Avoid SQL injection using st.connection to execute a query

I am connecting to my Snowflake database with:

conn = st.connection()

Then I am running conn.cursor().execute("select * from %s", ("table",)) to parameterize my query as Snowflake recommends here: Using the Python Connector | Snowflake Documentation

I’ve tried this with %s, ?, %(table)s and nothing works. Does the Streamlit connection support this?

No, you need to pass at least a name argument to st.connection.

I did. Like I said, it’s not working for me.

What does it do instead of working?

When I do

cursor.execute("SELECT * FROM %s;", ("my_table",)) I see:

E. snowflake.connector.errors.ProgrammingError: 001003 (42000): SQL compilation error:
E syntax error line 1 at position 14 unexpected '%'.

cursor.execute("SELECT * FROM my_table;") does work though.

I didn’t realize you were trying to bind the table name. I don’t think you can do that. I am certain it cannot be done with SQLite.
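The distinction in the last reply, as an added example that is not code from this thread: a bind placeholder can carry a value but not a table name, so a dynamic table name has to be checked against an allowlist before it is placed in the SQL text. It uses Python's built-in sqlite3 so it runs offline; the schema, the data and the helper names (`safe_table`, `rows_by_status`) are constructed for illustration.

```python
import re
import sqlite3

# Constructed allowlist and schema, for illustration only.
ALLOWED_TABLES = {"orders", "customers"}
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER, status TEXT);
        INSERT INTO orders VALUES (1, 'open'), (2, 'closed'), (3, 'open');
        CREATE TABLE customers (id INTEGER, name TEXT);
        INSERT INTO customers VALUES (1, 'alice');
        """
    )
    return conn


def bind_table_name(conn, table):
    """Try to bind the table name itself; placeholders only stand for values."""
    try:
        conn.execute("SELECT * FROM ?", (table,))
    except sqlite3.OperationalError as exc:
        return f"rejected: {exc}"
    return "accepted"


def safe_table(table):
    """Return a quoted identifier only if the name is on the allowlist."""
    if table not in ALLOWED_TABLES or not _IDENT_RE.fullmatch(table):
        raise ValueError(f"table not allowed: {table!r}")
    return f'"{table}"'


def rows_by_status(conn, table, status):
    """Identifier comes from the allowlist; the value goes through binding."""
    sql = f"SELECT id FROM {safe_table(table)} WHERE status = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (status,))]


if __name__ == "__main__":
    db = make_db()
    print(bind_table_name(db, "orders"))
    print(rows_by_status(db, "orders", "open"))
```

Snowflake also documents an IDENTIFIER() function that accepts a bind variable for object names; it is not exercised here.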