Hey there, sorry you've been stuck on this for two days—let's get this sorted out quickly!

What's Causing the Error? #

The problem boils down to two key issues with how you're building your SQL query:

1. Incomplete SQL Statement: If delete_box.get() returns an empty string (like when the user clicks the edit button without typing an ID), your query becomes SELECT * FROM addresses WHERE oid = —this is obviously incomplete, hence the incomplete input error.
2. Unsafe String Concatenation: Directly splicing user input into SQL statements is a major security risk (it opens you up to SQL injection attacks) and prone to syntax errors even when input is valid.

The Fix: Parameterized Queries + Input Validation #

Here's how to rewrite your edit() function to fix both issues:

from tkinter import messagebox  # Make sure to import this at the top of your file

def edit():
    global editor
    editor = Toplevel()
    editor.title("Edit A Record")
    editor.iconbitmap(r"C:\Users\StePHAnie\Desktop\Python course (learning python)\Tkinter full course in python\icon.ico")
    editor.geometry("360x550")

    # Step 1: Validate user input first
    record_id = delete_box.get().strip()
    if not record_id:
        messagebox.showerror("Input Error", "Please enter a valid record ID!")
        editor.destroy()
        return
    
    # Ensure the ID is an integer (since oid is typically an integer in SQLite)
    try:
        record_id = int(record_id)
    except ValueError:
        messagebox.showerror("Input Error", "Record ID must be a whole number!")
        editor.destroy()
        return

    # Step 2: Use parameterized queries instead of string concatenation
    conn = sqlite3.connect("address_book.db")
    c = conn.cursor()

    # The ? is a placeholder—sqlite3 handles escaping and formatting safely
    c.execute("SELECT * FROM addresses WHERE oid = ?", (record_id,))
    records = c.fetchall()

    # Add your code here to populate the editor window with the fetched records
    # ...

    # Don't forget to close the connection when you're done
    conn.close()

Why This Works: #

• Input Validation: We check that the user actually entered something, and that it's a valid integer (matching SQLite's default oid type). This prevents empty or invalid input from breaking your query.
• Parameterized Queries: Using ? as a placeholder tells sqlite3 to properly format the input for SQL. No more incomplete queries, and no risk of SQL injection—this is the industry-standard way to run dynamic SQL queries.

If your oid column isn't an integer (uncommon, but possible), you can skip the int() conversion step—just keep using the parameterized query format, and sqlite3 will handle the type correctly.

内容的提问来源于stack exchange，提问作者Huzaifa suhail