Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 54ea127

Browse files
erlend-aaslanderlend-aasland
authored
[3.10] gh-95271: Extract placeholders howto from sqlite3 tutorial (GH-95522) (#95678)
Co-authored-by: CAM Gerlach <[email protected]> Co-authored-by: Ezio Melotti <[email protected]> (cherry picked from commit b24e8b2) Co-authored-by: Erlend Egeberg Aasland <[email protected]>
1 parent 4a204c1 commit 54ea127

File tree

1 file changed

+38
-26
lines changed

1 file changed

+38
-26
lines changed

Doc/library/sqlite3.rst

Lines changed: 38 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -94,6 +94,12 @@ using :meth:`~Cursor.executemany`::
9494
... ]
9595
>>> cur.executemany('INSERT INTO stocks VALUES(?, ?, ?, ?, ?)', data)
9696

97+
Notice that we used ``?`` placeholders to bind *data* to the query.
98+
Always use placeholders instead of :ref:`string formatting <tut-formatting>`
99+
to bind Python values to SQL statements,
100+
to avoid `SQL injection attacks`_.
101+
See the :ref:`placeholders how-to <sqlite3-placeholders>` for more details.
102+
97103
Then, retrieve the data by iterating over the result of a ``SELECT`` statement::
98104

99105
>>> for row in cur.execute('SELECT * FROM stocks ORDER BY price'):
@@ -104,33 +110,9 @@ Then, retrieve the data by iterating over the result of a ``SELECT`` statement::
104110
('2006-04-06', 'SELL', 'IBM', 500, 53.0)
105111
('2006-04-05', 'BUY', 'MSFT', 1000, 72.0)
106112

113+
You've now created an SQLite database using the :mod:`!sqlite3` module.
107114

108-
.. _sqlite3-placeholders:
109-
110-
SQL operations usually need to use values from Python variables. However,
111-
beware of using Python's string operations to assemble queries, as they
112-
are vulnerable to SQL injection attacks (see the `xkcd webcomic
113-
<https://xkcd.com/327/>`_ for a humorous example of what can go wrong)::
114-
115-
# Never do this -- insecure!
116-
symbol = 'RHAT'
117-
cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
118-
119-
Instead, use the DB-API's parameter substitution. To insert a variable into a
120-
query string, use a placeholder in the string, and substitute the actual values
121-
into the query by providing them as a :class:`tuple` of values to the second
122-
argument of the cursor's :meth:`~Cursor.execute` method. An SQL statement may
123-
use one of two kinds of placeholders: question marks (qmark style) or named
124-
placeholders (named style). For the qmark style, ``parameters`` must be a
125-
:term:`sequence <sequence>`. For the named style, it can be either a
126-
:term:`sequence <sequence>` or :class:`dict` instance. The length of the
127-
:term:`sequence <sequence>` must match the number of placeholders, or a
128-
:exc:`ProgrammingError` is raised. If a :class:`dict` is given, it must contain
129-
keys for all named parameters. Any extra items are ignored. Here's an example of
130-
both styles:
131-
132-
.. literalinclude:: ../includes/sqlite3/execute_1.py
133-
115+
.. _SQL injection attacks: https://en.wikipedia.org/wiki/SQL_injection
134116

135117
.. seealso::
136118

@@ -1151,6 +1133,36 @@ Python types via :ref:`converters <sqlite3-converters>`.
11511133
How-to guides
11521134
-------------
11531135

1136+
.. _sqlite3-placeholders:
1137+
1138+
Using placeholders to bind values in SQL queries
1139+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1140+
1141+
SQL operations usually need to use values from Python variables. However,
1142+
beware of using Python's string operations to assemble queries, as they
1143+
are vulnerable to `SQL injection attacks`_ (see the `xkcd webcomic
1144+
<https://xkcd.com/327/>`_ for a humorous example of what can go wrong)::
1145+
1146+
# Never do this -- insecure!
1147+
symbol = 'RHAT'
1148+
cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
1149+
1150+
Instead, use the DB-API's parameter substitution. To insert a variable into a
1151+
query string, use a placeholder in the string, and substitute the actual values
1152+
into the query by providing them as a :class:`tuple` of values to the second
1153+
argument of the cursor's :meth:`~Cursor.execute` method. An SQL statement may
1154+
use one of two kinds of placeholders: question marks (qmark style) or named
1155+
placeholders (named style). For the qmark style, ``parameters`` must be a
1156+
:term:`sequence <sequence>`. For the named style, it can be either a
1157+
:term:`sequence <sequence>` or :class:`dict` instance. The length of the
1158+
:term:`sequence <sequence>` must match the number of placeholders, or a
1159+
:exc:`ProgrammingError` is raised. If a :class:`dict` is given, it must contain
1160+
keys for all named parameters. Any extra items are ignored. Here's an example of
1161+
both styles:
1162+
1163+
.. literalinclude:: ../includes/sqlite3/execute_1.py
1164+
1165+
11541166
.. _sqlite3-adapters:
11551167

11561168
Using adapters to store custom Python types in SQLite databases

0 commit comments

Comments
 (0)