sqlite3 - adding tables and rows via parameters

Steve Holden steve at holdenweb.com
Sat Apr 12 18:00:46 EDT 2008


Vlastimil Brom wrote:
> 
> 2008/4/12, Steve Holden <steve at holdenweb.com <mailto:steve at holdenweb.com>>:
> 
>     Vlastimil Brom wrote:
>      > Hi all,
>      > I would like to ask about the usage of sqlite3 in python, more
>      > specifically about a way to pass table
>      > or column names to a SQL commands using parameters.
> 
> 
>     The thing that will stop you from using a tablename as an argument to a
>     parameterized query is that (the) front-ends (I am familiar with) don't
>     allow table names to be parameterized ...
> 
>     ...
> 
> 
> regards
>   Steve
> --
> Steve Holden        +1 571 484 6266   +1 800 494 3119
> Holden Web LLC              http://www.holdenweb.com/
> 
> =======================
> 
> Thank you very much for the explanation Steve!
> I noticed the limitation, but wasn't sure if I wasn't missing 
> anything, as I don't have much experience with databases (now I am 
> actually trying to reimplement what was previously managed with 
> nested dictionaries - hence I don't think something more robust than 
> sqlite is appropriate).
> But now I am not sure; are there any (security ...) risks of using 
> string interpolation for table and column names in the SQL commands? Or 
> are the values, where parametrization (with ? in sqlite3) is supported, 
> the only vulnerable part; whereas e.g. an incorrect value of what should 
> be a name is safe (of course, apart from the unsuccessful command itself)?
> 
Ultimately that depends where the table and column names come from. If 
they are user inputs then you are still vulnerable to SQL injection, but 
usually that's not the case when a query is being parameterized - 
usually it's values.

As long as you consider the source of your data carefully you'll 
probably be OK.

regards
  Steve
-- 
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC              http://www.holdenweb.com/
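
An added example (not from this thread) of the approach Steve describes: because sqlite3's `?` placeholders cannot bind table or column names, the names are checked against an allowlist of known identifiers and then quoted, while the values still go through `?`. The `words` table, its columns and the sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed allowlist: the only table/column names this code may ever
# splice into SQL text. Anything else, whatever its source, is rejected.
ALLOWED_TABLES = {"words": {"word", "hits"}}
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_identifier(name):
    """Quote an identifier with SQL double quotes, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def checked_identifier(table, column=None):
    """Return a quoted name only if it is well-formed and on the allowlist."""
    if table not in ALLOWED_TABLES or not _IDENT_RE.match(table):
        raise ValueError("unknown table: %r" % (table,))
    if column is None:
        return quote_identifier(table)
    if column not in ALLOWED_TABLES[table] or not _IDENT_RE.match(column):
        raise ValueError("unknown column %r for table %r" % (column, table))
    return quote_identifier(column)


def insert_row(conn, table, values):
    """Identifiers come from checked_identifier(); values are bound with ?."""
    cols = [checked_identifier(table, c) for c in values]
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        checked_identifier(table), ", ".join(cols), ", ".join("?" * len(cols)))
    conn.execute(sql, tuple(values.values()))
    conn.commit()


def count_where(conn, table, column, value):
    sql = "SELECT COUNT(*) FROM %s WHERE %s = ?" % (
        checked_identifier(table), checked_identifier(table, column))
    return conn.execute(sql, (value,)).fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "words" ("word" TEXT, "hits" INTEGER)')
    insert_row(conn, "words", {"word": "spam", "hits": 3})
    insert_row(conn, "words", {"word": "eggs", "hits": 1})
    matched = count_where(conn, "words", "word", "spam")          # 1
    # A value containing SQL syntax stays plain data because it is bound.
    bound = count_where(conn, "words", "word", "x' OR '1'='1")    # 0
    try:  # a column name that is not on the allowlist never reaches SQL
        count_where(conn, "words", "word; --", "spam")
        rejected = False
    except ValueError:
        rejected = True
    return matched, bound, rejected
```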
