I have my own personal database I made for fun (so not that concerned with sql injections as its my own private database I made) and am trying to change the functions I created that use string formatting (.format()) and placeholders (?, %s, etc) and use f strings instead. I ran into a problem where one of my functions that updates a specified column into a specified row won't run now that I changed the sqlite3 query to f strings.
This is my current function using f strings:
import sqlite3
from tabulate import tabulate
conn = sqlite3.connect("Table.db")
c = conn.cursor()
def updatedb(Column, Info, IdNum):
with conn:
data = c.execute(f"UPDATE Table_name SET {Column} = {Info} WHERE IdNum={IdNum}")
c.execute(f"SELECT * FROM Table_name WHERE IdNum = {IdNum}")
print(tabulate(data, headers="keys", tablefmt="grid", stralign='center', numalign='center'))
The function updates the table by updating a specified column of a specified row with the new info you want in that column. For example in a 3 x 3 table, instead of row 1, column 2 being 17, I can use the function to update row 1, column 2 to 18 if that column is an age or something. The select query after that is to just select that particular row that was updated and the print statement after that uses the tabulate package to print out a neat and organized table.
The error I get whenever I try to use this function is:
sqlite3.OperationalError: no such column: Info
Whatever I type in for the Info variable in the function is what the error becomes but I can't figure out how to fix the problem.
This is the update statement I had before attempting to change to f strings and it worked fine for me:
data = c.execute("UPDATE Table_name SET {} = ? WHERE IdNum=?".format(Column), (Info, IdNum))
It didn't seem like to would be that big of a change to change the above query to a f string but it isn't working so any feedback would be appreciated.
To use formatted string literals, begin a string with f or F before the opening quotation mark or triple quotation mark in a print() statement. Inside this string, you can write a Python expression between { } characters that can refer to variables or literal values.
Syntax: UPDATE table_name SET column1 = value1, column2 = value2,… WHERE condition; In the above syntax, the SET statement is used to set new values to the particular column, and the WHERE clause is used to select the rows for which the columns are needed to be updated.
As of Python 3.6, f-strings are a great new way to format strings. Not only are they more readable, more concise, and less prone to error than other ways of formatting, but they are also faster! By the end of this article, you will learn how and why to start using f-strings today.
The problem here is understanding parameterization - it works only for parameters, not for column names and other stuff.
in this example:
query = 'SELECT * FROM foo WHERE bar = ? AND baz = ?'
params = (a, b)
cursor.execute(query, params)
Note that the query and the data are passed separately to .execute
- it is the database's job to do the interpolation - that frees you from quote hell, and makes your program safer by disabling any kind of sql injection. It also could perform better - it allows the database to cache the compiled query and use it when you change parameters.
Now that only works for data. If you want to have the actual column name in a variable, you have to interpolate it yourself in the query:
col1 = 'bar'
col2 = 'baz'
query = f'SELECT * FROM foo WHERE {col1} = ? AND {col2} = ?'
cursor.execute(query, params)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With