SQLite table name parameter
I am trying to replace some of my string inserts with parameters. So I have this code that executes the request:
cursor.execute("DELETE FROM %s WHERE COL=%s" % ("tablename","column"))
I can replace it with
cursor.execute("DELETE FROM tablename WHERE COL=?" , ("column"))
But I want my scoreboard name to be in a variable. How to protect variable insertion for table from SQL injection?
+3
source to share
1 answer