0

I'm running the following Python3 code on a Sqlite3 database:

db.execute("UPDATE user SET ? = ? WHERE id = ?", (name, quantity, str(g.user['id'])))

where db is my cursor object. However, this produces the error

sqlite3.OperationalError: near "?": syntax error.

Is this the right syntax for cursor.execute()?

Jared Goodman
  • 73
  • 1
  • 4

1 Answers1

0

f-strings would do the job in python3

db.execute(f"UPDATE user SET {name} = {quantity} WHERE id = {str(g.user['id']}"
AlexMTX
  • 72
  • 4
  • and don't forget to commit your changes – AlexMTX Apr 14 '20 at 19:44
  • I know that using a `?` provides security against an injection. Would f-strings provide the same level of security, or do I need to sanitize the input on my own? – Jared Goodman Apr 14 '20 at 19:45
  • 1
    The problem here is that you parametrize a column `{name}` that is not allowed to be filled in using parameters `?`. If you need secure parameters, you would need to specify a column than. There is a question about security https://stackoverflow.com/a/44752966/2630643 – AlexMTX Apr 14 '20 at 19:53
  • Got it. Thanks! My code ended up being `db.execute("UPDATE user SET " + name + " = ? WHERE id = ?", (quantity, str(g.user['id'])))` since the column name isn't specified by the user, I just had it as a variable in order to loop. – Jared Goodman Apr 14 '20 at 20:01