
@eslerm
Created October 27, 2018 02:58
python3 sqlite3 cheat
# python3 sqlite3 cheat
# [0] https://docs.python.org/3/library/sqlite3.html
import sqlite3
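# Open (or create) the demo database file in the current directory.
con = sqlite3.connect('users.db')
# Every statement below runs through this one cursor.
c = con.cursor()

# Demo schema only: a real application stores a salted, slow password hash,
# never the plaintext password.
c.execute('''CREATE TABLE users
(username text, password text)''')

# Seed rows. The values are constants in the SQL text, so nothing here comes
# from outside the program.
c.execute("INSERT INTO users VALUES ('root', 's3cr3t')")
c.execute("INSERT INTO users VALUES ('guest', 'secret')")

# ANTI-PATTERN (kept to show the failure mode): SQL assembled with string
# formatting. The quote inside the second value ends the string literal
# early, and executescript() runs every statement in the resulting text, so
# the UPDATE rewrites root's password. executescript() accepts no bound
# parameters at all; it must never receive text derived from untrusted input.
user_password = ('user',
                 "secret_'); UPDATE users SET password = 'foobar' WHERE username = 'root'; --",)
c.executescript("INSERT INTO users VALUES ('%s', '%s')" % user_password)
print('root after string-built SQL:',
      c.execute("SELECT password FROM users WHERE username = 'root'").fetchone())

# Remove the row the string-built statement inserted.
c.execute("DELETE FROM users WHERE username = 'user'")

# Correct form: the SQL text stays constant and the values travel separately.
# SQLite binds each ? as data, so the same hostile string is stored verbatim
# and no second statement is executed.
c.execute('INSERT INTO users VALUES (?, ?)', user_password)
stored_password = c.execute('SELECT password FROM users WHERE username = ?',
                            (user_password[0],)).fetchone()[0]
print('bound value stored verbatim:', stored_password == user_password[1])
# Remove the demo row again so the final table contents match the list below.
c.execute('DELETE FROM users WHERE username = ?', (user_password[0],))

# Mixing the two styles does not work: the SQL text has no %-specifiers, so
# the % operator raises TypeError in Python before SQLite is ever called.
try:
    c.executescript('INSERT INTO users VALUES (?, ?)' % user_password)
except TypeError as e:
    print('TypeError: ', e)

# executemany() binds one parameter tuple per row; None is stored as SQL NULL.
users_passwords = [
    ('user', 'secret_'),
    ('www', None),  # password = NULL
]
c.executemany('INSERT INTO users VALUES (?, ?)', users_passwords)

# Print every row currently in the table.
for row in c.execute('SELECT * from users'):
    print(row)

# Persist the pending changes, then release the database file.
con.commit()
con.close()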