Carsten Haese wrote: > On Thu, 2007-10-11 at 15:14 +0200, Florian Lindner wrote: >> Hello, >> I have a function that executes a SQL statement with MySQLdb: >> >> def executeSQL(sql, *args): >> print sql % args >> cursor = conn.cursor() >> cursor.execute(sql, args) >> cursor.close() >> >> it's called like that: >> >> sql = "INSERT INTO %s (%s) VALUES (%s)" >> executeSQL(sql, DOMAIN_TABLE, DOMAIN_FIELD, domainname) > > You can't use parameter binding to substitute table names and column > names, or any other syntax element, into a query. You can only bind > parameters in places where a literal value would be allowed (more or > less, the real rules are more complicated, but this rule of thumb gets > you close enough). You have to construct the query string like this, for > example: > > sql = "INSERT INTO "+DOMAIN_TABLE+"("+DOMAIN_FIELD+") VALUES (%s)" > executeSQL(sql, domainname)
Ok, I understand it and now it works, but why is limitation? Why can't I just the string interpolation in any playes and the cursor function escapes any strings so that they can't do harm to my query? Regards, Florian -- http://mail.python.org/mailman/listinfo/python-list