I have my own personal database I made for fun (so not that concerned with sql injections as its my own private database I made) and am trying to change the functions I created that use string formatting (.format()) and placeholders (?, %s, etc) and use f strings instead. I ran into a problem where one of my functions that updates a specified column into a specified row won't run now that I changed the sqlite3 query to f strings.
This is my current function using f strings:
import sqlite3
from tabulate import tabulate
conn = sqlite3.connect("Table.db")
c = conn.cursor()
def updatedb(Column, Info, IdNum):
with conn:
data = c.execute(f"UPDATE Table_name SET {Column} = {Info} WHERE IdNum={IdNum}")
c.execute(f"SELECT * FROM Table_name WHERE IdNum = {IdNum}")
print(tabulate(data, headers="keys", tablefmt="grid", stralign='center', numalign='center'))
The function updates the table by updating a specified column of a specified row with the new info you want in that column. For example in a 3 x 3 table, instead of row 1, column 2 being 17, I can use the function to update row 1, column 2 to 18 if that column is an age or something. The select query after that is to just select that particular row that was updated and the print statement after that uses the tabulate package to print out a neat and organized table.
The error I get whenever I try to use this function is:
sqlite3.OperationalError: no such column: Info
Whatever I type in for the Info variable in the function is what the error becomes but I can't figure out how to fix the problem.
This is the update statement I had before attempting to change to f strings and it worked fine for me:
data = c.execute("UPDATE Table_name SET {} = ? WHERE IdNum=?".format(Column), (Info, IdNum))
It didn't seem like to would be that big of a change to change the above query to a f string but it isn't working so any feedback would be appreciated.
The problem here is understanding parameterization - it works only for parameters, not for column names and other stuff.
in this example:
query = 'SELECT * FROM foo WHERE bar = ? AND baz = ?'
params = (a, b)
cursor.execute(query, params)
Note that the query and the data are passed separately to .execute - it is the database's job to do the interpolation - that frees you from quote hell, and makes your program safer by disabling any kind of sql injection. It also could perform better - it allows the database to cache the compiled query and use it when you change parameters.
Now that only works for data. If you want to have the actual column name in a variable, you have to interpolate it yourself in the query:
col1 = 'bar'
col2 = 'baz'
query = f'SELECT * FROM foo WHERE {col1} = ? AND {col2} = ?'
cursor.execute(query, params)