在 python 中使用 psycopg2 在参数化查询中输入字符串作为参数时出现问题

Question

Now I am trying to read sth from the database with parameterized query. To avoid SQL injection, I wrote the code as follows:

param = 'Peter'
column_name = 'employee.name'
table_name = 'employee'
param_query = 'SELECT * FROM %s WHERE %s = %s'

# Return outcome
cur.execute(param_query, [table_name, column_name, param])
outcome = cur.fetchall()

print(outcome)

And I got the following error:

psycopg2.errors.SyntaxError: syntax error at or near "'employee'"
LINE 1: SELECT * FROM 'employee' WHERE 'employee.name' = 'Peter'

As a beginner in database programming, I want to ask:

1. How can I get rid of those quotations from the query? Or do I make any mistake here?
2. Is this a good practise in preventing SQL injections? Or is it a good practise in writing a parameterized query like this?

Thank you for your help in advance!

Answer 1

Problem solved with the followings:

param = 'Peter'.lower()
column_name = AsIs('employee.name')
table_name = AsIs('employee')
param_query = 'SELECT * FROM %s WHERE %s = %s'

# Return outcome
cur.execute(param_query, [table_name, column_name, param])
outcome = cur.fetchall()