Python sqlite3 parameterized drop table

You cannot use parameters for table names nor column names. Alternatively you could make it a two-step process, e.g.:

    a_table_name = "table_a"
    sql_stmt = f"""DROP TABLE {a_table_name}"""
    self.conn.execute(sql_stmt)

And if you’re doing that you may want to explicitly specify which tables can be deleted…

    TABLES_THAT_CAN_BE_DROPPED = ('table_a','table_b',)
    if a_table_name in TABLES_THAT_CAN_BE_DROPPED:
        # use code snippet …

How do I re-write a SQL query as a parameterized query?

You need to use parameters instead of just concatenating together your SQL:

    using (SqlConnection con = new SqlConnection(--your-connection-string--))
    using (SqlCommand cmd = new SqlCommand(con))
    {
        string query = "SELECT distinct ha FROM app WHERE 1+1=2";

        if (comboBox1.Text != "")
        {
            // add an expression with a parameter
            query += " AND firma = @value1 ";
            …

What is parameterized query?

A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the “parameters” (think “variables”) that need to be inserted into the statement for it to be executed. It’s commonly used as a means of preventing SQL injection attacks. You can …