# dbApps09 DIY Task: Secure a Database Application

**Course:** Database Applications Development (145085)  
**Institution:** Medina County Career Center  
**Topic:** SQL Injection Prevention & Database Transactions  

---

## Overview

In this independent assessment, you will design and build a **secure database application** from scratch. Your goal is to demonstrate mastery of:

- **Safe SQL**: Parameterized queries to prevent SQL injection
- **Transactions**: ACID properties and transaction control (BEGIN, COMMIT, ROLLBACK)
- **Data Integrity**: Constraints, primary keys, foreign keys
- **Security Mindset**: Protecting against common database vulnerabilities

You will build a mini-application for an **online store** with two tables: `users` and `orders`.

## Setup

Import required libraries and create a new database connection.

In [None]:
import sqlite3
import pandas as pd

# Create a connection to the secure_app.db database
# If the database doesn't exist, sqlite3 will create it automatically
conn = sqlite3.connect("secure_app.db")
cursor = conn.cursor()

print("Database connection established.")

---

## TASK 1: Database Design

**Objective:** Create a 2-table database schema for an online store.

**Requirements:**
- Define a `users` table with columns: id (PK), username (UNIQUE, NOT NULL), email (UNIQUE, NOT NULL), created_at
- Define an `orders` table with columns: id (PK), user_id (FK), product_name (NOT NULL), quantity (NOT NULL, >0), price (NOT NULL, >0), order_date
- Use appropriate data types and constraints
- Drop existing tables if they exist (for testing purposes)

**Write your SQL CREATE TABLE statements below:**

In [None]:
# Drop existing tables to start fresh (useful for testing)
# In production, you would use migration tools instead of DROP
try:
    cursor.execute("DROP TABLE IF EXISTS orders")
    cursor.execute("DROP TABLE IF EXISTS users")
    conn.commit()
except Exception as e:
    print(f"Error dropping tables: {e}")

# TASK 1: Write your CREATE TABLE statements here
# Create the users table
create_users_table = """
CREATE TABLE users (
    -- YOUR CODE HERE
)
"""

# Create the orders table
create_orders_table = """
CREATE TABLE orders (
    -- YOUR CODE HERE
)
"""

# Execute the CREATE TABLE statements
# cursor.execute(create_users_table)
# cursor.execute(create_orders_table)
# conn.commit()
# print("Tables created successfully.")

---

## TASK 2: Populate the Database

**Objective:** Insert at least 5 records into each table using **PARAMETERIZED queries** (NOT string concatenation).

**Why Parameterized Queries?**
- They separate SQL code from user data
- They prevent SQL injection attacks
- In sqlite3, use the `?` placeholder and pass values as a tuple

**Example of SAFE insertion:**
```python
cursor.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
```

**AVOID (DANGEROUS):**
```python
cursor.execute(f"INSERT INTO users VALUES ('{username}', '{email}')")
```

**Write your parameterized INSERT statements below:**

In [None]:
# TASK 2: Insert at least 5 users using parameterized queries
# Example data for an online store scenario

# List of user data: (username, email)
users_data = [
    # YOUR CODE HERE
]

# Insert users using parameterized queries
# for username, email in users_data:
#     cursor.execute("INSERT INTO users (username, email, created_at) VALUES (?, ?, datetime('now'))", 
#                    (username, email))

# TASK 2 (continued): Insert at least 5 orders
# List of order data: (user_id, product_name, quantity, price)
orders_data = [
    # YOUR CODE HERE
]

# Insert orders using parameterized queries
# for user_id, product_name, quantity, price in orders_data:
#     cursor.execute(
#         "INSERT INTO orders (user_id, product_name, quantity, price, order_date) VALUES (?, ?, ?, ?, datetime('now'))",
#         (user_id, product_name, quantity, price)
#     )

# conn.commit()
# print("Data inserted successfully.")

---

## TASK 3: Safe Search Query

**Objective:** Write a parameterized SELECT query that searches for a user by username.

**Requirements:**
- Accept a user-provided username as input
- Use parameterized query (?) to prevent SQL injection
- Return user details (id, username, email, created_at)

**Example parameterized SELECT:**
```python
cursor.execute("SELECT * FROM users WHERE username = ?", (search_username,))
```

**Write your safe search function below:**

In [None]:
# TASK 3: Write a safe search function

def search_user_by_username(username):
    """
    Search for a user by username using a PARAMETERIZED query.
    
    Args:
        username (str): The username to search for
    
    Returns:
        pandas DataFrame with user information, or empty DataFrame if not found
    """
    # YOUR CODE HERE
    # cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
    # result = cursor.fetchall()
    # return result
    pass

# Test the search function with a sample username
# result = search_user_by_username("alice")
# print(f"Search results: {result}")

---

## TASK 4: Safe Insert Query

**Objective:** Write a parameterized INSERT query to add a new user.

**Requirements:**
- Accept user-provided data (username, email)
- Use parameterized query to prevent SQL injection
- Include error handling for duplicate usernames/emails
- Commit the transaction

**Write your safe insert function below:**

In [None]:
# TASK 4: Write a safe insert function

def add_new_user(username, email):
    """
    Add a new user to the database using a PARAMETERIZED query.
    
