60

I'm working on a project right now that catalogs data from a star simulation of mine. To do so I'm loading all the data into a sqlite database. It's working pretty well, but I've decided to add a lot more flexibility, efficiency, and usability to my db. I plan on later adding planetoids to the simulation, and wanted to have a table for each star. This way I wouldn't have to query a table of 20m some planetoids for the 1-4k in each solar system.

I've been told using string constructors is bad because it leaves me vulnerable to a SQL injection attack. While that isn't a big deal here as I'm the only person with access to these dbs, I would like to follow best practices.

Currently I'm doing this:

cursor.execute("CREATE TABLE StarFrame"+self.name+" (etc etc)")

This works, but I would like to do something more like:

cursor.execute("CREATE TABLE StarFrame(?) (etc etc)",self.name)

though I understand that this would probably be impossible. though I would settle for something like

cursor.execute("CREATE TABLE (?) (etc etc)",self.name)

Is it possible to use a variable as your table name without having to use string constructors to do so?

mkrieger1
24.2k7 gold badges68 silver badges84 bronze badges
asked Jul 14, 2010 at 14:34

10 Answers 10

61

Unfortunately, tables can't be the target of parameter substitution (I didn't find any definitive source, but I have seen it on a few web forums).

If you are worried about injection (you probably should be), you can write a function that cleans the string before passing it. Since you are looking for just a table name, you should be safe just accepting alphanumerics, stripping out all punctuation, such as )(][;, and whitespace. Basically, just keep A-Z a-z 0-9.

def scrub(table_name):
 return ''.join( chr for chr in table_name if chr.isalnum() )
scrub('); drop tables --') # returns 'droptables'
answered Jul 14, 2010 at 15:10
Sign up to request clarification or add additional context in comments.

4 Comments

Personally, I'd throw an exception if such characters are seen instead. They must not be there, so something is wrong and I'd rather know about it.
-1; the details of this answer seem flawed. It's overly restrictive (not allowing, for instance, underscores in table names, which are fairly common) and, as @JanHudec has pointed out, if scrub() ever actually removes any characters, it's almost certainly going to have broken the query; that should cause an exception to be thrown immediately rather than waiting for query execution time to find out.
The issue is that parameters can only substitute in values, not other identifiers or general bits of SQL. That means that they're trivial to inject into the bytecoded version of the query. Substituting more generally would require recompiling the query (yes, even for just changing table or column names) so the SQLite engine says "no", and you need to do it in the outer language.
In my mind, the real question is why the end user has input into the names of tables used in the database. Perhaps there's a better way to normalize OP's database.
13

For people searching for a way to make the table as a variable, I got this from another reply to same question here:

It said the following and it works. It's all quoted from mhawke:

You can't use parameter substitution for the table name. You need to add the table name to the query string yourself. Something like this:

query = 'SELECT * FROM {}'.format(table)
c.execute(query)

One thing to be mindful of is the source of the value for the table name. If that comes from an untrusted source, e.g. a user, then you need to validate the table name to avoid potential SQL injection attacks. One way might be to construct a parameterised query that looks up the table name from the DB catalogue:

import sqlite3
def exists_table(db, name):
 query = "SELECT 1 FROM sqlite_master WHERE type='table' and name = ?"
 return db.execute(query, (name,)).fetchone() is not None
answered Jun 20, 2018 at 9:59

1 Comment

exists_table is a nice parameterized check when the table might exist; however it doesn't work so well in the OP's create table question...
9

I wouldn't separate the data into more than one table. If you create an index on the star column, you won't have any problem efficiently accessing the data.

answered Jul 14, 2010 at 15:11

5 Comments

I find that hard to believe. To the best of my knowledge sqlite runs through the table and checks to see if the value of the index i want and the value of the index of a star are the same. if they are it selects other wise it continues on and ignores it. That would me it would have to iterate through the couple million entries to find the info it needs. which from a processor stand point, isn't a big deal. but my hdd won't be able to keep up. <br/> also, that would me the addition of 8*(number of planetoids) bytes to the already large file. I don't like the sound of that.
You need to learn more about how SQLite and all relational databases work. They uses indexes to quickly find the rows you want. What you describe is called a "full table scan", and yes, it is horrible. But it can be easily avoided. People make tables with millions of rows all the time, and never have to incur the costs of full table scans.
ah. So this isn't like an identifier inside the actual data being stored? That makes more sense. and yes you are right. I do need to learn more. I can't argue that as I just started using sqlite about 3 weeks ago. >.<
The index is a separate structure apart from the rows in the table. You use a key and the index to quickly find the rows of interest.
If your table FRAME has a column named STAR, then you can tell SQLite to index it with: create index frame_star on frame (star); More here: sqlite.org/lang_createindex.html This isn't specific to SQLite, this is standard SQL, used by all relational databases.
0

Try with string formatting:

sql_cmd = '''CREATE TABLE {}(id, column1, column2, column2)'''.format(
 'table_name')
db.execute(sql_cmd)

Replace 'table_name' with your desire.

answered Jan 13, 2018 at 16:05

1 Comment

This is not recommended as it leaves you susceptible to SQL injection attacks.
-1

