Inserting values in sqlite 3 but appearing as column names

Question

Im using inputs from SQLite3 in python 3.5 to add user information to a data base. However once i obtain the data and insert into the database, rather than inserting the data into the columns it tells me there is no column. The error I get is as follows:

Exception in Tkinter callback Traceback (most recent call last):

File "C:\Users\Luke_2\AppData\Local\Programs\Python\Python35-32\lib\tkinter__init__.py", line 1549, in call return self.func(*args) File "C:\Users\Luke_2\Desktop\Computing\Coursework\live\current.py", line 303, in details cur_user.execute("INSERT INTO LogIn(Email,Password) VALUES("+user+","+passw+")") sqlite3.OperationalError: no such column: a

And the function in my code doing this is as follows:

def details():
    user = email_sign.get()
    user1 = email1_sign.get()
    passw = password_sign.get()
    password1 = password1_sign.get()
    if user == user1 and passw == password1:
        cur_user.execute("INSERT INTO LogIn(Email,Password) VALUES("+user+","+passw+")")
        conn_user.commit()

    else:
        print("please try again")

Answer 1

It is because the request that you actually execute has no quotes around the values, so the names are interpreted as column names but the SQL engine. If you pass a and b respectively you will execute

INSERT INTO LogIn(Email,Password) VALUES(a,b)

when what is required is

INSERT INTO LogIn(Email,Password) VALUES('a','b')

But you should never to that! Building requests that way but hardcoding parameters in the request has been the cause of SQL injection problems for decades.

The correct way is to build a parameterized request:

cur_user.execute("INSERT INTO LogIn(Email,Password) VALUES(?,?)", (user, password))

simpler, smarter and immune to SQL injection...