Home >Database >Mysql Tutorial >How Can I Safely Pass a Table Name as a Parameter in psycopg2 SQL Queries?

How Can I Safely Pass a Table Name as a Parameter in psycopg2 SQL Queries?

Mary-Kate OlsenOriginal: 2025-01-12 11:21:46914browse

Passing table name as parameter in psycopg2

Question:

Ensuring correct SQL syntax is a challenge when executing SQL queries using table names as parameters.

Solution:

psycopg2.sql module

According to the official documentation, psycopg2’s sql module provides a safe way to dynamically generate SQL queries. It introduces the following syntax:

<code>from psycopg2 import sql

cur.execute(sql.SQL("insert into {table} values (%s, %s)")
    .format(table=sql.Identifier('my_table')),
    [10, 20])</code>

This approach ensures correct SQL syntax and eliminates the risk of injection attacks.

Note: The AsIs method should not be used to represent table or field names. Instead, use the sql module.

Safety Warning:

Pycopg2 strongly warns against using Python string concatenation or string parameter interpolation to pass variables to SQL queries, and highlights potential security vulnerabilities.

The above is the detailed content of How Can I Safely Pass a Table Name as a Parameter in psycopg2 SQL Queries?. For more information, please follow other related articles on the PHP Chinese website!

Python sql 字符串 table

Statement：

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Previous article：What Makes a Valid SQLite Table Name?Next article：What Makes a Valid SQLite Table Name?

See more

How Can I Safely Pass a Table Name as a Parameter in psycopg2 SQL Queries?

Passing table name as parameter in psycopg2

Related articles