If filename is `“:memory:”` then the database will be created in our RAM, not disk.

Each `commit` is also a history of the database. That means, if one change happened with error, then we can roll back to the last version of our commit.



In [6]:
import sqlite3

conn = sqlite3.connect("database.db")  # :memory: will store in RAM (temporary)
print(type(conn)) # Connection object

cursor = conn.cursor()
print(type(cursor)) # Cursor object (for sql code), manipulate the database

cursor.execute("""
    create table people (id integer primary key,
    name text,
    count interger)"""
)

cursor.execute("""
    insert into people (name, count) values (:username, :usercount)""", {"username":"Benny", "usercount":15}
)

conn.commit()
conn.close()



<class 'sqlite3.Connection'>
<class 'sqlite3.Cursor'>


A cursor in SQLite3 is an object which helps to execute the query and fetch the records from the database. After we invoke the function `cursor.execute()`, we can save the cursor object in a variable result, and then do:

`result.fetchall()` returns a list of tuples; each row of data in the database in stored in one tuple.

`result.fetchmany(n)` returns a list of the first nth tuples.

`result.fetchone()` returns a tuple of the first match for the SQL statement.


In [2]:
import sqlite3

conn = sqlite3.connect("database.db")
cursor = conn.cursor()

# result = cursor.execute("""
#     select * from people
# """)

# print(type(result)) # Cursor object

# print(result.fetchall())
# print(result.fetchmany(2))
# print(result.fetchone())

cursor.execute("""
    update people set count = :usercount where name = :username""", 
    {"usercount":60, "username":"Benny"}
)


result = cursor.execute("""
    select * from people
""")

print(result.fetchall())

conn.commit()
conn.close()

[(1, 'Benny', 60)]


# SQL Injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g., to dump the database contents to the attacker).

One of the most effective ways to prevent SQL injection is to use `parameterized queries`. We use parameters to give value when connecting and accessing the database rows.

The mechanism behind the parameterized query is that the `database management system doesn’t take the content of the parameters as parts of the SQL statement`; instead, it will `understand the SQL statement first, put the parameter in, and execute the statement.` Therefore, even though the parameter contains attacking commands, it won’t affect the query because the database already knows what the query will do.


In [None]:
# Prevent the input like:  '1 OR '1' = '1
 
conn = sqlite3.connect()
cursor = conn.cursor()

name = input("Type the name")
result = cursor.execute("""
    select * from people where name = :name """,
    {"name":name}
)

print(result.fetchall())

conn.close()
