
We all know the story of Bobby Tables and not to just use simple string interpolation with strings that come from users.

But what I'm wondering is whether it's OK to use string interpolation from my own hardcoded strings.

For example, I see no way this is dangerous, but I want to make sure. And if it is simply the wrong way to go about it for some non-security reason I'd like to know that, too.

table_dict = {'option1': 'table_1', 'option2': 'table_2'}

# string_from_front_end is the option the client sent; it is only used
# as a lookup key, so only the hardcoded dict values reach the SQL text.
query_string = "SELECT * FROM {}".format(table_dict[string_from_front_end])

Obviously this is a far simpler example than what I intend to actually do (my real query is much longer), but my question is about that string interpolation.

  1. Is it safe?
  2. Is there a better way I should be doing this?
  • There isn't much you can do other than string interpolation with queries like this. Prepared statements cannot be used to dynamically specify table/column names. Commented Jun 21, 2017 at 16:11

1 Answer


As long as the query will never include user input, then it's fine.

Though I would recommend using an ORM where possible, as they are often written to handle string interpolation.
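The pattern the question and the answer describe, written out as a runnable example (added here, not code from the original post or from any library): the table name is selected from a hardcoded allowlist and interpolated into the SQL text, while the user-supplied filter value is bound as a parameter. The `score` column, the in-memory SQLite tables and the `min_score` filter are constructed for the demonstration; `run_unsafe` is the Bobby Tables version kept alongside so the difference is visible on the same input.

```python
import sqlite3

# Allowlist mapping the value the front end sends to a hardcoded table name.
# Only the dict *values* ever reach the SQL text, so the front-end string
# cannot inject anything: an unknown key is rejected before any SQL is built.
TABLE_DICT = {"option1": "table_1", "option2": "table_2"}


def build_query(option, min_score):
    """Return (sql, params) for the table selected by `option`.

    The table identifier is interpolated from TABLE_DICT (hardcoded), while
    the user-controlled filter value is passed as a bound parameter, never
    formatted into the string.
    """
    if option not in TABLE_DICT:
        raise ValueError("unknown table option: %r" % (option,))
    table = TABLE_DICT[option]
    sql = 'SELECT id, score FROM "{}" WHERE score >= ?'.format(table)
    return sql, (min_score,)


def run_safe(conn, option, min_score):
    """Execute the allowlisted query with the value bound as a parameter."""
    sql, params = build_query(option, min_score)
    return conn.execute(sql, params).fetchall()


def run_unsafe(conn, option, min_score):
    """The Bobby Tables version: the user value is formatted into the SQL."""
    table = TABLE_DICT[option]
    sql = 'SELECT id, score FROM "{}" WHERE score >= {}'.format(table, min_score)
    return conn.execute(sql).fetchall()


def make_demo_db():
    """Constructed in-memory sample data (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE table_1 (id INTEGER PRIMARY KEY, score INTEGER);
        CREATE TABLE table_2 (id INTEGER PRIMARY KEY, score INTEGER);
        INSERT INTO table_1 (score) VALUES (10), (50), (90);
        INSERT INTO table_2 (score) VALUES (5);
        """
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(run_safe(conn, "option1", 40))            # [(2, 50), (3, 90)]
    # Bound as a parameter, the payload is just a string compared to an
    # integer column: it matches nothing and runs no extra SQL.
    print(run_safe(conn, "option1", "0 OR 1=1"))    # []
    # Formatted into the text, the same payload rewrites the WHERE clause.
    print(run_unsafe(conn, "option1", "0 OR 1=1"))  # all three rows
    try:
        build_query('table_1"; DROP TABLE table_1; --', 0)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the check on `option` is that the front-end string is only ever a dictionary key: it is never concatenated, so there is no quoting or escaping to get right for the identifier. Everything that is genuinely user data still goes through `?` placeholders, which is the part prepared statements are able to protect.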
