pysqlite: Placeholder substitution for column or table names?

You simply can not use placeholders for column or table names. I don't have a authoritative citation for this -- I "know" this only from having tried it and from failing. It makes some sense though:

• If the columns and table could be parametrized, there would be littlepurpose to preparing (execute-ing) the SQL statement before fetching, since all parts of the statement could bereplaced.
• I'm not sure about pysqlite¹, but MySQLdb automatically quotes allstring parameters. Column and table names should not be quoted. So itwould complicate the parsing required by the driver if it had todecide if a placeholder represented a column or table name versus avalue that needs quoting.

In short, you've found the right way -- use string formating.

c.execute('SELECT {} FROM {} WHERE id=?'.format(column, table), row))

¹ Not all drivers quote parameters -- oursql doesn't, since it sends SQL and arguments to the server separately.

As @unutbu answered, there is no way to use placeholders for table/column names. My suggestion to do what you are doing now, but to also quote the table names to protect yourself from a table or column that might have an odd name.

What does the SQL Standard say about usage of backtick(`)? already explains this to some extent, and in spite of the opinion in that answer, I would say that in your case, quoting is a good idea.