Ok, I am creating functions to be used with a game server. This server uses plugins. I have these functions which make use of a sqlite database, together with apsw, to retrieve items saved by another function. I have 3 questions about this.

Question One: I keep getting the error "SQLError: near "?": syntax error". Since my statement has multiple ?, it is hard to track down what exactly is wrong. What exactly is wrong?

Question Two: I know about SQL injection, but these functions only take input from the runner of the script, and the only stuff he'd be harming is his own. Nevertheless, is there an easy way to make this SQL-injection proof?

Question Three: Is there any way to make this function more efficient?

This is the function. EDIT: Here's what it looks like now:

def readdb(self, entry, column, returncolumn="id,matbefore,matafter,name,date"):
    # Column names cannot be bound as '?' parameters, so they are formatted in;
    # the looked-up values are always bound so sqlite never parses them as SQL.
    if isinstance(entry, (int, str)):
        statement = 'SELECT {0} FROM main WHERE {1} = ?'.format(returncolumn, column)
        self.memcursor.execute(statement, (entry,))
        blockinfo = self.memcursor.fetchall()
    elif isinstance(entry, (tuple, list)):
        # IN needs a parenthesised list: one '?' per value, e.g. "(?,?,?)"
        statement = '''SELECT {0} FROM main WHERE {1} IN (%s)'''.format(returncolumn, column)
        self.memcursor.execute(statement % ",".join("?" * len(entry)), tuple(entry))
        blockinfo = self.memcursor.fetchall()
    else:
        raise TypeError("entry must be an int, str, tuple or list")
    return blockinfo

This is funny (read on to discover why).

The first statement you have actually uses the value binding mechanism of the sqlite3 module (I assume that's what you use). Hence, the * (the default column) gets escaped, making the statement invalid. This is SQL-injection proof, and your own code tries to inject SQL (see the funny now?).

The second time you use Python's string substitution to build the query string, which is not SQL-injection proof.
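A hardened version of the lookup described in the question and the answer, as an added example (not the asker's or the answerer's code): it uses the standard-library sqlite3 module in place of apsw (an assumption; both bind values with the same `?` placeholders), checks the column identifiers against an allowlist because identifiers cannot be bound, and binds every looked-up value so quote characters in it are matched as data. The table and rows are constructed for the example.

```python
import sqlite3

# Constructed schema mirroring the column names used in the question.
ALLOWED_COLUMNS = ("id", "matbefore", "matafter", "name", "date")


def make_db():
    """Build an in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE main (id INTEGER, matbefore TEXT, matafter TEXT,"
                 " name TEXT, date TEXT)")
    conn.executemany("INSERT INTO main VALUES (?,?,?,?,?)", [
        (1, "stone", "air", "alice", "2013-01-01"),
        (2, "dirt", "grass", "bob", "2013-01-02"),
        (3, "sand", "glass", "alice", "2013-01-03"),
    ])
    return conn


def readdb(conn, entry, column, returncolumn="id,matbefore,matafter,name,date"):
    """Return rows where `column` matches `entry` (one value or a sequence of values).

    Identifiers (column names) cannot be passed as '?' parameters, so they are
    validated against ALLOWED_COLUMNS before being formatted into the statement.
    The values themselves always travel through placeholders, never string formatting,
    so sqlite treats them purely as data.
    """
    cols = [c.strip() for c in returncolumn.split(",")]
    for ident in cols + [column]:
        if ident not in ALLOWED_COLUMNS:
            raise ValueError("unknown column: %r" % ident)
    # Normalise a single value to a one-element list so both cases share one path.
    values = [entry] if isinstance(entry, (int, str)) else list(entry)
    if not values:
        return []
    placeholders = ",".join("?" * len(values))  # e.g. "?,?,?" for three values
    statement = "SELECT {0} FROM main WHERE {1} IN ({2})".format(
        ",".join(cols), column, placeholders)
    return conn.execute(statement, values).fetchall()
```

The `IN (...)` list is built from placeholders only, which is what the `%` substitution in the question's second branch does; the difference is that the identifiers are allowlisted rather than trusted.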