Databricks Community

JameDavi_51481 · Tuesday

I would like to use parametrized sql queries to run SET TAGs commands on tables, but cannot figure out how to parameterize the query to prevent SQL injection. Both the `?` and `:key` parameter syntaxes throw a syntax error

Basically, I'd like to do this, but without string formatting so I can protect against SQL injection. Is there a way to do this?

tags = ", ".join(list_of_tags)
spark.sql(
    f"ALTER TABLE IDENTIFIER(:table) SET TAGS {tags}",
    args={"table": table_name},
)

Note: the above isn't even valid syntax - once I add the IDENTIFIER clause, ANY FORM of SET TAGS following it will fail.

Advika · 12m ago

Hello @JameDavi_51481!

PySpark does not fully support parameterised queries for ALTER TABLE SET TAGS (a DDL Command). You can use IDENTIFIER(:table) to safely pass the table name, but for the tags, placeholders like ? or :key doesn’t seem to work. From what I understand, you’d need to manually format the tags before including them in the query. A safer way might be to validate them against a predefined list and then format them properly as a comma separated string. While it’s not fully parameterised, this should help mitigate SQL injection risks.

Databricks Community

parameterized ALTER TABLE SET TAGS

Photos

Connect with Databricks Users in Your Area

Share Your Thoughts on Databricks & Get Rewarded!

Get Started With Lakehouse Architecture | Pass a quiz to earn your certificate completion.

Databricks Community Champion - February 2025 - Stefan Koch

Virtual Learning Festival: 9 April - 30 April

Data + AI Summit 2025 — registration now open!