Commit 33c66301 authored by Raymond Hettinger

Clean-up the SQLite introduction.

parent 0e15a6e2
...@@ -23,7 +23,7 @@ represents the database. Here the data will be stored in the ...@@ -23,7 +23,7 @@ represents the database. Here the data will be stored in the
:file:`/tmp/example` file:: :file:`/tmp/example` file::
import sqlite3 import sqlite3
conn = sqlite3.connect('/tmp/example') conn = sqlite3.connect('example.db')
You can also supply the special name ``:memory:`` to create a database in RAM. You can also supply the special name ``:memory:`` to create a database in RAM.
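Review bot: the unchanged context line still says the data will be stored in the :file:`/tmp/example` file while the code on the new side now opens 'example.db'; update that sentence to match, noting that the relative name resolves against the current working directory rather than a fixed /tmp path. Moving the tutorial database out of the shared, world-writable /tmp directory is a good change for code readers will copy verbatim, so the prose should reflect it rather than contradict it.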
...@@ -33,13 +33,11 @@ and call its :meth:`~Cursor.execute` method to perform SQL commands:: ...@@ -33,13 +33,11 @@ and call its :meth:`~Cursor.execute` method to perform SQL commands::
c = conn.cursor() c = conn.cursor()
# Create table # Create table
c.execute('''create table stocks c.execute('''CREATE TABLE stocks
(date text, trans text, symbol text, (date text, trans text, symbol text, qty real, price real)''')
qty real, price real)''')
# Insert a row of data # Insert a row of data
c.execute("""insert into stocks c.execute("INSERT INTO stocks VALUES ('2006-01-05','BUY','RHAT',100,35.14)")
values ('2006-01-05','BUY','RHAT',100,35.14)""")
# Save (commit) the changes # Save (commit) the changes
conn.commit() conn.commit()
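Review bot: style point only; uppercasing the SQL keywords and folding the CREATE TABLE and INSERT statements onto single lines changes no behaviour, and the inserted row ('2006-01-05','BUY','RHAT',100,35.14) is identical on both sides. The one-line `CREATE TABLE stocks (date text, trans text, symbol text, qty real, price real)` is long for rendered documentation; keeping the column list on a second line as before would preserve readability without giving up the keyword-case change.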
...@@ -47,16 +45,17 @@ and call its :meth:`~Cursor.execute` method to perform SQL commands:: ...@@ -47,16 +45,17 @@ and call its :meth:`~Cursor.execute` method to perform SQL commands::
# We can also close the cursor if we are done with it # We can also close the cursor if we are done with it
c.close() c.close()
Usually your SQL operations will need to use values from Python variables. You
shouldn't assemble your query using Python's string operations because doing so
is insecure; it makes your program vulnerable to an SQL injection attack.
The data you've saved is persistent and is available in subsequent sessions:: The data you've saved is persistent and is available in subsequent sessions::
import sqlite3 import sqlite3
conn = sqlite3.connect('/tmp/example') conn = sqlite3.connect('example.db')
c = conn.cursor() c = conn.cursor()
Usually your SQL operations will need to use values from Python variables. You
shouldn't assemble your query using Python's string operations because doing so
is insecure; it makes your program vulnerable to an SQL injection attack
(see http://xkcd.com/327/ for humorous example of what can go wrong).
Instead, use the DB-API's parameter substitution. Put ``?`` as a placeholder Instead, use the DB-API's parameter substitution. Put ``?`` as a placeholder
wherever you want to use a value, and then provide a tuple of values as the wherever you want to use a value, and then provide a tuple of values as the
second argument to the cursor's :meth:`~Cursor.execute` method. (Other database second argument to the cursor's :meth:`~Cursor.execute` method. (Other database
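Review bot: grammar in the added parenthetical on the new side: "for humorous example of what can go wrong" is missing an article and should read "for a humorous example of what can go wrong". Relocating the injection warning so it sits directly before the paragraph introducing `?` parameter substitution is the right move; the problem and its fix now read as one unit instead of being split by the reconnect snippet.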
...@@ -64,19 +63,20 @@ modules may use a different placeholder, such as ``%s`` or ``:1``.) For ...@@ -64,19 +63,20 @@ modules may use a different placeholder, such as ``%s`` or ``:1``.) For
example:: example::
# Never do this -- insecure! # Never do this -- insecure!
symbol = 'IBM' symbol = 'RHAT'
c.execute("select * from stocks where symbol = '%s'" % symbol) c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
# Do this instead # Do this instead
t = (symbol,) t = (symbol,)
c.execute('select * from stocks where symbol=?', t) c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()
# Larger example # Larger example that inserts many records at a time
for t in [('2006-03-28', 'BUY', 'IBM', 1000, 45.00), purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
('2006-04-05', 'BUY', 'MSFT', 1000, 72.00), ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
('2006-04-06', 'SELL', 'IBM', 500, 53.00), ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
]: ]
c.execute('insert into stocks values (?,?,?,?,?)', t) c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)
To retrieve data after executing a SELECT statement, you can either treat the To retrieve data after executing a SELECT statement, you can either treat the
cursor as an :term:`iterator`, call the cursor's :meth:`~Cursor.fetchone` method to cursor as an :term:`iterator`, call the cursor's :meth:`~Cursor.fetchone` method to
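Review bot: no conn.commit() follows the new `c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)` line, whereas the earlier snippet committed right after its INSERT; the later SELECT in the same session will still see the rows, but a reader who closes the connection without committing will find them discarded, so either add the commit or state that the following snippets rely on the still-open transaction. Changing the symbol to 'RHAT' is a good touch: the added `print c.fetchone()` now returns the row inserted earlier, whereas 'IBM' would have returned None because the IBM rows are only inserted by the executemany call below it.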
...@@ -85,16 +85,13 @@ matching rows. ...@@ -85,16 +85,13 @@ matching rows.
This example uses the iterator form:: This example uses the iterator form::
>>> c = conn.cursor() >>> for row in c.execute('SELECT * FROM stocks ORDER BY price'):
>>> c.execute('select * from stocks order by price') print row
>>> for row in c:
... print row
...
(u'2006-01-05', u'BUY', u'RHAT', 100, 35.14) (u'2006-01-05', u'BUY', u'RHAT', 100, 35.14)
(u'2006-03-28', u'BUY', u'IBM', 1000, 45.0) (u'2006-03-28', u'BUY', u'IBM', 1000, 45.0)
(u'2006-04-06', u'SELL', u'IBM', 500, 53.0) (u'2006-04-06', u'SELL', u'IBM', 500, 53.0)
(u'2006-04-05', u'BUY', u'MSFT', 1000, 72.0) (u'2006-04-05', u'BUY', u'MSFT', 1000, 72.0)
>>>
.. seealso:: .. seealso::
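Review bot: the new interactive transcript drops the continuation prompts; after `>>> for row in c.execute('SELECT * FROM stocks ORDER BY price'):` the body should be shown as `...     print row` followed by a bare `...` line, otherwise the snippet is neither a valid doctest nor what a reader sees at the prompt. Relying on `execute` returning the cursor is fine for the sqlite3 module, but removing the `>>> c = conn.cursor()` line means this example now depends on `c` from the earlier snippet, which is worth a word in the sentence introducing it.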
...@@ -107,6 +104,9 @@ This example uses the iterator form:: ...@@ -107,6 +104,9 @@ This example uses the iterator form::
The SQLite web page; the documentation describes the syntax and the The SQLite web page; the documentation describes the syntax and the
available data types for the supported SQL dialect. available data types for the supported SQL dialect.
http://www.w3schools.com/sql/
Tutorial, reference and examples for learning SQL syntax.
:pep:`249` - Database API Specification 2.0 :pep:`249` - Database API Specification 2.0
PEP written by Marc-André Lemburg. PEP written by Marc-André Lemburg.
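Review bot: the new seealso entry places a third-party tutorial site alongside the official SQLite documentation and PEP 249; a short qualifier in its description (that it is an independent learning resource rather than the SQLite project's own material) would keep readers from confusing the two, and external tutorial links are the ones most likely to rot, so it is worth flagging for periodic review. Formatting matches the neighbouring entries (URL line, indented one-line description).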
......