I am using the ODBC Driver 17 for SQL Server and pyodbc. The following code does not work.
```python
cursor.execute("""DROP TABLE IF EXISTS ?""", "table_name")
```
What is the problem?
One possibility might be to use an anonymous code block that employs the QUOTENAME function to ensure that the string you pass is treated as a complete table name:
```python
import pyodbc  # crsr below is a cursor obtained from a pyodbc connection

# this table name could be problematic if QUOTENAME wasn't used
tbl_name = "]; TRUNCATE TABLE Customer; --"
# the '?' binds the name as a value; QUOTENAME turns it into a single
# bracket-quoted identifier before the dynamic statement is executed
sql = """\
SET NOCOUNT ON;
DECLARE @drop NVARCHAR(max);
SET @drop = 'DROP TABLE IF EXISTS ' + QUOTENAME(?);
EXEC sp_executesql @drop;
"""
crsr.execute(sql, tbl_name)
```
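The underlying point of the answer is that a `?` placeholder can only bind a value, never an identifier such as a table name, which is why the original `DROP TABLE IF EXISTS ?` cannot be prepared. The example below is added here and is not part of the answer or of pyodbc; it reproduces the behaviour of T-SQL `QUOTENAME` in Python so the quoting can be inspected without a database, builds the same `sp_executesql` batch the answer uses, and adds an allow-list check (the table names in `ALLOWED_TABLES` and the `drop_*` function names are assumptions for illustration).

```python
"""Added example (not from the original answer): client-side mirror of
T-SQL QUOTENAME plus the parameterised batch from the answer."""


def quotename(name: str) -> str:
    """Mirror of T-SQL QUOTENAME(@name) with the default '[' delimiter:
    wrap the name in brackets and double any ']' it contains, so the
    whole string becomes one identifier."""
    if len(name) > 128:
        # QUOTENAME returns NULL for input longer than 128 characters
        # (the sysname limit); treat that as an error rather than a drop
        raise ValueError("identifier longer than 128 characters")
    return "[" + name.replace("]", "]]") + "]"


def build_drop_statement(table_name: str) -> str:
    """Statement text with the identifier quoted client-side. Placeholders
    cannot stand in for identifiers, so the text itself must carry it."""
    return "DROP TABLE IF EXISTS " + quotename(table_name) + ";"


# The batch from the answer: the name travels as a bound value and is
# quoted server-side by QUOTENAME before sp_executesql runs it.
DROP_BATCH = """\
SET NOCOUNT ON;
DECLARE @drop NVARCHAR(max);
SET @drop = 'DROP TABLE IF EXISTS ' + QUOTENAME(?);
EXEC sp_executesql @drop;
"""


def drop_table_call(table_name: str):
    """Return (sql, params) ready for cursor.execute(sql, *params)."""
    return DROP_BATCH, (table_name,)


# Stricter alternative when the set of droppable tables is known up front:
# refuse anything that is not on the allow-list (constructed sample names).
ALLOWED_TABLES = frozenset({"staging_orders", "tmp_import"})


def drop_allowed_table(table_name: str) -> str:
    if table_name not in ALLOWED_TABLES:
        raise ValueError(f"refusing to drop unknown table {table_name!r}")
    return build_drop_statement(table_name)


if __name__ == "__main__":
    # the sample name from the answer, shown as a single quoted identifier
    hostile = "]; TRUNCATE TABLE Customer; --"
    print(build_drop_statement(hostile))
    sql, params = drop_table_call("tmp_import")
    print(sql, params)
```

With `quotename`, the answer's sample name becomes the single identifier `[]]; TRUNCATE TABLE Customer; --]`, so the statement can only ever refer to one (oddly named) table; the allow-list variant is the stricter choice when the application does not need to drop arbitrary tables at all.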