From: MRAB on
Victor Subervi wrote:
> Hi;
> I have the following code:
>
> cursor.execute('select MyTable from optionsDetails where Store=%s',
>                (store,))
> options_tables = [item[0] for item in cursor]
> for table in options_tables:
>     cursor.execute('select * from %' % table)
>
Should be:

'select * from %s' % table

Details! :-)

> You can already see what my question is. One of y'all said it's possible
> under certain conditions to use the % without risking attack. Now is
> when I need to know how to do that. Please advise.
>
It's safe when there's no way that the value you're putting in can come
from the user.

Here you're taking it from the 'optionsDetails' table. Can the user add,
alter or delete that entry in any way?
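One way to apply MRAB's condition in code, added here as an example and not taken from the thread: values go through the driver's placeholder, and the table names read from optionsDetails are checked against an identifier pattern before being interpolated, so a tampered row is refused rather than executed. It uses sqlite3 (which uses ? placeholders) instead of the poster's MySQL driver, and the schema and rows are constructed for the demo.

```python
import re
import sqlite3

# A bare SQL identifier and nothing else. Quotes, semicolons, spaces and
# comment markers all fail this check, so they never reach the query string.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def is_safe_identifier(name):
    """True if name is a plain identifier that can be interpolated with %s."""
    return isinstance(name, str) and IDENTIFIER_RE.match(name) is not None

def safe_identifier(name):
    """Return name unchanged, or raise ValueError if it is not a plain identifier."""
    if not is_safe_identifier(name):
        raise ValueError("refusing to interpolate untrusted identifier: %r" % (name,))
    return name

def build_demo_db():
    """Constructed in-memory schema mirroring the thread: optionsDetails maps a
    Store to the name of that store's options table."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("create table optionsDetails (Store text, MyTable text)")
    c.execute("create table opts_a (id integer, label text)")
    c.execute("insert into opts_a values (1, 'red'), (2, 'blue')")
    c.execute("insert into optionsDetails values ('storeA', 'opts_a')")
    # A row that someone with write access to optionsDetails could plant;
    # this is the case MRAB's question is about.
    c.execute("insert into optionsDetails values ('storeB', 'opts_a; drop table opts_a')")
    conn.commit()
    return conn

def rows_for_store(conn, store):
    """The value (Store) goes through the driver's placeholder. The table name
    cannot, since placeholders only bind values, so it is validated first and
    then interpolated with %s, which is the poster's original construction."""
    c = conn.cursor()
    c.execute("select MyTable from optionsDetails where Store=?", (store,))
    result = []
    for (table,) in c.fetchall():
        c.execute("select * from %s" % safe_identifier(table))
        result.extend(c.fetchall())
    return result
```

If the contents of optionsDetails are writable by users, the validation step is what stands between them and the table-name interpolation; if they are not, it still costs nothing.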
From: John Nagle on
On 7/16/2010 7:39 AM, MRAB wrote:
> Victor Subervi wrote:
>> Hi;
>> I have the following code:
>>
>> cursor.execute('select MyTable from optionsDetails where Store=%s',
>>                (store,))
>> options_tables = [item[0] for item in cursor]
>> for table in options_tables:
>>     cursor.execute('select * from %' % table)

As has been explained to you repeatedly, you're doing it wrong.

You don't use a relational database to get a field which leads to
another table. Put the options in one table keyed by Store.

Go buy a copy of "Databases for Dummies":

http://www.amazon.com/Intranet-Databases-Dummies-Paul-Litwin/dp/0764502212


John Nagle