
In Python I want to select a specific value from a dynamic column and wonder if I can do that using a parameterized statement without using SQLAlchemy. The one below gives me the variable output, not the content of the cell in SQL. If I replace the variable ":map_scenario" behind the "Select" and make it static, it gives me the value from the cell, so it has to have something to do with the variable usage here:

self.c.execute("select :map_scenario FROM map_config WHERE map_alias=:sqlmap_alias", {'map_scenario': val_gamemode, 'sqlmap_alias': val_map_alias_result})

Any ideas as to where I have a wrong concept are highly appreciated. Searching didn't give me a hint, although I tried it with the masking "?" and "%s" - all the same?

Guess SQL doesn't support this kind of injection, so I would have to build the query before I send it for execution, right?

1 Answer

Got it, had to create the SQL statement outside the query and then put it in:

val_map_alias_result = (str(val_map_alias[0]))
query = ("select " + val_gamemode + " FROM map_config WHERE map_alias=:sqlmap_alias")

That works perfectly.
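Added example, not part of the original question or answer: placeholders bind values only, so the column name has to go into the SQL text, and once it does it should be checked against the table's real columns while the alias stays a bound parameter. The sketch assumes the standard-library sqlite3 driver; the schema, the rows, the column names `conquest` and `rush`, and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for map_config."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE map_config (map_alias TEXT PRIMARY KEY, conquest TEXT, rush TEXT)"
    )
    conn.execute("INSERT INTO map_config VALUES ('metro', 'MP_Subway_CQ', 'MP_Subway_RUSH')")
    return conn


def bound_column(conn, column, alias):
    """The question's form: the placeholder is bound as a string value, so the
    query returns the text of the column name rather than the cell."""
    row = conn.execute(
        "SELECT :map_scenario FROM map_config WHERE map_alias = :sqlmap_alias",
        {"map_scenario": column, "sqlmap_alias": alias},
    ).fetchone()
    return row[0] if row else None


def table_columns(conn):
    """Column names as the database reports them (index 1 of each row is the name)."""
    return {row[1] for row in conn.execute("PRAGMA table_info(map_config)")}


def select_dynamic_column(conn, column, alias):
    """Allowlist the identifier, quote it, and keep the alias as a bound parameter."""
    if column not in table_columns(conn):
        raise ValueError(f"unknown column: {column!r}")
    quoted = '"' + column.replace('"', '""') + '"'
    row = conn.execute(
        f"SELECT {quoted} FROM map_config WHERE map_alias = :sqlmap_alias",
        {"sqlmap_alias": alias},
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print(bound_column(conn, "conquest", "metro"))
    print(select_dynamic_column(conn, "conquest", "metro"))
```
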
