SQLite table name parameter

Question

I am trying to replace some of my string inserts with parameters. So I have this code that executes the request:

cursor.execute("DELETE FROM %s WHERE COL=%s" % ("tablename","column"))

I can replace it with

cursor.execute("DELETE FROM tablename WHERE COL=?" , ("column"))

But I want my scoreboard name to be in a variable. How to protect variable insertion for table from SQL injection?

+3

akalikin Jul 27. 15 at 14:45

1 answer

ezig · Answer 1 · 2015-07-27T15:30:52+0000

If your goal is to make sure the variable is a valid table name, you can get a list of table names using

SELECT name FROM sqlite_master WHERE type='table'

And then check if the variable from the config file matches one of the tables. This avoids hard-coding the list of tables.