Python Forum
Better Understanding of Security and injection attacks SQLite
#1
From Sebastian Raschka's excellent document A thorough guide to SQLite database operations in Python.

I would like to better understand the risk from injection attacks and have laid out several questions.
If you can assist by answering only one of these, don't hold back from posting a reply.


Quote:For example, if our database would be part of a web application, it would allow hackers to directly communicate with the database in order to bypass login and password verification and steal data.
In order to prevent this, it is recommended to use ? place holders in the SQLite commands instead of the % formatting expression or the .format() method, which we have been using in this tutorial.
For example, instead of using

Quote:However, the problem with this approach is that it would only work for values, not for column or table names. So what are we supposed to do with the rest of the string if we want to protect ourselves from injection attacks? The easy solution would be to refrain from using variables in SQLite queries whenever possible, and if it cannot be avoided, we would want to use a function that strips all non-alphanumerical characters from the stored content of the variable, e.g.,

def clean_name(some_var):
    # keep only letters and digits from the variable's content
    return ''.join(char for char in some_var if char.isalnum())



Do hackers use a password / login entry widget to inject a hacking script?

Do hackers use any entry widgets in GUI screens to inject hacking scripts?

With regard to table names and column names, I'm not clear on the recommendation given above.

For example, if I have a table named 'CarTypes_01' and columns 'ColManuf_01' and 'ColLocn_02', how do I protect these in queries?

Do hackers get to see the design structure of the database and is this the main risk?

Can I make SQLite 100% secure against such attempted hacks?
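The two points the quoted guide makes, that ? placeholders stop a value from becoming SQL and that they cannot be used for table or column names, shown as an added worked example. This is my own code, not from the original post or from Sebastian Raschka's guide; the in-memory database, the users table, the row in CarTypes_01 and the ALLOWED_COLUMNS allow-list are constructed for the example. Note that the guide's clean_name() strips underscores too, so it turns 'CarTypes_01' into 'CarTypes01'; the allow-list shown at the end is my suggested alternative for identifiers, not something the guide recommends.

```python
import sqlite3

# Constructed sample data (not from the original post): an in-memory SQLite
# database with a login table and the poster's CarTypes_01 table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE CarTypes_01 (ColManuf_01 TEXT, ColLocn_02 TEXT)")
    conn.execute("INSERT INTO CarTypes_01 VALUES ('Toyota', 'Nagoya')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """% formatting: the user's text is pasted INTO the SQL statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """? placeholders: values are bound separately and never become SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def placeholder_for_table_fails(conn):
    """Placeholders only work for values; SQLite rejects one in a table position."""
    try:
        conn.execute("SELECT COUNT(*) FROM ?", ("users",))
    except sqlite3.OperationalError:
        return True
    return False


def clean_name(some_var):
    """The stripping function from the quoted guide, repeated here for comparison."""
    return ''.join(char for char in some_var if char.isalnum())


# Allow-list approach for identifiers (my suggestion, not from the guide):
# the application knows its own schema, so accept only names it defined itself.
ALLOWED_COLUMNS = {"CarTypes_01": {"ColManuf_01", "ColLocn_02"}}


def select_column(conn, table, column):
    if column not in ALLOWED_COLUMNS.get(table, set()):
        raise ValueError("identifier not in allow-list: %r.%r" % (table, column))
    # Names now come from our own constants; double-quote them as SQLite identifiers.
    return conn.execute('SELECT "%s" FROM "%s"' % (column, table)).fetchall()


def run_demo():
    """Return the outcomes in a dict so they can be checked rather than only printed."""
    conn = make_db()
    payload = "' OR '1'='1"          # classic login-bypass text typed into a password box
    results = {
        "vulnerable_bypassed": login_vulnerable(conn, "nobody", payload),
        "safe_bypassed": login_safe(conn, "nobody", payload),
        "safe_real_login": login_safe(conn, "alice", "s3cret"),
        "placeholder_rejected_for_table": placeholder_for_table_fails(conn),
        "clean_name_of_real_table": clean_name("CarTypes_01"),   # underscore is lost
        "allowlisted_query": select_column(conn, "CarTypes_01", "ColManuf_01"),
    }
    try:
        select_column(conn, "CarTypes_01; DROP TABLE users", "ColManuf_01")
        results["hostile_table_rejected"] = False
    except ValueError:
        results["hostile_table_rejected"] = True
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-32s %r" % (name, value))
```

Running it shows the formatted query letting "nobody" log in with the payload as the password, the placeholder version refusing it, SQLite raising a syntax error when a ? stands where a table name should be, and the allow-list rejecting a hostile table name while the guide's clean_name() quietly rewrites a legitimate one.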


Messages In This Thread
Better Understanding of Security and injection attacks SQLite - by KevinBrown - Apr-04-2019, 11:25 AM