patternpythonModerate
Fetch live data from SQLite
Viewed 0 times
fetchsqlitelivefromdata
Problem
I'm writing a small Python script which needs to fetch live data from a database (I'm using SQLite 3 for now). I may reuse this function for a lot of scripts. Can this code be made better?
def fetch_database(database, table, filter_dict, case=None):
"""
Takes filter parameter as a dict
dict = {'column_name':['filter', 'filter2'], 'column_name2'=[], ..}
case = wrap around the dictionary key(UPPER, LOWER, etc..), None
database (with pathname ex: database.db
table
column = dict.keys()
"""
conn = sqlite3.connect(database)
c = conn.cursor()
filter_dict = dict_format(filter_dict) # A separate function deletes empty keys from dictionary
keys_list = filter_dict.keys()
statement = 'SELECT * FROM ' + table
if len(keys_list) > 0:
statement += ' WHERE '
for keys in keys_list:
if case == None:
key = keys
else:
key = case + '(' + keys + ')'
temp_data = filter_dict[keys]
temp_size = len(temp_data)
if keys_list.index(keys) != 0:
statement += ' AND '
if temp_size > 0:
for data in temp_data:
if temp_data.index(data) == 0:
statement += key + '="' + data + '"'
else:
statement += ' OR ' + key + '="' + data + '"'
dataset = c.execute(statement)
dataset = dataset.fetchall()
return datasetSolution
I'm surprised nobody mentioned the code being vulnerable to SQL injection attacks:
(XKCD source)
Using string formatting and string concatenation to construct SQL queries is, first of all, unsafe and also, fragile - you will have to handle the argument types, balancing and escaping quotes yourself manually.
Instead, you should parameterize your queries - this way, you are not only protected from SQL injections, but also let the database driver worry about the python-to-database type conversions, sample:
Note how parameters are passed in a separate argument to
On the other hand, it feels like you may be reinventing the wheel in a certain way - please check if switching to an ORM like
(XKCD source)
Using string formatting and string concatenation to construct SQL queries is, first of all, unsafe and also, fragile - you will have to handle the argument types, balancing and escaping quotes yourself manually.
Instead, you should parameterize your queries - this way, you are not only protected from SQL injections, but also let the database driver worry about the python-to-database type conversions, sample:
query = """
SELECT column1
FROM table
WHERE column2 = ?"""
cursor.execute(query, (data, ))Note how parameters are passed in a separate argument to
execute().On the other hand, it feels like you may be reinventing the wheel in a certain way - please check if switching to an ORM like
SQLAlchemy or peewee would help to avoid re-writing boilerplate code.Code Snippets
query = """
SELECT column1
FROM table
WHERE column2 = ?"""
cursor.execute(query, (data, ))Context
StackExchange Code Review Q#161919, answer score: 11
Revisions (0)
No revisions yet.