Question: Is it possible to use a variable as your table name w/o having to use string constructors to do so?
```python
# what I have now: plain string concatenation
cursor.execute("CREATE TABLE StarFrame" + self.name + " (etc etc)")

# what I tried instead, using the placeholder:
cursor.execute("CREATE TABLE StarFrame(?) (etc etc)", self.name)
cursor.execute("CREATE TABLE (?) (etc etc)", self.name)
```
Unfortunately, tables can't be the target of parameter substitution (I didn't find any definitive source, but I have seen it on a few web forums).
If you are worried about injection (you probably should be), you can write a function that cleans the string before passing it. Since you are looking for just a table name, you should be safe just accepting alphanumerics, stripping out all punctuation, such as `)(][;,` and whitespace. Basically, just keep `A-Z a-z 0-9`:
```python
def scrub(table_name):
    # keep only letters and digits; drop punctuation and whitespace
    return ''.join(ch for ch in table_name if ch.isalnum())

scrub('); drop tables --')  # returns 'droptables'
```
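The following is an added example (editor's code, not part of the question or the answer above) that runs the three cases on an in-memory sqlite3 database: a `?` placeholder in the table-name position is rejected by the parser, the concatenation from the question lets a constructed payload drop another table, and a hardened version validates and double-quotes the name before splicing it in. It keeps the answer's `scrub` beside a stricter validator that rejects bad input instead of rewriting it, because `scrub('); drop tables --')` returning `'droptables'` means the application would go on and create a table by that mangled name. The `[A-Za-z_][A-Za-z0-9_]{0,63}` pattern, the 64-character limit and the `StarFrame` prefix are this example's own assumptions.

```python
import re
import sqlite3


def scrub(table_name):
    """The answer's sanitiser: keep only A-Z a-z 0-9, drop everything else."""
    return "".join(ch for ch in table_name if ch.isalnum())


# Stricter alternative (assumption of this example, not a database rule):
# a bare identifier is a letter or underscore followed by letters, digits
# or underscores, at most 64 chars. Anything else is rejected, not rewritten.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def validate_identifier(name):
    """Return name unchanged if it is a safe bare identifier, else raise."""
    if not isinstance(name, str) or not _IDENT.match(name):
        raise ValueError("unsafe SQL identifier: %r" % (name,))
    return name


def quote_identifier(name):
    """Validate, then double-quote (the SQL-standard identifier quoting)."""
    return '"%s"' % validate_identifier(name)


def parameter_as_table_name_fails(conn):
    """Show that a ? placeholder cannot stand in for a table name."""
    try:
        conn.execute("CREATE TABLE ? (id INTEGER)", ("StarFrameA",))
    except sqlite3.OperationalError:
        return True  # sqlite3 reports a syntax error at the '?'
    return False


def create_unsafe(conn, name):
    """The concatenation from the question, run with executescript so that a
    stacked statement is honoured (sqlite3's execute() refuses more than one
    statement per call; several other DB drivers do not)."""
    conn.executescript("CREATE TABLE StarFrame" + name + " (id INTEGER)")


def create_safe(conn, name):
    """Hardened form: validate and quote the whole table name, then splice."""
    table = quote_identifier("StarFrame" + name)
    conn.execute("CREATE TABLE %s (id INTEGER)" % table)
    return table


def table_names(conn):
    """List the user tables currently in the database, sorted by name."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def demo():
    """Run the three cases on an in-memory database and return the outcome."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE victim (id INTEGER)")
    conn.commit()

    # Constructed attacker input: closes the column list, drops a table,
    # comments out the rest of the original statement.
    payload = "Evil (id INTEGER); DROP TABLE victim; --"

    create_unsafe(conn, payload)
    after_unsafe = table_names(conn)  # 'victim' is gone

    create_safe(conn, "B")  # legitimate name goes through
    try:
        create_safe(conn, payload)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    return {
        "placeholder_fails": parameter_as_table_name_fails(conn),
        "victim_survived_unsafe": "victim" in after_unsafe,
        "scrubbed_payload": scrub("); drop tables --"),
        "safe_rejected": safe_rejected,
        "tables": table_names(conn),
    }


if __name__ == "__main__":
    print(demo())
```

Quoting the identifier is what lets the validated name be spliced into the statement safely; the validation is what keeps the quotes (and everything else) out of the name in the first place. Rejecting rather than stripping also means a typo in a configured table name shows up as an error instead of a table with an unexpected name.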