Executing raw SQL against SQLite with Django results in `DatabaseError: near “?”: syntax error`

既然无缘 2021-01-22 05:31

For example, when I use cursor.execute() as documented:

>>> from django.db import connection
>>> cur = connection.cursor()
>>         


        
2 Answers
  • 2021-01-22 05:41

    You can't substitute metadata in parameterized queries.

  • 2021-01-22 05:46

    You cannot use parameters in SQL statements in place of identifiers (column or table names). You can only use them in place of single values.

    Instead, you must use dynamic SQL to construct the entire SQL string and send that, unparameterized, to the database (being extra careful to avoid injection if the table name originates outside your code).

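An added example, not part of either answer above, of the pattern the second answer describes: the table name is checked against an allowlist and quoted before it is placed in the SQL string, while the value stays a bound parameter. It uses Python's standard `sqlite3` module instead of Django's `connection` so that it runs stand-alone; the table names, `ALLOWED_TABLES`, `quote_identifier` and `rows_by_id` are hypothetical names constructed for the illustration.

```python
import re
import sqlite3

# Constructed allowlist: the only tables a caller may name (assumption).
ALLOWED_TABLES = {"auth_user", "blog_post"}
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def quote_identifier(name, allowed):
    """Return a double-quoted SQLite identifier, or raise ValueError."""
    if not isinstance(name, str) or not _IDENT_RE.match(name):
        raise ValueError(f"malformed identifier: {name!r}")
    if name not in allowed:
        raise ValueError(f"identifier not in allowlist: {name!r}")
    # Doubling embedded quotes is the SQL escaping rule; kept as defence in depth.
    return '"' + name.replace('"', '""') + '"'


def rows_by_id(conn, table, row_id):
    """The identifier goes through the allowlist; the value is bound with ?."""
    ident = quote_identifier(table, ALLOWED_TABLES)
    sql = f"SELECT id, name FROM {ident} WHERE id = ?"
    return conn.execute(sql, (row_id,)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    results = {}
    # The failure from the question: a placeholder where an identifier belongs.
    try:
        conn.execute("SELECT id FROM ? WHERE id = ?", ("auth_user", 1))
    except sqlite3.OperationalError as exc:
        results["placeholder_error"] = str(exc)
    results["ok"] = rows_by_id(conn, "auth_user", 1)
    # A value containing SQL text is bound as data and matches no row.
    results["odd_value"] = rows_by_id(conn, "auth_user", "1 OR 1=1")
    # Table names from outside the code are rejected before any SQL is built.
    for bad in ("auth_user; DROP TABLE auth_user", "sqlite_master"):
        try:
            rows_by_id(conn, bad, 1)
        except ValueError as exc:
            results[bad] = str(exc)
    count = conn.execute("SELECT COUNT(*) FROM auth_user").fetchone()[0]
    results["still_there"] = count
    return results
```

With Django's cursor the value placeholder is `%s` rather than `?`; the identifier handling is the same.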