
I'm running the following Python3 code on a Sqlite3 database:

db.execute("UPDATE user SET ? = ? WHERE id = ?", (name, quantity, str(g.user['id'])))

where db is my cursor object. However, this produces the error

sqlite3.OperationalError: near "?": syntax error.

Is this the right syntax for cursor.execute()?

1 Answer

f-strings would do the job in python3

# every value is interpolated into the SQL text; nothing is bound as a parameter
db.execute(f"UPDATE user SET {name} = {quantity} WHERE id = {str(g.user['id'])}")

4 Comments

and don't forget to commit your changes
I know that using a ? provides security against an injection. Would f-strings provide the same level of security, or do I need to sanitize the input on my own?
The problem here is that you parametrize a column {name} that is not allowed to be filled in using parameters ?. If you need secure parameters, you would need to specify a column then. There is a question about security stackoverflow.com/a/44752966/2630643
Got it. Thanks! My code ended up being db.execute("UPDATE user SET " + name + " = ? WHERE id = ?", (quantity, str(g.user['id']))) since the column name isn't specified by the user, I just had it as a variable in order to loop.
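The three variants discussed in this thread side by side, as an added example that is not code from the question or the answer. It assumes a hypothetical `user` table with integer columns `apples` and `pears`, uses an in-memory `sqlite3` connection (whose `execute()` shortcut behaves like the cursor's) in place of the asker's `db`/`g.user`, and goes one step further than the final comment: the column name is checked against an allow-list and quoted as an identifier before it is pasted into the statement, while the values are still bound with `?`.

```python
import sqlite3

# Hypothetical columns the application is allowed to update (constructed for this example).
ALLOWED_COLUMNS = {"apples", "pears"}


def make_db():
    """Constructed in-memory database with two rows so a WHERE-clause bypass is visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, apples INTEGER, pears INTEGER)")
    db.executemany("INSERT INTO user (id, apples, pears) VALUES (?, 0, 0)", [(1,), (2,)])
    db.commit()
    return db


def update_with_placeholder_column(db, name, quantity, user_id):
    """The original attempt: '?' can only stand for a value, so binding a column name
    is rejected by the SQL parser before any parameter is looked at."""
    try:
        db.execute("UPDATE user SET ? = ? WHERE id = ?", (name, quantity, user_id))
    except sqlite3.OperationalError as exc:
        return str(exc)  # near "?": syntax error
    return None


def update_with_fstring(db, name, quantity, user_id):
    """The f-string variant: everything, values included, becomes part of the SQL text,
    so a quantity such as '5 --' comments out the WHERE clause and hits every row."""
    db.execute(f"UPDATE user SET {name} = {quantity} WHERE id = {user_id}")
    db.commit()


def update_safely(db, name, quantity, user_id):
    """Column name restricted to an allow-list and quoted as an identifier;
    the values that may come from a user are bound with '?', never interpolated."""
    if name not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected column: {name!r}")
    # Double quotes delimit an identifier in SQLite; the allow-list guarantees the
    # name contains no quote character, so the quoting cannot be broken out of.
    sql = f'UPDATE user SET "{name}" = ? WHERE id = ?'
    cur = db.execute(sql, (quantity, user_id))
    db.commit()
    return cur.rowcount


def read_row(db, user_id):
    """Return (apples, pears) for one user, again with the id bound as a parameter."""
    return db.execute("SELECT apples, pears FROM user WHERE id = ?", (user_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(update_with_placeholder_column(db, "apples", 5, 1))
    update_with_fstring(db, "apples", "5 --", 1)
    print(read_row(db, 1), read_row(db, 2))  # both rows changed: WHERE was commented out
    db = make_db()
    update_safely(db, "apples", "5 --", 1)
    print(read_row(db, 1), read_row(db, 2))  # '5 --' stored as text in row 1, row 2 untouched
```

With the bound parameter the string `5 --` is just data: SQLite cannot convert it to an integer, so it is stored as text in the one row the WHERE clause selects. With the f-string the same input rewrites the statement. The allow-list is what makes the column-name concatenation from the last comment safe: it is fine precisely because `name` comes from the program's own loop, not from the request, and the check enforces that.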
