Yes, good point -- placeholders are for values, not table and field names. Anyway, you can just do the replacement in Python:
query = 'select * from %s' % tablename Of course, beware that this can be a security problem if you can't trust the source of "tablename". Anthony On Friday, November 20, 2015 at 3:08:43 AM UTC-5, Pierre wrote: > > placeholders seems to work as long as the argument to be passed to query > aren't a table_name > > Is the "style of code" in test() dangerous ? (sql intrusion) > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
