Escaping dynamic sqlite query?

Question

I'm currently building SQL queries depending on input from the user. An example how this is done can be seen here:

def generate_conditions(table_name,nameValues):
    sql = u""
    for field in nameValues:
        sql += u" AND {0}.{1}='{2}'".format(table_name,field,nameValues[field])
    return sql

search_query = u"SELECT * FROM Enheter e LEFT OUTER JOIN Handelser h ON e.Id == h.Enhet WHERE 1=1"

if "Enhet" in args:
    search_query += generate_conditions("e",args["Enhet"])
c.execute(search_query)

Since the SQL changes every time I cannot insert the values in the execute call which means that I should escape the strings manually. However, when I search everyone points to execute...

I'm also not that satisfied with how I generate the query, so if someone has any idea for another way that would be great also!

Answer 1

You have two options:

1. Switch to using SQLAlchemy; it'll make generating dynamic SQL a lot more pythonic and ensures proper quoting.

2. Since you cannot use parameters for table and column names, you'll still have to use string formatting to include these in the query. Your values on the other hand, should always be using SQL parameters, if only so the database can prepare the statement.

   It's not advisable to just interpolate table and column names taken straight from user input, it's far too easy to inject arbitrary SQL statements that way. Verify the table and column names against a list of such names you accept instead.

   So, to build on your example, I'd go in this direction:

   tables = {
       'e': ('unit1', 'unit2', ...),   # tablename: tuple of column names
   }
   
   def generate_conditions(table_name, nameValues):
       if table_name not in tables:
           raise ValueError('No such table %r' % table_name)
       sql = u""
       params = []
       for field in nameValues:
           if field not in tables[table_name]:
               raise ValueError('No such column %r' % field)
           sql += u" AND {0}.{1}=?".format(table_name, field)
           params.append(nameValues[field])
       return sql, params
   
   search_query = u"SELECT * FROM Enheter e LEFT OUTER JOIN Handelser h ON e.Id == h.Enhet WHERE 1=1"
   
   search_params = []
   if "Enhet" in args:
       sql, params = generate_conditions("e",args["Enhet"])
       search_query += sql
       search_params.extend(params)
   c.execute(search_query, search_params)