Let’s make our app add items to the database. We’ll start with the back-end.

In inventory.py, add this simple function to run an INSERT statement against the external database:

def insert_item(name, quantity):
    # conn is the psycopg2 connection opened earlier in inventory.py (assumed here)
    with conn.cursor() as cur:
        # %s placeholders are bound by psycopg2, never formatted into the SQL text
        cur.execute(
            "INSERT INTO inventory (item_name, quantity) VALUES (%s, %s);",
            [name, quantity])
    conn.commit()

Why don’t we just use Python format strings to insert the values?

Psycopg2’s cursor.execute method lets you pass the values separately from the SQL text: the %s placeholders are filled in by the driver, which quotes and escapes each value, so user input is only ever treated as data and never parsed as SQL. That prevents users from taking over our database by smuggling SQL statements in as values.

Read more in the Psycopg2 docs.
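As an added example (not from the tutorial) contrasting the two approaches, the snippet below uses Python’s built-in sqlite3 as a stand-in for psycopg2 so it runs without a Postgres server; sqlite3 writes its placeholders as ? where psycopg2 uses %s, and the table schema is constructed to match the tutorial’s inventory table.

```python
import sqlite3

# Constructed schema matching the tutorial's inventory table (assumed column types).
SCHEMA = "CREATE TABLE inventory (item_name TEXT, quantity INTEGER)"

def insert_item_unsafe(conn, name, quantity):
    # The value is pasted into the SQL text, so the database parses it as SQL.
    conn.execute(
        f"INSERT INTO inventory (item_name, quantity) VALUES ('{name}', {quantity})")

def insert_item(conn, name, quantity):
    # The value is bound by the driver; it can only ever be data.
    conn.execute(
        "INSERT INTO inventory (item_name, quantity) VALUES (?, ?)", [name, quantity])

def stored_names(conn):
    return [row[0] for row in
            conn.execute("SELECT item_name FROM inventory ORDER BY rowid")]

def demo(name="O'Reilly's widget"):
    """Return (unsafe_error, safe_names): the error class the format-string
    version raises for a name containing an apostrophe, and what the
    parameterised version stored for the very same input."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_item_unsafe(conn, name, 3)
        unsafe_error = None
    except sqlite3.Error as exc:
        # The apostrophe ended the string literal early: the name was run as SQL.
        unsafe_error = type(exc).__name__
    insert_item(conn, name, 3)
    return unsafe_error, stored_names(conn)

if __name__ == "__main__":
    print(demo())
```

An apostrophe is the innocent case; the same parsing that breaks on it is what lets hostile input run as SQL, and the bound version stores any string verbatim.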