As has been said in the other answers, "tables can't be the target of parameter substitution" but if you find yourself in a bind where you have no option, here is a method of testing if the table name supplied is valid.
Note: I have made the table name a real pig in an attempt to cover all of the bases.

import sys
import sqlite3
def delim(s):
 delims="\"'`"
 use_delim = []
 for d in delims:
 if d not in s:
 use_delim.append(d)
 return use_delim
db_name = "some.db"
db = sqlite3.connect(db_name)
mycursor = db.cursor()
table = 'so""m ][ `etable'
delimiters = delim(table)
if len(delimiters) < 1:
 print "The name of the database will not allow this!"
 sys.exit()
use_delimiter = delimiters[0]
print "Using delimiter ", use_delimiter
mycursor.execute('SELECT name FROM sqlite_master where (name = ?)', [table])
row = mycursor.fetchall()
valid_table = False
if row:
 print (table,"table name verified")
 valid_table = True
else:
 print (table,"Table name not in database", db_name)
if valid_table:
 try:
 mycursor.execute('insert into ' +use_delimiter+ table +use_delimiter+ ' (my_data,my_column_name) values (?,?) ',(1,"Name"));
 db.commit()
 except Exception as e:
 print "Error:", str(e)
 try:
 mycursor.execute('UPDATE ' +use_delimiter+ table +use_delimiter+ ' set my_column_name = ? where my_data = ?', ["ReNamed",1])
 db.commit()
 except Exception as e:
 print "Error:", str(e)
db.close()
answered Oct 17, 2015 at 8:38

6 Comments

What if my table is called my table? It's perfectly valid_table, but your UPDATE would fail.
@har-wradim Yes! You are absolutely correct. If you decided to use a table name containing spaces, just as field names containing spaces in sqlite are valid but you wouldn't use them unless you wanted a world of pain.
I just wanted to stress that your solution doesn't address the question. A table may be present in the database and bear an inconvenient name at the same time.
No, this is not a solution. Tables are allowed to have any names (yes, they can include quotation marks, brackets, be identical to key words and be Bobby-Table-like) - space was just an example. See e.g. this blog
@har-wradim Edited again, to use double quotes as per blog.christosoft.de/2012/10/sqlite-escaping-table-acolumn-names
|
-1

you can use something like this conn = sqlite3.connect() createTable = '''CREATE TABLE %s (# );''' %dateNow) conn.execute(createTable)

basically, if we want to separate the data into several tables according to the date right now, for example, you want to monitor a system based on the date.

createTable = '''CREATE TABLE %s (# );''' %dateNow) means that you create a table with variable dateNow which according to your coding language, you can define dateNow as a variable to retrieve the current date from your coding language.

1 Comment

Thank you for this code snippet, which might provide some limited, immediate help. A proper explanation would greatly improve its long-term value by showing why this is a good solution to the problem and would make it more useful to future readers with other, similar questions. Please edit your answer to add some explanation, including the assumptions you’ve made.
-1

To avoid hard-coding table names, I've used:

table = "sometable"
c = conn.cursor()
c.execute('''CREATE TABLE IF NOT EXISTS {} (
 importantdate DATE,
 somename VARCHAR,
 )'''.format(table))
c.execute('''INSERT INTO {} VALUES (?, ?)'''.format(table),
 (datetime.strftime(datetime.today(), "%Y-%m-%d"),
 myname))
answered Nov 5, 2020 at 14:32

1 Comment

This is just another way of inserting a string in a string. You missed the point of the OP, which was to avoid SQL injection risks. If an attacker controls the table string in your example, they could set it to sometable (something)); DROP TABLE myTableName; -- (or even simpler) and you would be in for a lot of hurt.
-1

You can save your query in a .sql or txt file and use the open().replace() method to use variables in any part of your query. Long time reader but first time poster so I apologize if anything is off here.

```SQL in yoursql.sql```
Sel *
From yourdbschema.tablenm
```SQL to run```
tablenm = 'yourtablename'
cur = connect.cursor() 
query = cur.execute(open(file = yoursql.sql).read().replace('tablenm',tablenm))

answered Mar 23, 2021 at 18:12

1 Comment

This is just another (relatively complex in this case) way of inserting a string in a string. You missed the point of the OP, which was to avoid SQL injection risks. If an attacker controls the tablenm string in your example, they could set it to myTableName; DROP TABLE myTableName; -- and you would be in for a lot of hurt.
-1

What about f-Strings, much more readable.

table = "myTableName"
condition = "ID = 5"
sql = f'''SELECT * FROM {table} WHERE {condition}'''
answered May 25, 2023 at 15:27

1 Comment

While this is slightly more readable than concatenating with +, you missed the point of the OP, which was to avoid SQL injection risks. If an attacker controls the table string in your example, they could set it to myTableName; DROP TABLE myTableName; -- and you would be in for a lot of hurt. This is also why we would also use bindings in place of {condition} in your example code.
-4

You can pass a string as the SQL command:

import sqlite3
conn = sqlite3.connect('db.db')
c = conn.cursor()
tablename, field_data = 'some_table','some_data'
query = 'SELECT * FROM '+tablename+' WHERE column1=\"'+field_data+"\""
c.execute(query)
answered Jul 1, 2016 at 23:38

Comments

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.