Avoid SQL injection using st.connection to execute a query

Silvia_Orozco · March 13, 2024, 8:51pm

I am connecting to my snowflake data base with:

conn = st.connection()

Then I am running conn.cursor().execute(“select * from %s”, (“table”,)) to parameterize my query as snowflake recommends here: Using the Python Connector | Snowflake Documentation

I’ve tried this with %s, ?, %(table)s and nothing works. Does the streamlit connection support this?

Goyo · March 13, 2024, 9:21pm

No, you need to pass at least a name argument to st.connection.

Silvia_Orozco · March 13, 2024, 9:49pm

I did. Like I said, it’s not working for me.

Goyo · March 14, 2024, 7:56am

What does it do instead of working?

Silvia_Orozco · March 14, 2024, 6:45pm

When I do

cursor.execute(“SELECT * FROM %s;”, (“my_table”,)) I see:

E. snowflake.connector.errors.ProgrammingError: 001003 (42000): SQL compilation error:
E syntax error line 1 at position 14 unexpected ‘%’.

cursor.execute(“SELECT * FROM my_table;”) does work though

Goyo · March 14, 2024, 7:00pm

I didn’t realize you were trying to bind the table name. I don’t think you can do that. I am certain it cannot be done with SQLite.

system · September 10, 2024, 7:00pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue switching from snowpark connection to snowflake connection Streamlit and Snowflake debugging	4	769	December 28, 2024
How to execute a query in streamlit Using Streamlit	7	5890	March 26, 2024
Having trouble passing secrets to connection for Snowflake Using Streamlit snowflake	4	1601	May 19, 2024
Experimental_connection issue Streamlit and Snowflake	5	930	July 31, 2023
Unable to connect to snowpark Using Streamlit streamlit-cloud	2	1308	May 3, 2023