Can an arbitrary column name be used in sqlite3 db?
I am trying to use ? to allow me to set arbitrary column names.
import sqlite3
conn = sqlite3.connect(':memory:')
c = conn.cursor()
c.execute("create table mytab (? text, ? real)", ('v1', 'v2'))
But I got the following error. So it is not possible to use ? when creating tables?
Traceback (most recent call last):
  File "/tmp/main1.py", line 10, in <module>
    c.execute("create table mytab (? text, ? real)", ('v1', 'v2'))
sqlite3.OperationalError: near "?": syntax error
python sqlite3
asked Mar 22 at 17:30 by user1424739
Possible duplicate of Variable table name in sqlite (table/column names are equivalent in relation to the question)
– Alex K.
Mar 22 at 17:35
2 Answers
Try something like this instead?
"create table mytab ({} text, {} real)".format('v1', 'v2')
answered Mar 22 at 17:38 by Yongkang Zhao
Hi! While this answer may solve OP's problem, it is discouraged to post code-only answers on SO. Providing some explanation will help OP understand this solution better, while also contributing to SO's mission of providing quality solutions to future users of the site. Thanks!
– d_kennetz
Mar 22 at 17:58
Does this allow arbitrary column names?
– user1424739
Mar 22 at 18:18
What do you mean by arbitrary column names?
– Yongkang Zhao
Mar 22 at 18:56
For example, a column name that contains any ASCII code (such as ESC).
– user1424739
Mar 22 at 20:38
I have no idea, but I found this page, and it could be useful for you. Check user35443's answer: stackoverflow.com/questions/3373234/…
– Yongkang Zhao
Mar 25 at 21:10
SQL parameter substitution is the solution to SQL injection. It tries to separate the functional components (e.g. the keyword SELECT, the statement separator ;, etc.) from the data components (e.g. numbers, strings, etc., data that is totally unrelated to the SQL function).
The point of a parameter is to request that the input data be properly escaped, if needed, before it is passed on to the SQL engine, so data stays data, and functional components are functional components.
So you can do:
SELECT x FROM table_y WHERE z = ?
and pass '""; DROP TABLE table_y' as the parameter, and that is exactly a string to match. But you cannot do:
SELECT x FROM table_y WHERE ? = '""; DROP TABLE table_y'
and pass 'z' as the parameter and expect it to mean the same, because when you pass in 'z', it is interpreted as a string, not a column name. With this idea in mind, you will see that the SQL in your example will only result in an SQL syntax error.
answered Mar 22 at 17:51 by adrtam
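Added example (not part of the original question or answers): it shows the value/identifier split described above on a live SQLite connection, and one way to build DDL with caller-supplied column names by quoting them as identifiers instead of formatting them in raw. The helpers quote_identifier, create_table, column_names and the ALLOWED_TYPES set are hypothetical names introduced here, and the column names are constructed samples.

```python
import sqlite3

ALLOWED_TYPES = {"text", "real", "integer", "blob"}  # assumption: types this app permits


def quote_identifier(name):
    """Quote a table/column name as an SQL identifier: wrap it in double
    quotes and double any embedded double quote."""
    if not name or "\x00" in name:
        raise ValueError("identifier must be non-empty and contain no NUL")
    return '"' + name.replace('"', '""') + '"'


def create_table(conn, table, columns):
    """columns is a list of (name, type); names are quoted, types allowlisted."""
    parts = []
    for name, ctype in columns:
        if ctype.lower() not in ALLOWED_TYPES:
            raise ValueError(f"column type not allowed: {ctype!r}")
        parts.append(f"{quote_identifier(name)} {ctype}")
    conn.execute(f"CREATE TABLE {quote_identifier(table)} ({', '.join(parts)})")


def column_names(conn, table):
    """Read the stored column names back from the schema."""
    rows = conn.execute(f"PRAGMA table_info({quote_identifier(table)})")
    return [row[1] for row in rows]


def demo():
    conn = sqlite3.connect(":memory:")
    # Constructed sample names: plain, containing ESC, containing quotes and SQL text.
    names = ["v1", "esc\x1bname", '""; DROP TABLE table_y']
    create_table(conn, "table_y", [(n, "text") for n in names])
    stored = column_names(conn, "table_y")

    hostile = '""; DROP TABLE table_y'
    conn.execute('INSERT INTO table_y ("v1") VALUES (?)', (hostile,))
    # Bound in a value position: matched as an ordinary string.
    as_value = conn.execute(
        'SELECT count(*) FROM table_y WHERE "v1" = ?', (hostile,)).fetchone()[0]
    # Bound where a column name was intended: compared as the literal 'v1'.
    as_column = conn.execute(
        "SELECT count(*) FROM table_y WHERE ? = ?", ("v1", hostile)).fetchone()[0]
    # Placeholder in an identifier position of DDL: rejected by the parser.
    try:
        conn.execute("CREATE TABLE mytab (? text, ? real)", ("v1", "v2"))
        ddl_error = None
    except sqlite3.OperationalError as exc:
        ddl_error = str(exc)
    return stored, as_value, as_column, ddl_error


if __name__ == "__main__":
    print(demo())
```

Where the set of valid column names is known in advance, checking the name against that set before quoting is the stricter control.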