[Tutor] sqlite: does "?" work in PRAGMA commands?
Terry Carroll
carroll at tjc.com
Thu Aug 2 17:16:34 CEST 2007
On Thu, 2 Aug 2007, John Fouhy wrote:
> I'm not sure about PRAGMA, but you can do introspection in sqlite by
> examining the table 'sqlite_master'.
Thanks. That's how I get the table names, actually. But it doesn't give
the column names.
It does give the SQL used to create the table, so I could theoretically
parse that out.
I suppose I don't actually have a risk in this particular case by using
the python-based "%" substitution, rather than the DB API "?"
substitution. The table names come directly out of the schema, with no
opportunity for a user-driven SQL injection. I'd just like to use good
habits from the start.
More information about the Tutor
mailing list