Improvements:
- plural agreement, as CAM says
- more brevity
- add wikipedia link to SQL injection attacks
erlend-aasland committed Aug 3, 2022
commit a0cdf612e81f6b55f4ba2a35a51d436b8bad7480
7 changes: 4 additions & 3 deletions Doc/library/sqlite3.rst
@@ -94,10 +94,10 @@ using :meth:`~Cursor.executemany`::
... ]
>>> cur.executemany('INSERT INTO stocks VALUES(?, ?, ?, ?, ?)', data)

Notice that we used question mark placeholder to bind *data* to the query.
Notice that we used question mark placeholders to bind *data* to the query.
Always use placeholders instead of :ref:`string formatting<tut-formatting>`
to bind Python values to SQL statements,
in order to avoid SQL injection attacks.
to avoid `SQL injection attacks`_.
See the :ref:`placeholders how-to <sqlite3-placeholders>` for more details.

Then, retrieve the data by iterating over the result of a ``SELECT`` statement::
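Review bot: the rewritten sentence starting at "Always use placeholders" now chains two infinitive clauses ("to bind Python values to SQL statements, to avoid `SQL injection attacks`_"), which reads as if avoiding injection were a second purpose of binding rather than the reason for the rule. Consider "Always use placeholders instead of :ref:`string formatting<tut-formatting>` to bind Python values to SQL statements; this avoids `SQL injection attacks`_." The plural fix ("placeholders") and the added pointer to the placeholders how-to are fine.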
@@ -112,6 +112,7 @@ Then, retrieve the data by iterating over the result of a ``SELECT`` statement::

You've now created an SQLite database using the :mod:`!sqlite3` module.

.. _SQL injection attacks: https://en.wikipedia.org/wiki/SQL_injection

.. seealso::

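Review bot: the new ``.. _SQL injection attacks:`` target is defined here in the tutorial, but the same name is referenced again from the placeholders how-to in the ``-1457,7`` hunk, roughly 1300 lines further down, so anyone reading that section's source will not find the target nearby. reST hyperlink targets are document-wide, so both references resolve; still, consider moving the target to the end of the file where it is easy to locate from either use, rather than leaving it sandwiched between the tutorial's closing sentence and ``.. seealso::``.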
@@ -1457,7 +1458,7 @@ Using placeholders to bind values in SQL queries

SQL operations usually need to use values from Python variables. However,
beware of using Python's string operations to assemble queries, as they
are vulnerable to SQL injection attacks (see the `xkcd webcomic
are vulnerable to `SQL injection attacks`_ (see the `xkcd webcomic
<https://xkcd.com/327/>`_ for a humorous example of what can go wrong)::

# Never do this -- insecure!
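Review bot: "as they are vulnerable to `SQL injection attacks`_" leaves "they" ambiguous between Python's string operations and the assembled queries; it is the statements built by interpolating untrusted values that are injectable, not the string operations themselves. Consider "beware of using Python's string operations to assemble queries, as the resulting statements are vulnerable to `SQL injection attacks`_". With this change the tutorial and this how-to both point at the same named target, which keeps the two passages consistent.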