Closed
Description
I'm trying to dynamically set the table name on my queries. To avoid SQL Injection I'm using the option cursor.execute(query, params).
When I try to set the table name I get the error:
[PARSE_SYNTAX_ERROR] Syntax error at or near ''my_table_name''(line 1, pos 14)
== SQL ==
SELECT * FROM 'my_table_name'
--------------^^^
To reproduce:
from databricks import sql  # databricks-sql-connector

# self.hostname, self.path and self.token hold the workspace connection details.
with sql.connect(server_hostname=self.hostname, http_path=self.path, access_token=self.token) as connection:
    with connection.cursor() as cursor:
        # The bound parameter is rendered as a quoted string literal, not as an identifier.
        cursor.execute("SELECT * FROM %(table_name)s", {"table_name": "my_table_name"})
        result = cursor.fetchall()
        for row in result:
            print(row)
It seems the table name can't have quotes. Only way I can do this is with:
cursor.execute("SELECT * FROM {}".format("my_table_name"))
Or other unsafe string substitution.
Am I doing something wrong?
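One way to handle a dynamic table name without falling back to unchecked string formatting, added here as an example and not taken from the issue or from the connector itself: check the name against an allow-list and a plain-identifier pattern, quote it with backticks (the identifier quote in Spark/Databricks SQL), and keep the real values in the bound parameters. The `ALLOWED_TABLES` set, the `id` column and the `run_select` helper are assumptions made for this example.

```python
import re
from typing import Any, Dict, Tuple

# Tables the application is allowed to query. Constructed for this example;
# in practice this comes from the application's own configuration, never from user input.
ALLOWED_TABLES = {"my_table_name", "events", "audit_log"}

# Unquoted Spark SQL identifier: letters, digits and underscores, not starting with a digit.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_identifier(name: str) -> str:
    """Return `name` as a backtick-quoted identifier, or raise if it is not allowed.

    Parameter binding only covers values: the connector renders a bound string as a
    quoted literal, which is why 'my_table_name' fails where a table name is expected.
    Identifiers therefore have to be validated by the caller and spliced in as text.
    """
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table not in allow-list: {name!r}")
    if not _IDENTIFIER_RE.match(name):
        # Second line of defence in case the allow-list itself is misconfigured.
        raise ValueError(f"not a plain SQL identifier: {name!r}")
    # The pattern above guarantees the name contains no backtick, so no escaping is needed.
    return f"`{name}`"


def build_select(table: str, min_id: int) -> Tuple[str, Dict[str, Any]]:
    """Build the query: identifier checked and quoted, value left to parameter binding."""
    query = f"SELECT * FROM {safe_identifier(table)} WHERE id >= %(min_id)s"
    return query, {"min_id": min_id}


def run_select(cursor, table: str, min_id: int):
    """Run build_select() on any DB-API style cursor (such as the connector's) and return rows."""
    query, params = build_select(table, min_id)
    cursor.execute(query, params)  # same call shape as in the report above
    return cursor.fetchall()
```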