Parameter markers can be used only for expressions, i.e., values.
You cannot use them for identifiers like table and column names.
Use this:
cur.execute("SELECT "+column+" FROM Data where "+goal+"=?", (constrain,))
or this:
cur.execute("SELECT %s FROM Data where %s=?" % (column, goal), (constrain,))
(And don’t commit before you have actually finished accessing the data.)