2

I am trying to use string formatting with SQL. But while passing in variables, these are inserted with quotes and break the syntax.

Example

Here I am trying to pass in the table name to the function.

def see_results(cur, table):
    print("complete")
    cur.execute(''' SELECT * from %s ''', (table,))
    results = cur.fetchall()
    print(results)

Issue

If I pass "temp_yellow_pages" as argument the resulting query is: ''' SELECT * from "temp_yellow_pages" '''. This breaks.

I can't think of a way to assign anything to the variable table without using "'s as query = temp_yellow_pages would break as well.

Improve this question
5
  • 2
    You cannot pass the name of the table as a query parameter. You would have to insert it into the actual query string. Commented Jan 10, 2022 at 19:42
  • 1
    Depending on what library you are using, you might have something safer than f"SELECT * from {table}" available. Commented Jan 10, 2022 at 19:48
  • 2
    What if I set table to be table = "employee -- drop table employee" or some other "here be dragons" example of sql based on string concat? Commented Jan 10, 2022 at 19:48
  • 4
    psycopg2, for example, provides cur.execute(psycopg2.sql.SQL("select * from {}").format(sql.Identifier(table))). Note this isn't str.format, but a SQL.format method that knows about SQL syntax. Commented Jan 10, 2022 at 19:50
  • Thanks everyone. I figured that f-string literal might be the only way but was interested to see if there was some other common solution. Commented Jan 10, 2022 at 19:51

1 Answer 1

Reset to default
3

String building (prone to SQL injection)

What khelwood means:

def selectFrom(table):
    return 'SELECT * FROM ' + table


def see_results(cur, table):
    print("complete")
    cur.execute(selectFrom(table))
    results = cur.fetchall()
    print(results)

or even using f-strings cur.execute(f"SELECT * FROM {table}" directly.

But what if there is malicious input in passed argument table like an appended DROP or TRUNCATE statement (SQL injection)?

Query building (safer)

Using SQL capable libraries (SQL framework or database-frontend) like psycopg, you can build the SQL using safe methods which apply input-validation.

See the examples in module psycopg2.sql to compose an SQL-statement for a given table parameter.

from psycopg2 import sql

cur.execute(
    sql.SQL("SELECT * FROM {} WHERE values IN (%s, %s)")
        .format(sql.Identifier('my_table')),
    [10, 20])
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.