Variable table name in sqlite

by

Unfortunately, tables can’t be the target of parameter substitution (I didn’t find any definitive source, but I have seen it on a few web forums).

If you are worried about injection (you probably should be), you can write a function that cleans the string before passing it. Since you are looking for just a table name, you should be safe just accepting alphanumerics, stripping out all punctuation, such as )(][;, and whitespace. Basically, just keep A-Z a-z 0-9.

def scrub(table_name):
    return ''.join( chr for chr in table_name if chr.isalnum() )

scrub('); drop tables --')  # returns 'droptables'

More Related Contents:

  1. Importing a CSV file into a sqlite3 database table using Python
  2. OperationalError: database is locked
  3. Is there a way to get a list of column names in sqlite?
  4. SQLite Performance Benchmark — why is :memory: so slow…only 1.5X as fast as disk?
  5. sqlite3.OperationalError: unable to open database file
  6. How to open and convert sqlite database to pandas dataframe
  7. Python sqlite3.OperationalError: no such table:
  8. How do I get the “id” after INSERT into MySQL database with Python?
  9. List of tables, db schema, dump etc using the Python sqlite3 API
  10. Python CSV to SQLite
  11. multiple databases and multiple models in django
  12. How can I verify Column data types in the SQLAlchemy ORM?
  13. Passing a column name in a SELECT statement in Python
  14. A QuerySet by aggregate field value
  15. “no such table” exception
  16. SQLite not saving data between uses
  17. SQLAlchemy: how to filter date field?
  18. What is an efficient way of inserting thousands of records into an SQLite table using Django?
  19. Race conditions in django
  20. What is your favorite solution for managing database migrations in django? [closed]
  21. Problem with regexp python and sqlite
  22. Python 3 sqlite parameterized SQL-query
  23. Why do you need to create a cursor when querying a sqlite database?
  24. django.core.exceptions.ImproperlyConfigured: Error loading MySQLdb module: No module named MySQLdb
  25. sqlite3.ProgrammingError: You must not use 8-bit bytestrings unless you use a text_factory that can interpret 8-bit bytestrings
  26. SQLite, python, unicode, and non-utf data
  27. Django: Increment blog entry view count by one. Is this efficient?
  28. Pycharm environment different than command line
  29. Can’t change system default SQLite binary
  30. How to document default None/null in OpenAPI/Swagger using FastAPI?

Leave a Comment