can you explain a bit more one what the place holder %s do?

Sure. It stands for a place to fill in data, such as the NM of the person you want to look up, or the TT of the movie, or the Title of the movie or...

It's like a variable, or a place where a variable's value goes.

I still don't understand how prepared queries protect again SQL injection. What happens if someone passes in '123 or 1 = 1' as nm into our function anyway?

The is the crucial question! Suppose the query is:


DELETE FROM movie WHERE tt = %s

Is that:


DELETE FROM movie WHERE tt = '123 or 1=1'

which matches nothing

Or is it


DELETE FROM movie WHERE tt = '123' or 1=1;

which matches everything

The bad case is when the or 1=1 is parsed as part of the SQL code, as opposed to a value.

Can we review prepared queries again and how multiple %s values work?

As many times as you'd like!

Can we go over the right and wrong way to do a parameterized query again and what the difference is?

The wrong way is to use string interpolation:


val = input('what tt?')
sql = f'DELETE FROM movie WHERE tt = {val}'
curs.execute(sql)

The right way is to use a prepared query


val = input('what tt?')
sql = f'DELETE FROM movie WHERE tt = %s'
curs.execute(sql, val)