python - Querying SQLite Database for specific cell
问题描述
Forgive me if this is a basic question, I'm learning on my own and having some trouble. I have built a database with SQLite and am trying to write something that can display the 'description' of an entry when the name is entered into an entry box.
record_id = call_field.get()
# Query the database
c.execute("SELECT name, abbr, description FROM TQ_QUICKTEXT WHERE name =" + record_id)
records = c.fetchall()
# Loop through results
for record in records:
display.insert(1.0, record[2])
When I type the name of the entry that has been put into the database, an error is returned saying there is no column with that name. However, when I type the actual word 'name' into the entry box and run the function every single description entry is returned. If someone wouldn't mind pointing out where I've made mistakes it would be greatly appreciated. Thank you in advance.
解决方案
当前执行的SELECT
语句如下所示:(的值
SELECT name, abbr, description FROM TQ_QUICKTEXT WHERE name = something
在哪里)
因为 的值没有引号,所以它认为它是列名,而不是文本。这就是为什么当您尝试记录的名称时,您会收到错误,因为这不是列名,但有效,因为它是列的名称。
添加引号可以解决问题,但数据库容易受到 SQL 注入的影响。对 SQL 查询进行参数化以防止这种情况是一种很好的安全做法。这是通过使用代替参数然后将参数元组传递给执行函数来完成的。这可以保护您免受 SQL 注入。
在这些更改之后,语句应如下所示:something
record_id
record_id
name
?
c.execute
c.execute("SELECT name, abbr, description FROM TQ_QUICKTEXT WHERE name = ?", (record_id,))
推荐阅读
- javascript - 间接访问返回空的迭代器
- python - 烧瓶应用程序中未显示分段图像
- java - 无效与单声道
在 Spring webflux 中 - javascript - 循环遍历对象数组并将它们显示在反应组件中
- android - Android Dagger-Hilt 忽略 @Provides 方法
- c - 使用 janet_wrap_array 的正确方法
- javascript - 反应中的 setState 似乎它删除了所有状态内容
- javascript - 添加媒体查询以根据屏幕大小调整日历小部件 css
- c# - 如何使用 VS 代码在控制台应用程序上正确运行 C# 代码?
- sql - Sparklyr:sql 临时错误:参数不可解释为逻辑