August 2018
Intermediate to advanced
366 pages
10h 14m
English
sqlite3.connect is used to open a database file; the returned connection object can then be used to perform any query against it, whether an insertion or a selection.
The .execute method of a cursor is then used to run any SQL against the opened database. The SQL to run is provided as a plain string.
When performing queries, it is usually a bad idea to embed values directly in the SQL text, especially when those values were provided by the user.
Imagine we write the following:
cursor.execute('SELECT * FROM people WHERE language != "%s"' % ('Italian',))
What would have happened if, instead of Italian, the user had provided the string 'Italian" OR 1=1 OR "'? Instead of filtering the results, the user would have gained access to the full content of the table. It's easy ...
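The following is an added example, not code from the book: it builds a small in-memory sqlite3 database with constructed rows and runs the same lookup twice, once with the value spliced into the SQL string via % formatting (the pattern criticised above) and once with the value bound as a query parameter. It uses the standard single-quoted SQL literal and an equality filter rather than the != used above, so that the bypass is visible in the returned rows (with != a nonsense value legitimately matches every row, so the two variants would return the same count). The table and function names are assumptions for the example.

```python
import sqlite3

# Constructed sample rows (not from the book) for an in-memory database.
PEOPLE = [
    ("Mario", "Italian"),
    ("Luigi", "Italian"),
    ("Ada", "English"),
    ("Alan", "English"),
]


def make_db():
    """Open an in-memory SQLite database and populate a 'people' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, language TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", PEOPLE)
    conn.commit()
    return conn


def speakers_unsafe(conn, language):
    """Vulnerable: the value is spliced into the SQL text with % formatting,
    so a quote inside `language` closes the literal and the remainder of the
    input is parsed as SQL, changing the meaning of the WHERE clause."""
    sql = "SELECT name FROM people WHERE language = '%s'" % (language,)
    return [row[0] for row in conn.execute(sql)]


def speakers_safe(conn, language):
    """Hardened: the value is bound as a query parameter. SQLite treats it as
    data, so the same input is simply compared against the column and can
    never alter the statement."""
    sql = "SELECT name FROM people WHERE language = ?"
    return [row[0] for row in conn.execute(sql, (language,))]


def demo():
    """Run both variants with a normal value and with an injection string."""
    conn = make_db()
    payload = "Italian' OR 1=1 OR '"  # constructed injection input
    return {
        "unsafe_normal": speakers_unsafe(conn, "Italian"),
        "safe_normal": speakers_safe(conn, "Italian"),
        "unsafe_payload": speakers_unsafe(conn, payload),  # filter bypassed
        "safe_payload": speakers_safe(conn, payload),      # nothing matches
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the normal value both variants return the two Italian speakers. With the injection string the formatted query becomes `... WHERE language = 'Italian' OR 1=1 OR ''`, which is true for every row, while the parameterised query compares the whole input literally and returns nothing. In code review, a `%`, `.format` or f-string building a statement that is then passed to `.execute` is the signature to look for; the fix is to pass the values as the second argument.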