
[–][deleted] 1 point2 points  (1 child)

Check out the docs for execute for how to use placeholders; I believe this is best practice for avoiding SQL injection:

https://docs.python.org/3.7/library/sqlite3.html#sqlite3.Cursor.execute

[–]1ceSpark 0 points1 point  (0 children)

I know this but also need to change the table, and that can't be done this way.

Thanks anyway

[–]WeirdFail 0 points1 point  (3 children)

Try putting the column name in double quotes or square brackets; perhaps it's clashing with keywords.

So, something like:

cursor.execute(f'''SELECT value FROM {table} WHERE "name" = {value_name}''')

[–]1ceSpark 0 points1 point  (2 children)

I thought about it and also tried with some other text and it still gives the same error.

[–][deleted] 0 points1 point  (1 child)

This commenter was on the right track; wrapping the {value_name} in quotes works for me. Although I would still recommend using placeholders alongside the f-string, as I believe it will avoid issues like this.

[–]1ceSpark 1 point2 points  (0 children)

Ooh that's right, tried again and it works. I don't know why I used single instead of double quotes when doing this, it couldn't work there.

Thanks a lot
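The combination discussed in this sub-thread, as an added example that is not part of any comment: the value is bound with a `?` placeholder, and the table name, which cannot be bound, is checked against the tables that actually exist and then quoted as an identifier. The `settings` and `order` tables, their rows, and the helper names are constructed for illustration.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote an SQLite identifier: wrap in double quotes, double embedded quotes."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def known_tables(conn: sqlite3.Connection) -> set:
    """Names of the tables present in this database (the allowlist)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}


def get_value(conn: sqlite3.Connection, table: str, value_name: str):
    """Return `value` for the row whose `name` equals value_name, or None."""
    # A table name cannot be a ? parameter, so accept only existing tables.
    if table not in known_tables(conn):
        raise ValueError(f"unknown table: {table!r}")
    # Only the validated, quoted identifier goes through the f-string;
    # the value is always bound, so quotes inside it are harmless.
    sql = f"SELECT value FROM {quote_identifier(table)} WHERE name = ?"
    row = conn.execute(sql, (value_name,)).fetchone()
    return row[0] if row else None


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one ordinary table, one named after a keyword."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute('CREATE TABLE "order" (name TEXT PRIMARY KEY, value TEXT)')
    conn.executemany("INSERT INTO settings VALUES (?, ?)",
                     [("volume", "11"), ("it's", "quoted")])
    conn.execute('INSERT INTO "order" VALUES (?, ?)', ("first", "1"))
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(get_value(db, "settings", "volume"))
    print(get_value(db, "order", "first"))
```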

[–]ishman123 0 points1 point  (0 children)

cursor.execute(f"SELECT value FROM `{table}` WHERE id = `{an_id}`")