Passing a column name in a SELECT statement in Python

by

You cannot use SQL parameters to interpolate column names. You’ll have to use classic string formatting for those parts. That’s the point of SQL parameters; they quote values so they cannot possibly be interpreted as SQL statements or object names.

The following, using string formatting for the column name works, but be 100% certain that the filters[0] value doesn’t come from user input:

cursor.execute("SELECT * FROM PacketManager WHERE {} = ?".format(filters[0]), (parameters[0],))

You probably want to validate the column name against a set of permissible column names, to ensure no injection can take place.

More Related Contents:

  1. Select Query To Get Last 9 Months Data in SQLite3
  2. sqlite3.ProgrammingError: Incorrect number of bindings supplied. The current statement uses 1, and there are 74 supplied
  3. No module named _sqlite3
  4. Sqlite / SQLAlchemy: how to enforce Foreign Keys?
  5. Force Python to forego native sqlite3 and use the (installed) latest sqlite3 version
  6. Parameter substitution for a SQLite “IN” clause
  7. OperationalError: database is locked
  8. Python SQLite parameter substitution with wildcards in LIKE
  9. How can I get dict from sqlite query?
  10. Sqlite3, OperationalError: unable to open database file
  11. Using a WHERE ___ IN ___ statement
  12. parameter unsupported when inserting int in sqlite
  13. How to read datetime back from sqlite as a datetime instead of string in Python?
  14. Python sqlite3 string variable in execute
  15. Why is SQLAlchemy insert with sqlite 25 times slower than using sqlite3 directly?
  16. SQLite parameter substitution and quotes
  17. Bulk insert huge data into SQLite using Python
  18. String similarity with Python + Sqlite (Levenshtein distance / edit distance)
  19. Is there a way to get a list of column names in sqlite?
  20. “no such table” exception
  21. sqlite3.OperationalError: unable to open database file
  22. What is an efficient way of inserting thousands of records into an SQLite table using Django?
  23. How to upgrade sqlite 3.8.2 to >= 3.8.3
  24. Python 3 sqlite parameterized SQL-query
  25. Why do you need to create a cursor when querying a sqlite database?
  26. How to open and convert sqlite database to pandas dataframe
  27. SQLite, python, unicode, and non-utf data
  28. Pycharm environment different than command line
  29. Can’t change system default SQLite binary
  30. Passing SQLite variables in Python

Leave a Comment