SQL problem in python
Peter Otten
__peter__ at web.de
Sat Mar 8 12:24:05 EST 2008
aiwarrior wrote:
> When I run it the get_value() returns 'filepath' instead of the
> columns. But if I don't use any variable and make the expression static
> all goes on as it's supposed to. What am I doing wrong?
> self.cursor.execute( "SELECT (?) FROM database", column )
In this case you have to use Python's string interpolation, or the column
will be interpreted as a const value. The following should work:

    self.cursor.execute( "SELECT %s FROM database" % column)

If you must sanitize the column name you can prepend something like

    if column not in allowed_names: raise ValueError

Peter
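
Added example, not part of the original post: it runs both approaches from the thread against an in-memory SQLite database, showing that a `?` placeholder binds a value (so the column name comes back as a literal string) and that an interpolated column name is checked against an allowlist first. The `tracks` table, its columns, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed schema and rows; table and column names are assumptions.
ALLOWED_COLUMNS = {"filepath", "artist", "title"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracks (filepath TEXT, artist TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO tracks VALUES (?, ?, ?)",
        [("/music/a.mp3", "Alice", "First"), ("/music/b.mp3", "Bob", "Second")],
    )
    return conn


def select_bound(conn, column):
    # A placeholder binds a *value*, never an identifier, so each row
    # yields the bound string itself rather than the column's contents.
    return [row[0] for row in conn.execute("SELECT (?) FROM tracks", (column,))]


def select_column(conn, column, artist=None):
    # Identifiers cannot be bound, so the name is interpolated, but only
    # after it has matched a fixed allowlist. Values still use placeholders.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unexpected column name: %r" % (column,))
    sql = 'SELECT "%s" FROM tracks' % column
    params = ()
    if artist is not None:
        sql += " WHERE artist = ?"
        params = (artist,)
    sql += " ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    print(select_bound(conn, "filepath"))
    print(select_column(conn, "filepath"))
    print(select_column(conn, "title", artist="Bob"))
    for name in ("no_such_column", "filepath, artist"):
        try:
            select_column(conn, name)
        except ValueError as exc:
            print("rejected:", exc)
```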