
So I have this SQL, which works:

    cursor.execute('select * from video_title_difference where title like %s '
                   'order by provider desc limit %s offset %s',
                   ('%' + search + '%', limit, offset))

BUT if I change the ORDER BY variable (what is now 'provider') to a variable, it doesn't work at all:

    cursor.execute('select * from video_title_difference where title like %s '
                   'order by %s limit %s offset %s',
                   ('%' + search + '%', order_by, limit, offset))

It 'works' but it doesn't order it at all. What am I doing wrong here?

David542

1 Answer

The problem is that you are trying to pass a table as a parameter.

Table names cannot be parameterized.

My approach is to hard-code the table name in the code. You need to understand that taking the table name from outside can result in security problems, especially if it comes from a user.

I'll add some posts regarding this issue:

post1, post2

Kobi K
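The point behind the answer, shown in working code. This is an added example, not code from the question or the answer: a driver binds a parameter as a value, so `order by %s` with `'provider'` sorts every row by the same string constant and nothing is ordered, while the SQL text itself (table and column names, sort direction) has to be fixed in the code or checked against an allow-list before it is spliced in. The example uses the standard-library `sqlite3` module with `?` placeholders so it runs offline (the post's driver uses `%s`); the `id` column, the allow-list contents and the four sample rows are constructed for the demonstration.

```python
import sqlite3

# Allow-list of identifiers a caller may sort by (assumed columns for this
# example). Column names, like table names, are part of the SQL text rather
# than values, so a driver cannot bind them with a placeholder; the only safe
# way to accept them from user input is to compare against a fixed set and
# then interpolate the value that passed the check.
ALLOWED_ORDER_BY = {"id", "title", "provider"}
ALLOWED_DIRECTION = {"asc", "desc"}


def build_query(order_by, direction="asc"):
    """Return the SQL text with a validated ORDER BY identifier spliced in.

    Anything not on the allow-list raises ValueError, so an attacker-chosen
    string such as "provider; drop table x" never reaches the database.
    The values (LIKE pattern, limit, offset) stay as '?' placeholders.
    """
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError("unsupported order_by column: %r" % (order_by,))
    if direction.lower() not in ALLOWED_DIRECTION:
        raise ValueError("unsupported sort direction: %r" % (direction,))
    template = (
        "select id, title, provider from video_title_difference "
        "where title like ? order by {col} {dir} limit ? offset ?"
    )
    return template.format(col=order_by, dir=direction.lower())


def search_titles(conn, search, order_by, direction, limit, offset):
    """Run the search with values bound as parameters; return titles in order."""
    sql = build_query(order_by, direction)
    cur = conn.execute(sql, ("%" + search + "%", limit, offset))
    return [row[1] for row in cur.fetchall()]


def search_titles_order_by_param(conn, search, order_by, limit, offset):
    """The question's approach: ORDER BY column bound as a parameter.

    The driver binds 'provider' as a string literal, so the database sorts
    by a constant and the rows come back effectively unordered.
    """
    cur = conn.execute(
        "select id, title, provider from video_title_difference "
        "where title like ? order by ? limit ? offset ?",
        ("%" + search + "%", order_by, limit, offset),
    )
    return [row[1] for row in cur.fetchall()]


def make_demo_db():
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table video_title_difference "
        "(id integer primary key, title text, provider text)"
    )
    rows = [
        ("Alpha Movie", "apple"),
        ("Beta Movie", "netflix"),
        ("Gamma Show", "hulu"),
        ("Delta Movie", "hulu"),
    ]
    conn.executemany(
        "insert into video_title_difference (title, provider) values (?, ?)",
        rows,
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    # Allow-listed identifier: sorted by provider, newest provider name first.
    print(search_titles(db, "Movie", "provider", "desc", 10, 0))
    # Identifier bound as a value: the ORDER BY is a no-op.
    print(search_titles_order_by_param(db, "Movie", "provider", 10, 0))
    try:
        build_query("provider; drop table video_title_difference")
    except ValueError as err:
        print("rejected:", err)
```

Two caveats worth keeping in mind when adapting this: compare the incoming identifier against the allow-list exactly (no `.lower()` or prefix matching before the check), and note that the `search` value is still bound safely but a user can put `%` or `_` into it and widen the LIKE pattern; if that matters, escape those characters and add an `ESCAPE` clause.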