1

In Python I want to select a specific value from a dynamic column and wonder if I can do that using a parameterized statement without using SQLAlchemy - the one below gives me the variable output, not the content of the cell in SQL. If I replace the variable ":map_scenario" behind the "Select" and make it static, it gives me the value from the cell - so it has to have something to do with the variable usage here:

self.c.execute("select :map_scenario FROM map_config WHERE map_alias=:sqlmap_alias", {'map_scenario': val_gamemode, 'sqlmap_alias': val_map_alias_result})

Any ideas as to where I have a wrong concept are highly appreciated - searching didn't give me a hint, although I tried it with the masking "?" and "%s" - all the same?

Guess SQL doesn't support this kind of injection, so I would have to build the query before I send it for execution, right?

asked Dec 4, 2020 at 14:19

1 Answer

1

Got it, had to create the SQL statement outside the query and then put it in:

val_map_alias_result = (str(val_map_alias[0]))
query = ("select " + val_gamemode + " FROM map_config WHERE map_alias=:sqlmap_alias")

That works perfectly.

answered Dec 4, 2020 at 14:44
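Added example, not part of the question or the answer above: it reproduces why the bound `:map_scenario` comes back as the string itself, and shows the column name being checked against a fixed allowlist before it is placed into the statement text, while the alias stays a bound parameter. It assumes the standard `sqlite3` module; the column names, the allowlist and the sample row are constructed for illustration.

```python
import sqlite3

# Hypothetical column names; only map_config and map_alias come from the post.
ALLOWED_SCENARIOS = {"conquest", "rush"}


def make_db():
    # Constructed in-memory table with one sample row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE map_config (map_alias TEXT, conquest TEXT, rush TEXT)")
    conn.execute("INSERT INTO map_config VALUES ('dust', 'dust_cq', 'dust_rush')")
    return conn


def bound_column(conn, scenario, alias):
    # The question's form: a bound parameter is always treated as a value,
    # so the SELECT returns the string itself, not the column's content.
    row = conn.execute(
        "SELECT :map_scenario FROM map_config WHERE map_alias = :sqlmap_alias",
        {"map_scenario": scenario, "sqlmap_alias": alias},
    ).fetchone()
    return row[0] if row else None


def scenario_value(conn, scenario, alias):
    # Identifiers cannot be bound, so the name is checked against a fixed
    # allowlist before it becomes part of the statement text.
    if scenario not in ALLOWED_SCENARIOS:
        raise ValueError(f"unknown scenario column: {scenario!r}")
    query = f'SELECT "{scenario}" FROM map_config WHERE map_alias = :sqlmap_alias'
    row = conn.execute(query, {"sqlmap_alias": alias}).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(bound_column(db, "conquest", "dust"))    # the literal string
    print(scenario_value(db, "conquest", "dust"))  # the cell content
```

With the allowlist in place, a `val_gamemode` that is not a known column raises an error instead of being concatenated into the SQL.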