Steve Holden wrote:
> Jeff Elkins wrote:
>>... cursor.execute("SELECT name, month, day ,category, city "
>> " FROM bday WHERE %s = %s", (arg1,arg2))
>> No results. However, if I hardcode the WHERE argument with a field name:
>> cursor.execute("SELECT name, month, day ,category, city "
>> " FROM bday WHERE month = %s", (arg2,))
>> Works.
>>
> Because here you aren't trying to parameterize the name of a database
> object.
>
>> How can I code the left side of the WHERE clause so I can pass an
>> arbitrary field name to search on?
>>
>>
> You might have to construct the SQL statement to include the names of
> tables and columns. It's still better to use parameterization for data
> substitutions, though, because then you don't have to perform any quoting.
I'm sure Steve knows this, but for those wondering:
A database system will often produce an optimized execution plan
from the first argument (and cache that plan). The string had
better be good enough for the DBMS to determine how to best perform
the query. This means only data can be parameterized, not table or
field names). The query plan includes things like which indexes to
use and what tables to access in what order.
--Scott David Daniels
[EMAIL PROTECTED]
--
http://mail.python.org/mailman/listinfo/python-list
