# Parameter Substitution and Placeholders

**Instead of directly manipulating the SQL string statement to include new inserts or updates (e.g. `format()` method), you can use PLACEHOLDERS in the string (`?`) to refer to PARAMETERS (values) that come from outside. It is an added level of security for database administration.**

**Using the contacts database, substitute insert new values with placeholders in the SQL statement linking to parameters.**

In [1]:
import sqlite3

In [4]:
db = sqlite3.connect('contacts/contacts.sqlite')

new_contact = ('Tony', 5678901, 'tony@email.com')
new_role = (5, 'Tony', 'Window Designer')

insert_sql = "INSERT INTO contacts (name, phone, email) VALUES(?, ?, ?)"

insert_cursor = db.cursor()

insert_cursor.execute(insert_sql, (new_contact[0], new_contact[1], new_contact[2]))

insert_cursor.connection.commit()

In [5]:
for name, phone, email in db.execute("SELECT * FROM contacts"):
    print(f"{name}: {phone} | {email}")

Shely: 1234567 | update@update.com
Ryan: 2345678 | new@email.com
Betty: 3456789 | betty@email.com
Jacinta: 4567890 | jacinta@email.com
Tony: 5678901 | tony@email.com


In [6]:
insert_cursor.close()

In [7]:
# Check again to see that new contact has been saved

for name, phone, email in db.execute("SELECT * FROM contacts"):
    print(f"{name}: {phone} | {email}")

Shely: 1234567 | update@update.com
Ryan: 2345678 | new@email.com
Betty: 3456789 | betty@email.com
Jacinta: 4567890 | jacinta@email.com
Tony: 5678901 | tony@email.com


**The incoming new input could be coming directly from a user, e.g. `input()` function. Placeholders add another level of security as the database can be automatically updated without anyone else needing to oversee.**

In [11]:
contact_name = input("Please enter your name: ")
new_phone = input("Please enter your new phone number: ")

update_sql = "UPDATE contacts SET phone=? WHERE name=?"

update_cursor = db.cursor()

update_cursor.execute(update_sql, (new_phone, contact_name))

update_cursor.connection.commit()

update_cursor.close()

Please enter your name: Shely
Please enter your new phone number: 01234566


In [12]:
for name, phone, email in db.execute("SELECT * FROM contacts"):
    print(f"{name}: {phone} | {email}")

Shely: 1234566 | update@update.com
Ryan: 2345678 | new@email.com
Betty: 3456789 | betty@email.com
Jacinta: 4567890 | jacinta@email.com
Tony: 5678901 | tony@email.com


**You can allow the user to see their own record:**

In [18]:
person = input("What is your name? ")

person_sql = "SELECT * FROM contacts WHERE name LIKE ?"

for row in db.execute(person_sql, (person, )):
    print(row)

What is your name? Tony
('Tony', 5678901, 'tony@email.com')


**Note that because the parameters are added in a tuple, single values must have following comma in order to make the argument into a tuple.**

In [19]:
db.close()