Can You Use Variable Table Names in SQLite Without String Constructors?

Variable Table Names in SQLite without String Constructors

In SQLite, can variable table names be used without resorting to vulnerable string constructors?

Background

Consider a project cataloging simulation data in a SQLite database. To improve efficiency and flexibility, tables are desired for each star to avoid querying a large table for a small subset of data. However, using string constructors for table names is discouraged due to SQL injection risks.

Question

Is it possible to use a variable as a table name without utilizing string constructors, akin to:

cursor.execute("CREATE TABLE (?) (etc etc)", self.name)

Answer

Unfortunately, SQLite does not allow parameter substitution for table names.

Mitigating SQL Injection

To address SQL injection concerns, consider implementing a function to sanitize table names before use:

def sanitize_table_name(table_name):
    return ''.join(char for char in table_name if char.isalnum())

This function cleans table names by removing special characters, such as punctuations and whitespaces, resulting in alphanumeric strings.

Example Usage

To use the sanitized table name:

sanitized_name = sanitize_table_name(self.name)
cursor.execute(f"CREATE TABLE StarFrame{sanitized_name} (etc etc)")

The above is the detailed content of Can You Use Variable Table Names in SQLite Without String Constructors?. For more information, please follow other related articles on the PHP Chinese website!