Nathan Hinchey

Reputation: 1201

string interpolation in SQL query: dangerous and/or wrong? (python)

We all know the story of Bobby Tables and not to just use simple string interpolation with strings that come from users.

But what I'm wondering is whether it's OK to use string interpolation from my own hardcoded strings.

For example, I see no way this is dangerous, but I want to make sure. And if it is simply the wrong way to go about it for some non-security reason I'd like to know that, too.

# Client-supplied value is used only as a key into a dict of hardcoded
# table names; the client string itself never reaches the query text.
table_dict = {'option1': 'table_1', 'option2': 'table_2'}

string_from_front_end = 'option1'  # sample value received from the client

query_string = "SELECT * FROM {}".format(table_dict[string_from_front_end])

Obviously this is a far simpler example than what I intend to actually do -- my real query is much longer -- but my question is about that string interpolation.

  1. Is it safe?
  2. Is there a better way I should be doing this?

Upvotes: 0

Views: 2023

Answers (1)

ngoue

Reputation: 1055

As long as the query will never include user input, then it's fine.

Though I would recommend using an ORM where possible, as they are often written to handle string interpolation.

Upvotes: 1
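The following is an added example, not code from either poster, showing why the lookup in the question is safe and what it should still guard against. It assumes an in-memory sqlite3 database with the two table names from the question (the column names, the `min_id` filter, and the function names are assumptions for illustration). The client value is only ever used as a dictionary key, so the SQL text contains nothing but literals we wrote ourselves; an unknown key raises instead of falling back to the raw input; and any actual data values still travel as bound parameters, never via interpolation. The `unsafe_build_query` function shows the pattern the lookup avoids: interpolating the client string directly, which a single-statement payload (no semicolon needed) can abuse.

```python
import sqlite3

# Hardcoded allow-list of identifiers the application is willing to query.
# Only these literals can ever appear in the SQL text.
TABLE_DICT = {"option1": "table_1", "option2": "table_2"}


def build_query(option: str) -> str:
    """Map a client-supplied option to a hardcoded table name.

    The option is used purely as a dict key. If it is not a known key,
    raise rather than letting the raw string anywhere near the query.
    """
    try:
        table = TABLE_DICT[option]
    except KeyError:
        raise ValueError(f"unknown option: {option!r}") from None
    return f"SELECT * FROM {table}"


def fetch_rows(conn: sqlite3.Connection, option: str, min_id: int) -> list:
    """Identifier from the allow-list; the data value as a bound parameter."""
    sql = build_query(option) + " WHERE id >= ? ORDER BY id"
    return conn.execute(sql, (min_id,)).fetchall()


def unsafe_build_query(option: str) -> str:
    """The anti-pattern: the client string is interpolated as-is."""
    return f"SELECT * FROM {option}"


def run_unsafe(conn: sqlite3.Connection, option: str) -> list:
    """Execute the unsafe query so the effect of a payload can be observed.

    sqlite3's execute() only runs one statement, but an injection does
    not need a second statement: a UNION appended to the identifier is
    enough to add attacker-chosen rows to the result.
    """
    return conn.execute(unsafe_build_query(option)).fetchall()


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data (assumed schema, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_1 (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE table_2 (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO table_1 VALUES (?, ?)",
                     [(1, "a"), (2, "b"), (3, "c")])
    conn.executemany("INSERT INTO table_2 VALUES (?, ?)", [(10, "x")])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_rows(db, "option1", 2))
    try:
        build_query("table_1 UNION SELECT 99, 'injected'")
    except ValueError as exc:
        print("rejected:", exc)
    # Same payload against the interpolating version adds a forged row.
    print(run_unsafe(db, "table_1 UNION SELECT 99, 'injected'"))
```

The point of the two builders side by side is that "safe" comes from the allow-list, not from the use of `format`: the moment the dict lookup is replaced by the client string (or by a `.get(option, option)` style fallback), the query is back to Bobby Tables territory. Failing closed on an unknown key also stops a bare `KeyError` from leaking a stack trace that hints at the accepted option names.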
