In an attempt to safeguard against SQL injection, a developer using SQLite3 with Python 2.5 switched to the recommended "?" parameter substitution and was met with the following error:
sqlite3.ProgrammingError: Incorrect number of bindings supplied. The current statement uses 1, and there are 8 supplied.
The developer suspected the problem stemmed from the database's initial creation, where eight bindings had been used. Falling back to the less secure "%s" string formatting for each item name made the error disappear (the value is spliced into the SQL text, which is exactly what parameter substitution is meant to avoid):

    for item in self.inventory_names:
        # "%s" interpolates the item name into the SQL string itself
        self.cursor.execute("SELECT weight FROM Equipment WHERE name = '%s'" % item)
    self.cursor.close()
The explanation lies in the signature of Cursor.execute(): its second argument must be a sequence of parameters, one per "?" placeholder. The developer passed a bare string that happened to be eight characters long, and a string is itself a sequence, so sqlite3 treated each character as a separate binding and counted eight of them against a statement with a single placeholder. Wrapping the value in a one-element list fixes this:
    self.cursor.execute("SELECT weight FROM Equipment WHERE name = ?", [item])
By conforming to this parameter specification, the issue can be effectively addressed, allowing for secure and efficient data retrieval from SQLite3.
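The following self-contained script reproduces the three variants discussed above against an in-memory SQLite database. It is an added example, not code from the original article; the Equipment rows are constructed sample data, and the function names (lookup_broken, lookup_formatted, lookup_param) are my own. It shows the binding-count error from passing a bare string, then why the "%s" workaround is fragile (an item name containing a quote breaks the statement) while the list-wrapped "?" form handles the same name as plain data.

```python
import sqlite3

# Constructed sample rows (not from the original article); the last name
# deliberately contains quote characters.
EQUIPMENT = [("sword", 3.5), ("shield", 6.0), ("O'Brien's lamp", 1.2)]


def make_db():
    """Build an in-memory Equipment table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE Equipment (name TEXT, weight REAL)")
    cur.executemany("INSERT INTO Equipment VALUES (?, ?)", EQUIPMENT)
    conn.commit()
    return conn


def lookup_broken(conn, item):
    """Reproduce the article's mistake: a bare string as the parameter
    sequence, so sqlite3 sees one binding per character. Returns the
    error text so the failure mode is visible."""
    cur = conn.cursor()
    try:
        cur.execute("SELECT weight FROM Equipment WHERE name = ?", item)
        row = cur.fetchone()
        return row[0] if row else None
    except sqlite3.ProgrammingError as exc:
        return "ProgrammingError: " + str(exc)


def lookup_formatted(conn, item):
    """The '%s' workaround: the value is pasted into the SQL text, so any
    quote in the item name alters the statement rather than the data."""
    cur = conn.cursor()
    try:
        cur.execute("SELECT weight FROM Equipment WHERE name = '%s'" % item)
        row = cur.fetchone()
        return row[0] if row else None
    except sqlite3.OperationalError as exc:
        return "OperationalError: " + str(exc)


def lookup_param(conn, item):
    """The fix: a one-element list, so the value is bound as data and
    quotes inside it never reach the SQL parser."""
    cur = conn.cursor()
    cur.execute("SELECT weight FROM Equipment WHERE name = ?", [item])
    row = cur.fetchone()
    return row[0] if row else None


def weights(conn, names):
    """Look up several items the safe way, as the original loop intended."""
    return {name: lookup_param(conn, name) for name in names}


if __name__ == "__main__":
    db = make_db()
    print(lookup_broken(db, "shield"))             # binding-count error
    print(lookup_formatted(db, "sword"))           # 3.5, looks fine...
    print(lookup_formatted(db, "O'Brien's lamp"))  # ...until a quote appears
    print(lookup_param(db, "O'Brien's lamp"))      # 1.2
    print(weights(db, ["sword", "shield", "missing"]))
```

Note that lookup_broken only fails for item names longer than one character: a single-character string is a sequence of length one and binds without complaint, which is one reason this bug can go unnoticed in testing.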
Source: "When Using SQLite3 in Python, Why 'Incorrect Number of Bindings Supplied' When Utilizing '?' Parameter Substitution?", PHP Chinese website.