Monday, 27 July 2015

SQLite table name parameter

I'm trying to replace some of my string insertions with parameters. So I have this code that executes the query:

cursor.execute("DELETE FROM %s WHERE COL=%s" % ("tablename","column"))

I can replace it with

cursor.execute("DELETE FROM tablename WHERE COL=?", ("column",))  # parameters must be a tuple: ("column",), not ("column")

But I want my tablename to be in a variable. How can I protect insertion of a variable for a table from SQL injection?
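Identifiers such as table names cannot be bound with `?`, so the usual defence is to validate the variable against an allowlist of known table names before it ever reaches the query string, and keep `?` for the values. The following is an added example (not code from the question); the table names, column name and sample rows are constructed for the demo:

```python
import sqlite3

# Assumed allowlist of tables this code may delete from. Alternatively the
# set could be read from sqlite_master at startup; the point is that the
# caller-supplied name is compared against known names, never trusted.
ALLOWED_TABLES = frozenset({"users", "sessions"})

def quote_identifier(name):
    """Quote an SQLite identifier with double quotes, doubling any embedded
    quote. Only applied after the name has passed the allowlist check."""
    return '"' + name.replace('"', '""') + '"'

def delete_rows(conn, table, value):
    """DELETE FROM <table> WHERE col = ?  The table name is validated against
    ALLOWED_TABLES; the value is bound as a parameter, never interpolated."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table)
    sql = "DELETE FROM %s WHERE col = ?" % quote_identifier(table)
    cur = conn.execute(sql, (value,))  # one-element tuple, not a bare string
    conn.commit()
    return cur.rowcount

def make_demo_db():
    """Constructed in-memory database with sample rows (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (col TEXT)")
    conn.execute("CREATE TABLE sessions (col TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("a",), ("b",), ("a",)])
    conn.executemany("INSERT INTO sessions VALUES (?)", [("a",)])
    conn.commit()
    return conn

def demo():
    conn = make_demo_db()
    deleted = delete_rows(conn, "users", "a")  # two rows match
    # A table name that is not on the allowlist (here a real system table)
    # is refused before any SQL is built, so it never reaches the database.
    try:
        delete_rows(conn, "sqlite_master", "a")
        rejected = False
    except ValueError:
        rejected = True
    # The value is bound, so a quote inside it is plain data and matches nothing.
    delete_rows(conn, "sessions", "a' OR '1'='1")
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return deleted, rejected, remaining
```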
