Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Python Sqlite3 - Using f strings for update database function

I have my own personal database I made for fun (so not that concerned with sql injections as its my own private database I made) and am trying to change the functions I created that use string formatting (.format()) and placeholders (?, %s, etc) and use f strings instead. I ran into a problem where one of my functions that updates a specified column into a specified row won't run now that I changed the sqlite3 query to f strings.

This is my current function using f strings:

import sqlite3
from tabulate import tabulate
conn = sqlite3.connect("Table.db")
c = conn.cursor()

def updatedb(Column, Info, IdNum):  
    with conn:
        data = c.execute(f"UPDATE Table_name SET {Column} = {Info} WHERE IdNum={IdNum}")
        c.execute(f"SELECT * FROM Table_name WHERE IdNum = {IdNum}")
    print(tabulate(data, headers="keys", tablefmt="grid", stralign='center', numalign='center'))

The function updates the table by updating a specified column of a specified row with the new info you want in that column. For example in a 3 x 3 table, instead of row 1, column 2 being 17, I can use the function to update row 1, column 2 to 18 if that column is an age or something. The select query after that is to just select that particular row that was updated and the print statement after that uses the tabulate package to print out a neat and organized table.

The error I get whenever I try to use this function is:

sqlite3.OperationalError: no such column: Info

Whatever I type in for the Info variable in the function is what the error becomes but I can't figure out how to fix the problem.

This is the update statement I had before attempting to change to f strings and it worked fine for me:

data = c.execute("UPDATE Table_name SET {} = ? WHERE IdNum=?".format(Column), (Info, IdNum))

It didn't seem like to would be that big of a change to change the above query to a f string but it isn't working so any feedback would be appreciated.

like image 620
Cooper Avatar asked Jul 12 '18 19:07

Cooper


People also ask

How do you use F in a string Python?

To use formatted string literals, begin a string with f or F before the opening quotation mark or triple quotation mark in a print() statement. Inside this string, you can write a Python expression between { } characters that can refer to variables or literal values.

How do you update a column in SQLite Python?

Syntax: UPDATE table_name SET column1 = value1, column2 = value2,… WHERE condition; In the above syntax, the SET statement is used to set new values to the particular column, and the WHERE clause is used to select the rows for which the columns are needed to be updated.

Should I use F-strings in Python?

As of Python 3.6, f-strings are a great new way to format strings. Not only are they more readable, more concise, and less prone to error than other ways of formatting, but they are also faster! By the end of this article, you will learn how and why to start using f-strings today.


1 Answers

The problem here is understanding parameterization - it works only for parameters, not for column names and other stuff.

in this example:

 query = 'SELECT * FROM foo WHERE bar = ? AND baz = ?'
 params = (a, b)
 cursor.execute(query, params)

Note that the query and the data are passed separately to .execute - it is the database's job to do the interpolation - that frees you from quote hell, and makes your program safer by disabling any kind of sql injection. It also could perform better - it allows the database to cache the compiled query and use it when you change parameters.

Now that only works for data. If you want to have the actual column name in a variable, you have to interpolate it yourself in the query:

 col1 = 'bar'
 col2 = 'baz'
 query = f'SELECT * FROM foo WHERE {col1} = ? AND {col2} = ?'
 cursor.execute(query, params)
like image 50
nosklo Avatar answered Oct 14 '22 13:10

nosklo