I am trying to use placeholders, but they do not work. Here is a bad example of what i need, it works perfectly, but it is not protected against SQL-injections:

`def updateUser(self, user_id: int, **kwargs) -> bool:for arg, value in kwargs.items():try:sql = f"UPDATE user SET {arg}='{value}' WHERE user_id = {user_id};"self.con.execute(sql)except Exception as e:print(e)self.con.rollback()return Falseself.con.commit()return True
`

It works with any data type perfectly. Now the code that i want to use, but it don't work:

`def updateUser(self, user_id: int, **kwargs) -> bool:for arg, value in kwargs.items():try:self.con.execute("UPDATE user SET ?='?' WHERE user_id = ?;", (arg, value, user_id))except Exception as e:print(e)self.con.rollback()return Falseself.con.commit()return True

` This code returns error:

`>>> ud.updateUser(1, nick="test")
Traceback (most recent call last):File "<stdin>", line 1, in <module>File "<path>/inter.py", line 56, in updateUserself.con.execute("UPDATE user SET ?='?' WHERE user_id = ?;", (arg, value, user_id))
sqlite3.OperationalError: near "?": syntax error

`

I've tried every possible way to write this query (brackets, quotes), but it only works with f-string. What am i doing worng?

The issue is with the syntax of the query. The ? placeholder can only be used for values, not for column names or table names.

You need to specify the column name and value in the query string, not as placeholders. Here's an example:

def updateUser(self, user_id: int, **kwargs) -> bool:for arg, value in kwargs.items():try:sql = "UPDATE user SET {}=? WHERE user_id=?".format(arg)self.con.execute(sql, (value, user_id))except Exception as e:print(e)self.con.rollback()return Falseself.con.commit()return True

This code should work as expected and will also protect against SQL injection attacks.