<p><img src="images/1line.png" width=100%/></p>
<ul>
<li>Usually your SQL operations will need to use values from Python variables.</li>
<li>In the preceding&nbsp; examples we have been using <strong>parameterized</strong> queries instead of simply embedding the variables directly in the query string (using string concatenation or string formatting).</li>
<li>&nbsp;When we use parameterized queries, we use placeholders instead of directly writing the values into the statements.</li>
<li>Parameterized queries increase security and performance.</li>
<li>The Python<span>&nbsp;</span><code>sqlite3</code><span>&nbsp;</span>module supports two types of placeholders: question marks and named placeholders.</li>
</ul>
<h3>Parameterized statements with question marks</h3>
<ul>
<li>In the first example we use the syntax of question marks.</li>
</ul>
<pre class="code">import sqlite3

uId = 1
uPrice = 62300

conn = sqlite3.connect('test.sqlite')
cur = conn.cursor()<br /><br />cur.execute("UPDATE cars SET price=? WHERE id=?", (uPrice, uId))<br /><br />print("Number of rows updated:", cur.rowcount)<br />print(cur.execute('SELECT * FROM cars WHERE id=?', [uId]).fetchone())<br /><br />conn.commit()<br />conn.close()<br />
</pre>
<ul>
<li>We update a price of one car. In this code example, we use the question mark placeholders.</li>
</ul>
<pre class="explanation">cur.execute("UPDATE cars SET price=? WHERE id=?", (uPrice, uId))
</pre>
<ul>
<li>The question marks<span>&nbsp;</span><code>?</code><span>&nbsp;</span>are placeholders for values. The values are added to the placeholders.</li>
</ul>
<ul>
<li>The<span>&nbsp;</span><code>rowcount</code><span>&nbsp;</span>property returns the number of updated rows. In our case one row was updated.</li>
</ul>
<h3>Parameterized statements with named placeholders</h3>
<p>The second example uses parameterized statements with named placeholders.</p>
<div class="codehead">named_placeholders.py</div>
<pre class="code">import sqlite3

uId = 4

conn = sqlite3.connect('test.sqlite')

cur = conn.cursor()
cur.execute("SELECT name, price FROM cars WHERE Id=:Id", {"Id": uId})

row = cur.fetchone()
print(row[0], row[1])
</pre>
<ul>
<li>We select a name and a price of a car using named placeholders.</li>
</ul>
<pre class="explanation">cur.execute("SELECT name, price FROM cars WHERE Id=:Id", {"Id": uId})
</pre>
<ul>
<li>The named placeholders start with a colon character.</li>
</ul>
<h2 id="security-and-injection-attacks">Security and injection attacks</h2>
<ul>
<li>The reason you shouldn&rsquo;t assemble your query using Python&rsquo;s string operations because it is insecure; it makes your program vulnerable to an SQL injection attack.</li>
<li>For example, if our database would be part of a web application, it would allow hackers to directly communicate with the database in order to bypass login and password verification and steal data.</li>
<li>For example:</li>
</ul>
<div class="highlight-python3" style="position: relative;">
<div class="highlight">
<pre><span class="c1"># Never do this -- insecure!</span>
uId = 4
<span class="n">cur</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">"SELECT * FROM cars WHERE id = </span><span class="si">%s</span><span class="s2">"</span> <span class="o">%</span> uId<span class="p">)</span>

<span class="c1"># Do this instead</span>
uId = 4
<span class="n">cur</span><span class="o">.</span><span class="n">execute</span><span class="p">('SELECT * FROM cars WHERE id=?', [uId])</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">cur</span><span class="o">.</span><span class="n">fetchone</span><span class="p">())</span></pre>
</div>
</div>



<hr><h3>References</h3>
<p>Python and SQLite, ZetCode <a href="https://zetcode.com/python/sqlite/" target="_blank" rel="noopener">https://zetcode.com/python/sqlite/</a></p>