Question:
Ensuring correct SQL syntax is a challenge when executing SQL queries using table names as parameters.
Solution:
psycopg2.sql module
According to the official documentation, psycopg2’s sql module provides a safe way to dynamically generate SQL queries. It introduces the following syntax:
<code>from psycopg2 import sql
cur.execute(sql.SQL("insert into {table} values (%s, %s)")
.format(table=sql.Identifier('my_table')),
[10, 20])</code>This approach ensures correct SQL syntax and eliminates the risk of injection attacks.
Note: The AsIs method should not be used to represent table or field names. Instead, use the sql module.
Safety Warning:
Pycopg2 strongly warns against using Python string concatenation or string parameter interpolation to pass variables to SQL queries, and highlights potential security vulnerabilities.
The above is the detailed content of How Can I Safely Pass a Table Name as a Parameter in psycopg2 SQL Queries?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
