Python MySQLdb execute table variable [duplicate]

By Posted on

Question :

Python MySQLdb execute table variable [duplicate]

I’m trying to use a variable for a table name. I get the error “… near ”myTable” at line 1
I must not be escaping this right. The double ” in the error seems to be a clue, but I don’t get it.

db = MySQLdb.connect("localhost","user","pw","database" )
table = "myTable"
def geno_order(db, table):
    cursor = db.cursor() # prepare a cursor object using cursor() method
    sql = "SELECT * FROM %s"
    cursor.execute(sql, table)
    results = cursor.fetchall()
Asked By: Jim Smith

||
Source

Answer #1:

You can’t use a parameter for the table name in the execute call. You’ll need to use normal Python string interpolation for that:

sql = "SELECT * FROM %s" % table
cursor.execute(sql)

Naturally, you’ll need to be extra careful if the table name is coming from user input. To mitigate SQL injection, validate the table name against a list of valid names.

Answered By: Daniel Roseman

Related posts:

Leave a Reply

Your email address will not be published. Required fields are marked *