Passing a column name in a SELECT statement in Python

python sqlite

You cannot use SQL parameters to interpolate column names. You'll have to use classic string formatting for those parts. That's the point of SQL parameters; they quote values so they cannot possibly be interpreted as SQL statements or object names.

The following, using string formatting for the column name works, but be 100% certain that the filters[0] value doesn't come from user input:

cursor.execute("SELECT * FROM PacketManager WHERE {} = ?".format(filters[0]), (parameters[0],))

You probably want to validate the column name against a set of permissible column names, to ensure no injection can take place.


You can only set parameters using ?, not table or column names.

You could build a dict with predefined queries.

queries = {
    "foo": "SELECT * FROM PacketManager WHERE foo = ?",
    "bar": "SELECT * FROM PacketManager WHERE bar = ?",
    "foo_bar": "SELECT * FROM PacketManager WHERE foo = ? AND bar = ?",
}

# count == 1
cursor.execute(queries[filters[0], parameters[0])

# count == 2
cursor.execute(queries[filters[0] + "_" + queries[filters[1], parameters[0])

This approach will make you save from SQL injection in filters[0].

Related

XML Deserialization of collection property with code defaults
How do I update Cmder to use PowerShell Core?
Shortcut to open Network Connections from Run
How to invert the selection in vim?
Windows Vista: How to execute a .exe program in the cmd "As Administrator"
Can I merge Inbox and Sent Items into one view in Outlook 2007?
Is there any replacement for putty [closed]
Installing a library locally in home directory, but program doesn't recognize it
How to insert a new line and jump to it, in emacs?
how to resume ddrescue process?
Where does thunderbird store message filters and how can I import them?
How can I copy a single file and maintain directory structure?