Now I was a bit lazy and did this update of my database
cur.execute(f"UPDATE `account` SET `amount` = {amount} WHERE `account`.`id` = {id};")
That is of course a no-go, as this allows for SQL injection. It should be like this:
query = "UPDATE `account` SET `amount` = %s WHERE `account`.`id` = %s;"
data = ( amount, id )
update = ( query, data )
cur.execute(query, data )
Then I thought, is there an SQL prefix?
cur.execute(q"UPDATE `account` SET `amount` = {amount} WHERE `account`.`id` = {id};")
The q prefix would then return a list with a query and the data array (which execute should be modified to accept):
query = "UPDATE `account` SET `amount` = %s WHERE `account`.`id` = %s;"
data = ( amount, id )
return ( query, data )
This would make it easier to apply security from the start, and of course not put readability in conflict with security.
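The same split of query text and data can be had today without new syntax. As an added example that is not part of the original post, a small hypothetical `q()` helper turns a `{name}` template into the (query, data) pair described above; the values never touch the SQL text, so a quote inside a value stays data. The helper, its `marker` argument and the in-memory SQLite table are assumptions made for the demo.

```python
import sqlite3
import string


def q(template, values, marker="%s"):
    """Turn a '{name}' template into (query, params).

    Each plain {name} placeholder becomes a driver placeholder (%s by
    default, '?' for sqlite3) and its value is collected separately, so
    the value is passed to the driver as a parameter, never spliced into
    the SQL string. Format specs and conversions are rejected on purpose.
    """
    parts, params = [], []
    for literal, field, spec, conv in string.Formatter().parse(template):
        parts.append(literal)
        if field is None:          # trailing literal text, no placeholder
            continue
        if not field or spec or conv:
            raise ValueError("only plain {name} placeholders are supported")
        parts.append(marker)
        params.append(values[field])
    return "".join(parts), tuple(params)


def demo():
    """Run the update from the post against a constructed in-memory table."""
    con = sqlite3.connect(":memory:")
    cur = con.cursor()
    cur.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, amount TEXT)")
    cur.execute("INSERT INTO account VALUES (1, '10'), (2, '20')")

    # Constructed value with a quote and a comment marker: with the f-string
    # version this would change the statement; here it is stored verbatim.
    amount = "50'; --"
    account_id = 1
    query, data = q(
        "UPDATE account SET amount = {amount} WHERE id = {account_id};",
        {"amount": amount, "account_id": account_id},
        marker="?",
    )
    cur.execute(query, data)
    con.commit()
    return cur.execute("SELECT id, amount FROM account ORDER BY id").fetchall()


if __name__ == "__main__":
    print(q("UPDATE account SET amount = {amount} WHERE id = {id};",
            {"amount": 5, "id": 7}))
    print(demo())
```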