Django raw sql format tablename

Question

I am trying to interpolate the tablename into a raw sql but it's interpolating a badly formatted string so the SQL query fails. I can't find a proper way of interpolating the string into the SQL query properyly:

from django.db import connection
cursor = connection.cursor()
cursor.execute("SELECT * from %s;", ['product'])

Throws:

django.db.utils.ProgrammingError: syntax error at or near "'product'"
LINE 1: SELECT * from 'product';

mechanical_meat · Accepted Answer · 2016-08-10T19:02:45.210

6

You can't pass table nor column names as parameter arguments. Instead do something like:

qry = "SELECT * from %s;" % 'product'
cursor.execute(qry)

While being mindful of the possibility of SQL-injection attack.

edited Aug 10 '16 at 19:02

answered Aug 10 '16 at 18:59

mechanical_meat

163,903
24
228
223

1

Ah great, and just for the record the query was `select %s from %s`. So it needs to be interpolated in 2 stages: `qry % ('%s', 'product')` – PepperoniPizza Aug 10 '16 at 19:02
Ah ok. Yeah I figure you didn't want `select *` – mechanical_meat Aug 10 '16 at 19:03
Why not just [quote](https://stackoverflow.com/a/42947632/52499) the table name in place of being mindful? – x-yuri Jan 04 '19 at 23:35
@PepperoniPizza How would I do this if I want a query like this: "SELECT * from %s WHERE group_id = %s;",[assembly_id, group_id]? – Agent Lu Jun 27 '19 at 21:21

Django raw sql format tablename

1 Answers1