pyodbc execute SQL code

Question

I am trying to use pyodbc cursor execute the right way to prevent injection attacks, as suggested here: what does ? mean in python pyodbc module

My code is as follows:

query = """\
SELECT 
    ?,count(*)
FROM 
    ?
WHERE 
    ?=?
""", ('date', 'myTable', 'date', '2017-05-08')
cursor.execute(query)

And I get an error:

TypeError: The first argument to execute must be a string or unicode query.

For the right answer I'd want to:

1. Keep the question mark format to avoid SQL injection attacks
2. Keep the triple quotes format so I can write long SQL queries and not loose code readability.

Is there a way to achieve this? I know I could use """ %s """ %('table') format type but that defeats the purpose of this question.

Answer 1

You have 2 issues:

1. query is a tuple. The way to execute a parameterized query is as follows:

   query = """SELECT ?,count(*)
              FROM ?
              WHERE ?=? """
   args = ('date', 'myTable', 'date', '2017-05-08')
   cursor.execute(query, args)
   

   You could pass query with *. This would expand query to a string and a tuple which is what execute expects:

   cursor.execute(*query)  # 'query' here is defined as it is in your example
   

2. But, that won't work. You can not use parameterized query to use parameters in the select and from clauses. You can also not use parameters for the column name in the where clause.

You (usually) don't have to worry about SQL injection if the value isn't inputted by the user (or if the user can't change it in anyway).