Module 06 / Project 01 — SQLite Basics¶
Home: README · Module: Databases & ORM
Learn Your Way¶
| Read | Build | Watch | Test | Review | Visualize | Try |
|---|---|---|---|---|---|---|
| — | This project | Walkthrough | — | Flashcards | — | — |
Focus¶
- Python's built-in
sqlite3module (no install needed) - Creating tables with
CREATE TABLE - Inserting rows with
INSERT INTO - Querying data with
SELECTandWHERE - Parameterized queries to prevent SQL injection
Why this project exists¶
Before you learn an ORM like SQLAlchemy, you should understand what it does under the hood. SQLite ships with Python and requires no server setup. This project teaches you raw SQL through Python so that when you see ORM code later, you understand what it translates to.
Run¶
This creates a data/books.db file. Delete it and re-run to start fresh.
Expected output¶
--- Creating database and table ---
Table 'books' created.
--- Inserting sample books ---
Inserted 6 books.
--- All books ---
1 | The Pragmatic Programmer | David Thomas | 1999
2 | Clean Code | Robert C. Martin | 2008
3 | Fluent Python | Luciano Ramalho | 2015
4 | Python Crash Course | Eric Matthes | 2015
5 | Design Patterns | Gang of Four | 1994
6 | Refactoring | Martin Fowler | 1999
--- Books by year 2015 ---
3 | Fluent Python | Luciano Ramalho | 2015
4 | Python Crash Course | Eric Matthes | 2015
--- Books with 'Python' in the title ---
3 | Fluent Python | Luciano Ramalho | 2015
4 | Python Crash Course | Eric Matthes | 2015
--- Parameterized query demo ---
Searching for author: Robert C. Martin
2 | Clean Code | Robert C. Martin | 2008
--- Dangerous input safely handled ---
Searching for: '; DROP TABLE books; --
No books found (and the table still exists!).
Alter it¶
- Add a
genrecolumn to the books table. Insert books with genres and query by genre. - Add an
UPDATEstatement that changes a book's year. Verify it worked with aSELECT. - Add a
DELETEstatement that removes a book by ID. Print the table before and after.
Break it¶
- Use string formatting (
f"... WHERE author = '{author}'") instead of parameterized queries. Pass in'; DROP TABLE books; --and see what happens. - Try to insert a row with the wrong number of values. Read the error message.
- Remove the
conn.commit()call after inserts. Query the data — is it there? Restart and check again.
Fix it¶
- Replace the string-formatted query with a parameterized one (
?placeholders). - Add
try/exceptaround database operations to handlesqlite3.Errorgracefully. - Use a context manager (
with conn:) to ensure commits happen automatically.
Explain it¶
- What is SQL injection and why are parameterized queries the fix?
- What does
conn.commit()do? What happens to your data without it? - What is the difference between
conn.execute()andcursor.execute()? - Why does SQLite not need a separate server process?
Mastery check¶
You can move on when you can:
- create a table and insert rows using sqlite3,
- write SELECT queries with WHERE clauses,
- explain why parameterized queries matter,
- use conn.commit() and understand transactions.
Related Concepts¶
- Classes and Objects
- Collections Explained
- Files and Paths
- Functions Explained
- Quiz: Classes and Objects