You simply can not use placeholders for column or table names. I don’t have a authoritative citation for this — I “know” this only from having tried it and from failing. It makes some sense though:
- If the columns and table could be parametrized, there would be little
purpose to preparing (execute
-ing) the SQL statement before fetching, since all parts of the statement could be
replaced. - I’m not sure about pysqlite1, but MySQLdb automatically quotes all
string parameters. Column and table names should not be quoted. So it
would complicate the parsing required by the driver if it had to
decide if a placeholder represented a column or table name versus a
value that needs quoting.
In short, you’ve found the right way — use string formating.
c.execute('SELECT {} FROM {} WHERE id=?'.format(column, table), row))
1 Not all drivers quote parameters — oursql
doesn’t, since it sends SQL and arguments to the server separately.