Use prepared statements for SQL Delete commands (#17)

database.py

@@ -31,14 +31,14 @@ def verify(id, pw):
 def delete_user_from_db(id):
     _conn = sqlite3.connect(user_db_file_location)
     _c = _conn.cursor()
-    _c.execute("DELETE FROM users WHERE id = '" + id + "';")
+    _c.execute("DELETE FROM users WHERE id = ?;", (id))
     _conn.commit()
     _conn.close()
 
     # when we delete a user FROM database USERS, we also need to delete all his or her notes data FROM database NOTES
     _conn = sqlite3.connect(note_db_file_location)
     _c = _conn.cursor()
-    _c.execute("DELETE FROM notes WHERE user = '" + id + "';")
+    _c.execute("DELETE FROM notes WHERE user = ?;", (id))
     _conn.commit()
     _conn.close()
 
@@ -47,7 +47,7 @@ def delete_user_from_db(id):
     # [2] delete all his or her images records FROM database IMAGES
     _conn = sqlite3.connect(image_db_file_location)
     _c = _conn.cursor()
-    _c.execute("DELETE FROM images WHERE owner = '" + id + "';")
+    _c.execute("DELETE FROM images WHERE owner = ?;", (id))
     _conn.commit()
     _conn.close()
 
@@ -101,8 +101,7 @@ def delete_note_from_db(note_id):
     _conn = sqlite3.connect(note_db_file_location)
     _c = _conn.cursor()
 
-    command = "DELETE FROM notes WHERE note_id = '" + note_id + "';" 
+    _c.execute("DELETE FROM notes WHERE note_id = ?;", (note_id))
-    _c.execute(command)
 
     _conn.commit()
     _conn.close()
@@ -147,8 +146,7 @@ def delete_image_from_db(image_uid):
     _conn = sqlite3.connect(image_db_file_location)
     _c = _conn.cursor()
 
-    command = "DELETE FROM images WHERE uid = '" + image_uid + "';" 
+    _c.execute("DELETE FROM images WHERE uid = ?;", (image_uid))
-    _c.execute(command)
 
     _conn.commit()
     _conn.close()