In [22]:
import sqlite3

Create DB

In [23]:
# database represented as a 'connection'
# new database is created if it does not exist on given name
con = sqlite3.connect("example.db")

Database interface is called 'cursor'

In [24]:
cur = con.cursor()

The cursor allows us to interact with the database using SQL

In [25]:
cur.execute("CREATE TABLE movie (title, year, score)")


<sqlite3.Cursor at 0x7fb531180260>

Add data:

In [26]:
cur.execute("""
    INSERT INTO movie VALUES
        ('Monty Python and the Holy Grail', 1975, 8.2),
        ('And Now for Something Completely Different', 1971, 7.5)
""")
con.commit() # changes must be committed

Query data:

In [27]:
res = cur.execute("SELECT * FROM movie")
res.fetchall()

[('Monty Python and the Holy Grail', 1975, 8.2),
 ('And Now for Something Completely Different', 1971, 7.5)]

You can also add multiple rows using a one-liner:

In [28]:
data = [
    ("Monty Python Live at the Hollywood Bowl", 1982, 7.9),
    ("Monty Python's The Meaning of Life", 1983, 7.5),
    ("Monty Python's Life of Brian", 1979, 8.0),
]
cur.executemany("INSERT INTO movie VALUES(?, ?, ?)", data)
con.commit()

Notice that ? placeholders are used to bind data to the query. Always use placeholders instead of string formatting to bind Python values to SQL statements, to avoid SQL injection attacks.

What is an SQL injection attack? Consider the following:

In [29]:
# let's imagine we ask a user for their information. Instead
# they give us the following data:
row = "('dmbfkl', 1,1);DROP TABLE movie"

cur.executescript(f"INSERT INTO movie VALUES {row}")

<sqlite3.Cursor at 0x7fb531180260>

The 'DROP TABLE' injection has destroyed the table

In [30]:
try:
    cur.execute("SELECT * FROM movie")
except Exception as e:
    print(e)


no such table: movie
