You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to dynamically set the table name on my queries. To avoid SQL Injection I'm using the option curso.execute(query, params).
When I try to set the table name I get the error:
[PARSE_SYNTAX_ERROR] Syntax error at or near ''my_table_name''(line 1, pos 14)
== SQL ==
SELECT * FROM 'my_table_name'
--------------^^^
To reproduce:
with sql.connect(server_hostname=self.hostname, http_path=self.path, access_token=self.token) as connection:
with connection.cursor() as cursor:
cursor.execute("SELECT * FROM %(table_name)s", {"table_name": "my_table_name"})
result = cursor.fetchall()
for row in result:
print(row)
It seems the table name can't have quotes. Only way I can do this is with:
cursor.execute("SELECT * FROM {}".format("my_table_name"))
I'm trying to dynamically set the table name on my queries. To avoid SQL Injection I'm using the option curso.execute(query, params).
When I try to set the table name I get the error:
To reproduce:
It seems the table name can't have quotes. Only way I can do this is with:
Or other unsafe string substitution.
Am I doing something wrong?