Search code examples
pythonsqlitesqlparameter

How to use SQL parameters


I'm trying to create a database for a simple game I'm making and having an issue with querying it for the players stats. So far the database can be searched and updated, but only by modifying the actual code can the search terms be changed.

The entire code so far (apologies for any indentation errors):

# Importing modules
import sqlite3

# Creating database
base_db = sqlite3.connect("D:\\FILEPATH\\base_db")

# Creating  cursor object
global cur
cur = base_db.cursor()

# Creating players table with username etc. attributes
cur.execute("""
            CREATE TABLE IF NOT EXISTS players
            (username, password, score)
            """)
base_db.commit()


# Inserts some example data
def populate_db():
    print("Populating database")
    example_data = [("John Smith", "Password", 10)]
    cur.executemany("""
                    INSERT INTO players
                    VALUES (?, ?, ?)""",
                    example_data)
    base_db.commit()


# Clears database
def clear_db():
    print("Clearing database")
    command = ("""
                DELETE FROM players
               """)
    cur.execute(command)
    base_db.commit()


# Function that (only) updates the database
def update_db(mode, name):
    if mode is "score":
        print("Updating scores")
        print("Finding", name)
        command = ("""
                    UPDATE players
                    SET score = '0'
                    WHERE username = 'John Smith'
                    """)
        cur.execute(command)
    base_db.commit()


# Function that (only) retrieves data from the database
def retrieve_db(mode, name):
    # Returns value of player's score
    if mode is "score":
        print("Retrieving scores")
        print("Finding", name)
        command = ("""
                    SELECT score FROM players
                    WHERE username = 'John Smith'
                    """)
        return cur.execute(command).fetchone()[0]

# Returns tuple of username and password
elif mode is "login":
    print("Retrieving login details")
    print("Finding", name)
    command = ("""
                SELECT username, password FROM players
                WHERE username = 'John Smith'
               """)
    return cur.execute(command).fetchone()[0:2]
base_db.commit()

# Testing results
populate_db()

print(retrieve_db("score", "John Smith"))  # Expected result is 10
print(retrieve_db("login", "John Smith"))  # Expected result is ('John Smith, 'Password')

clear_db()

And the section I'm trying to get a solution for:

# Function that (only) retrieves data from the database
def retrieve_db(mode, name):
    # Returns value of player's score
    if mode is "score":
        print("Retrieving scores")
        print("Finding", name)
        command = ("""
                    SELECT score FROM players
                    WHERE username = 'John Smith'
                    """)
        return cur.execute(command).fetchone()[0]

Instead of WHERE username = 'John Smith', I would like a solution for passing the name parameter into this command instead, so whatever the name parameter is becomes the term being searched for.

I found a similar example here (Searching SQLite Database with Python Variables) but I'm stuck on how to implement the (?), (variable) idea into this block of code.

What I've tried so far:

    command = ("""
                SELECT score FROM players
                WHERE username = VALUES (?)""", name)

    command = ("""
                SELECT score FROM players
                WHERE username VALUES (?)""", name)

Any help you could give is very much appreciated. Thanks in advance.

For future reference the final working version I got was:

    command = ("""
                SELECT score FROM players
                WHERE username = ?
                """)
    return cur.execute(command, name).fetchone()[0]

Where the name was supplied as ['John Smith'] when the function was called.


Solution

  • VALUES is a required part of the INSERT statement.

    A parameter marker (?) just replaces the value itself:

        command = ("""
                    SELECT score FROM players
                    WHERE username = ?
                    """)
        params = ['John Smith']
        return cur.execute(command, params).fetchone()[0]