
Author: illume
Recipients: eric.araujo, illume, loewis, petri.lehtinen
Date: 2012-05-29.17:01:16
Message-id: <1338310877.68.0.387881118334.issue11685@psf.upfronthosting.co.za>

Content
Hi,

Here is an article with people trying to find a solution:
http://stackoverflow.com/questions/6514274/how-do-you-escape-strings-for-sqlite-table-column-names-in-python

"The psycopg2 documentation explicitly recommends using normal python % or {} formatting to substitute in table and column names."

SQLAlchemy uses a format_table method with their SQL compiler to quote table names for sqlite.

It's probably just sane to either use SQLAlchemy, use ctypes to get at the sqlite mprintf function, or perhaps look at the above Stack Overflow article for more solutions.

There is Python code out there vulnerable to attack that doesn't quote table names correctly, including at least one major Python framework. Hopefully people who care will follow some of the above links.

cheers,
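The point of the thread is that `?` parameter substitution covers values only, so table and column names have to be quoted as identifiers in the SQL text. The following is an added example, not code from the issue or from the sqlite3 module: it quotes identifiers the way SQLite (following the SQL standard) expects, by wrapping them in double quotes and doubling any embedded double quote, while values still travel through `?` placeholders. The helper names and the awkward sample names are constructed for the demonstration.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote a table or column name for use in SQLite SQL text.

    Identifiers cannot be passed as ? parameters, so they are escaped
    here: wrap in double quotes and double every embedded double quote.
    """
    if not isinstance(name, str):
        raise TypeError("identifier must be a str")
    if "\x00" in name:
        # A NUL byte can never be part of a valid identifier; refuse it
        # up front instead of letting it reach the C layer.
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def create_table(conn, table, columns):
    cols = ", ".join(f"{quote_identifier(c)} TEXT" for c in columns)
    conn.execute(f"CREATE TABLE {quote_identifier(table)} ({cols})")


def insert_row(conn, table, row):
    # Identifiers are quoted; the values still go through ? placeholders.
    cols = ", ".join(quote_identifier(c) for c in row)
    marks = ", ".join("?" for _ in row)
    sql = f"INSERT INTO {quote_identifier(table)} ({cols}) VALUES ({marks})"
    conn.execute(sql, list(row.values()))


def column_names(conn, table):
    cur = conn.execute(f"SELECT * FROM {quote_identifier(table)}")
    return [d[0] for d in cur.description]


def demo():
    """Constructed names: a space, an embedded quote and a reserved word."""
    conn = sqlite3.connect(":memory:")
    table, cols = 'say "hi"', ["select", "a b"]
    create_table(conn, table, cols)
    insert_row(conn, table, {"select": "x", "a b": "y"})
    value = conn.execute(
        f"SELECT {quote_identifier('a b')} FROM {quote_identifier(table)}"
    ).fetchone()[0]
    return column_names(conn, table), value


if __name__ == "__main__":
    print(demo())
```

One caveat: SQLite historically falls back to treating a double-quoted token that matches no column as a string literal, so a misspelled quoted column name can silently become a constant; recent SQLite builds let an application turn that fallback off (the SQLITE_DBCONFIG_DQS_DML / DQS_DDL settings).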
History
Date | User | Action | Args
2012-05-29 17:01:17 | illume | set | recipients: + illume, loewis, eric.araujo, petri.lehtinen
2012-05-29 17:01:17 | illume | set | messageid: <1338310877.68.0.387881118334.issue11685@psf.upfronthosting.co.za>
2012-05-29 17:01:17 | illume | link | issue11685 messages
2012-05-29 17:01:16 | illume | create |