[Psycopg] Weird "ProgrammingError" with "E" string prefix
Harald Armin Massa
chef at ghum.de
Wed Mar 4 09:41:39 CET 2009
Tim,
>> cur.execute("DROP TABLE %s", (table_name,))
> Don't let psycopg do the quoting for table and field names. The
> automatic quoting is ONLY appropriate for field values. Just use the
> normal % operator:
> cur.execute("DROP TABLE %s" % table_name )
obviously this is the correct solution.
BUUUTTTT.... we all learned from xkcd (little droppi table) that using
string substitution to create SQL is a visit to the dark side.
So, my question: is there any SQL-injection-safe way to dynamically
insert table names into SQL?
as in "select col1, col2, col3 from %(table)s where ..."
to make sure nobody inserts "correcttab; drop table students;" as name
for %(table)s ??
Harald
--
GHUM Harald Massa
persuadere et programmare
Harald Armin Massa
Spielberger Straße 49
70435 Stuttgart
0173/9409607
no fx, no carrier pigeon
-
LASIK good, steroids bad?
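Added illustration, not part of the thread: since psycopg's parameter quoting is only for values, a table name from outside must be handled separately. The function below (constructed example, not psycopg code) combines an allowlist of known tables with PostgreSQL's own identifier-quoting rule (double quotes, embedded double quotes doubled), so a name such as "correcttab; drop table students;" becomes one harmless quoted identifier instead of two statements. Newer psycopg2 (2.7 and later) ships `psycopg2.sql.Identifier` for the same purpose.

```python
# Constructed allowlist: the tables this application actually owns.
ALLOWED_TABLES = frozenset({"students", "courses", "enrolments"})


def quote_identifier(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes and double any
    embedded double quote, which is the rule the server itself applies.
    A NUL byte can never be part of a valid identifier, so reject it."""
    if "\x00" in name:
        raise ValueError("identifier contains NUL byte")
    return '"' + name.replace('"', '""') + '"'


def safe_table_sql(template: str, table_name: str, allowed=ALLOWED_TABLES) -> str:
    """Fill the single %(table)s slot of a statement template.

    Layer 1: the name must be on the allowlist (unknown names are refused).
    Layer 2: the name is quoted as an identifier, so even an unexpected
    string cannot terminate the statement.  Any %%s left in the template
    survives as %s and is later bound by cur.execute() as a real value."""
    if table_name not in allowed:
        raise ValueError(f"unknown table: {table_name!r}")
    return template % {"table": quote_identifier(table_name)}


if __name__ == "__main__":
    tmpl = "SELECT col1, col2, col3 FROM %(table)s WHERE col1 = %%s"
    stmt = safe_table_sql(tmpl, "students")
    print(stmt)  # value placeholder stays for cur.execute(stmt, (value,))
    evil = "correcttab; drop table students;"
    print(quote_identifier(evil))  # one quoted identifier, not two statements
    try:
        safe_table_sql(tmpl, evil)
    except ValueError as exc:
        print("refused:", exc)
```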