 4237 +1 800 494 3119
Holden Web LLC http://www.holdenweb.com/
Python Web Programming http://pydish.holdenweb.com/
--
http://mail.python.org/mailman/listinfo/python-list