    Args:
        username (str): The new username
        email (str): The new email address
    
    Returns:
        Boolean: True if successful, False otherwise
    """
    # YOUR CODE HERE
    # Remember to use parameterized queries with ?
    # Remember to commit() after insert
    pass

# Test the insert function
# success = add_new_user("testuser", "testuser@example.com")
# print(f"Insert successful: {success}")

---

## TASK 5: Safe Update Query

**Objective:** Write a parameterized UPDATE query to modify a user's email.

**Requirements:**
- Accept user id and new email as parameters
- Use parameterized query to prevent SQL injection
- Commit the transaction
- Test by updating a user's email and verifying the change

**Write your safe update function below:**

In [None]:
# TASK 5: Write a safe update function

def update_user_email(user_id, new_email):
    """
    Update a user's email using a PARAMETERIZED query.
    
    Args:
        user_id (int): The ID of the user to update
        new_email (str): The new email address
    
    Returns:
        Boolean: True if successful, False otherwise
    """
    # YOUR CODE HERE
    # Remember to use parameterized queries with ?
    # Remember to commit() after update
    pass

# Test the update function
# Before update: fetch the user
# update_user_email(1, "newemail@example.com")
# After update: fetch the user again to verify
# cursor.execute("SELECT * FROM users WHERE id = ?", (1,))
# print("Updated user:", cursor.fetchone())

---

## TASK 6: Transaction with Multiple Operations

**Objective:** Write a transaction that performs multiple related database operations.

**Scenario:** When a user places an order, you must:
1. Insert a new order record into the `orders` table
2. Update user's purchase count (add a column to users table if needed)

**Transaction Syntax:**
```python
cursor.execute("BEGIN")
# Perform multiple operations
cursor.execute("INSERT ...")
cursor.execute("UPDATE ...")
conn.commit()  # Commit all changes together
```

**Why use transactions?**
- Ensures atomicity: all operations succeed or all fail together
- Prevents partial updates that leave data inconsistent

**Write your transaction function below:**

In [None]:
# TASK 6: Write a transaction that places an order

def place_order(user_id, product_name, quantity, price):
    """
    Place an order for a user (TRANSACTION example).
    
    This function demonstrates a transaction by:
    1. Inserting a new order record
    2. Potentially updating user information (e.g., order count)
    
    Args:
        user_id (int): The ID of the user placing the order
        product_name (str): Name of the product
        quantity (int): Quantity ordered
        price (float): Price per unit
    
    Returns:
        Boolean: True if transaction successful, False otherwise
    """
    # YOUR CODE HERE
    # Start with cursor.execute("BEGIN")
    # Perform multiple INSERT/UPDATE operations
    # End with conn.commit()
    pass

# Test the transaction
# success = place_order(1, "Laptop", 1, 999.99)
# print(f"Order placed: {success}")

---

## TASK 7: Rollback Demonstration

**Objective:** Demonstrate transaction rollback by:
1. Starting a transaction
2. Making a change (INSERT or UPDATE)
3. Rolling back the transaction
4. Verifying that the data was NOT changed

**Rollback Syntax:**
```python
cursor.execute("BEGIN")
cursor.execute("INSERT ...")
conn.rollback()  # Undo all changes since BEGIN
```

**Why rollback?**
- If an error occurs mid-transaction, rollback ensures no partial changes are saved
- Maintains data consistency

**Write your rollback demonstration below:**

In [None]:
# TASK 7: Demonstrate transaction rollback

print("=== ROLLBACK DEMONSTRATION ===")
print()

# Step 1: Count the current number of users
# cursor.execute("SELECT COUNT(*) FROM users")
# count_before = cursor.fetchone()[0]
# print(f"Users before transaction: {count_before}")
# print()

# Step 2: Start a transaction and try to insert a user
# cursor.execute("BEGIN")
# cursor.execute("INSERT INTO users (username, email, created_at) VALUES (?, ?, datetime('now'))",
#                ("rollback_test", "rollback@test.com"))
# print("User inserted (not yet committed)")
# print()

# Step 3: Verify the insertion happened (before rollback)
# cursor.execute("SELECT COUNT(*) FROM users")
# count_after_insert = cursor.fetchone()[0]
# print(f"Users after INSERT (before rollback): {count_after_insert}")
# print()

# Step 4: Rollback the transaction
# conn.rollback()
# print("Transaction ROLLED BACK")
# print()

# Step 5: Verify the rollback worked (user count should be back to original)
# cursor.execute("SELECT COUNT(*) FROM users")
# count_after_rollback = cursor.fetchone()[0]
# print(f"Users after rollback: {count_after_rollback}")
# print()
# print(f"Rollback successful: {count_after_rollback == count_before}")

---

## TASK 8: Security Reflection (Markdown)

**Objective:** Answer the following questions in markdown below to demonstrate understanding of database security concepts.

**Answer the following questions:**

### Question 1: SQL Injection and Parameterized Queries
What is SQL injection and how do parameterized queries prevent it?

*Your answer here*

---

### Question 2: ACID Properties
What are ACID properties and why do they matter in database transactions?

*Your answer here*

---

### Question 3: Data Protection Laws
Name one data protection law (e.g., GDPR, CCPA) and explain how it affects database developers.

*Your answer here*

---

### Question 4: Principle of Least Privilege
What is the principle of least privilege, and how should it be applied in database security?

*Your answer here*