Bandit vulnerability on 'Drop View <View_Name>'


I am not sure why Bandit is flagging the line below as 'Detected possible formatted SQL query. Use parameterized queries instead.':

    conn.execute(f"DROP VIEW {view_name};")

Is there a way to parameterize the view_name, or is concatenation the only way forward to remove the Bandit flag here?


In SQL, you can't parameterize identifiers, only values. A view name is an identifier. A quoted string constant or numeric constant is a value.

It's more common to use application variables as values in a formatted SQL statement, so it's not surprising that your Bandit detection tool suggests using parameters. But you can't do that in this case.

When making SQL statements with dynamic identifiers, the best you can do is to make sure your view_name variable is safe from SQL injection threats. That is, it contains no untrusted content. Either set it explicitly in your code, allowing no external content to be used, or else use some pattern-matching code to ensure it is a valid view name and nothing else.
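One way to apply the advice above in Python, as an added example that is not part of the original answer: the view name is checked against a fixed allowlist and a strict identifier pattern before it is ever interpolated, then double-quoted as an identifier. The `_IDENT_RE` rule, the `known_views` allowlist and the sqlite3 in-memory demo are assumptions for illustration; `# nosec` is Bandit's own marker for suppressing a reviewed finding.

```python
import re
import sqlite3

# Assumed identifier rule: a bare ASCII name, as SQLite and PostgreSQL accept
# unquoted. Anything else is rejected outright rather than escaped.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def is_valid_identifier(name: str) -> bool:
    """True only if `name` is a plain identifier with no SQL metacharacters."""
    return _IDENT_RE.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    """Validate `name` and return it as a double-quoted SQL identifier.

    Raises ValueError so a value like 'v1"; DROP TABLE t; --' never reaches
    the query string. Quoting also keeps a reserved-word name from breaking
    the statement.
    """
    if not is_valid_identifier(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return f'"{name}"'


def drop_view(conn: sqlite3.Connection, view_name: str, known_views: frozenset) -> None:
    """Drop a view whose name the application itself defined (allowlist)."""
    if view_name not in known_views:
        raise ValueError(f"unknown view: {view_name!r}")
    # The name is now trusted: allowlisted and syntactically a bare identifier,
    # so the finding Bandit raises on this f-string has been reviewed.
    conn.execute(f"DROP VIEW {quote_identifier(view_name)};")  # nosec


def view_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'view' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Constructed scenario: one legitimate drop, one rejected hostile name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER)")
    conn.execute("CREATE VIEW v_report AS SELECT x FROM t")
    known = frozenset({"v_report"})
    results = {}
    try:  # constructed hostile input: rejected before any SQL is built
        drop_view(conn, 'v_report"; DROP TABLE t; --', known)
        results["hostile_rejected"] = False
    except ValueError:
        results["hostile_rejected"] = True
    drop_view(conn, "v_report", known)
    results["dropped"] = not view_exists(conn, "v_report")
    return results
```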