Placeholder For Table Name
I'm working on editable table. and would like to ask about the placeholder for the table name. I tried many ways but it doesn't work. Is it secure to do this? and how to do it? I h
Solution 1:
Security depends on source of column and table names you're going to use. It can be potentially insecure if you get them from untrusted sources. In either case variable table/column name are not safe in sence of potential runtime errors for non existent tables/columns.
For your code, one do not use placeholders for a table or column name. The reason is that while SQLs with different bound variables are equal in terms of tables involved, execution plan et.c. (i.e. compiled equivalently), SQLs with different table names or columns are obviously not equal.
You can do it like follows:
sql_template ='UPDATE {table} SET {column}=? WHERE rowid=?'sql= sql_template.format(table=table_name, column=column_name)
db.execute(sql, (newValue, id))
Post a Comment for "Placeholder For Table Name"