# Using SQL with Python

IDBS 2025 Fall

Omar Shahbaz Khan

## ODBC

When working with a database in any language it is often done through an ODBC driver and a package / library to use its API.

Open Database Connecitivity ensures that whichever underlying database vendor you are using, the API remains the same.

Making it a database and language agnostic API.

This is great for businesses and programmers as it doesn't bind us to one database platform. 

Although, sometimes companies do prefer more specialized libraries for a database to make full use of all its specialized functionalities.

#### ODBC in Python

In Python, the most common packages/modules for databases is `pyodbc` and `sqlalchemy`.

Alternatively, we can also use specialized packages for databases such as `duckdb`, `psycopg` (Postgres), `snowflake`, `sqlite3`, etc.

Fortunately, these specialized packages also conform to the ODBC API, so in case you need to migrate from one to another, you can keep most of the code as is.

But be wary and check their documentation before choosing.

For instance while I prefer using `psycopg` when working with Postgres databases, it only recently added support for the common SQL variable placeholder using `$1, $2, ...`.

In this course we will be using the `duckdb` package, since it is easy to install and use, and follows the ODBC API. 

To install the package:

```bash
python -m pip install --user duckdb
```

After this you should be able to import the package as below. 

In [1]:
import duckdb

## Fundamentals

This section covers basics of Python that should enable you to work with the language, and more specifically using it to work with SQL databases.

If you are already familiar with Python, skim through it or skip ahead to the Working with DuckDB section.

### Jupyter Notebook

There are many ways to work with Python.

Full on project structures, simple scripts, from the terminal (`ipython`), or with notebooks.

Jupyter Notebooks are easy to work with and allow you to add text blocks (markdown), or code blocks.

Great for note taking with code, and to write examples for how to run a project / library etc.

You can get the Jupyter Notebook extension on VS Code.

Download this notebook from learnIT to play around with the code yourself.

### Hello, World!

Let's start by creating our first python script.

Create a file called `my_script.py` and add the following lines of code:

In [61]:
print("Hello, World!")
str_value: str = "Hello, World! (String)"
print(str_value)

str_value = 42
print(str_value)

Hello, World!
Hello, World! (String)
42


To run the script open a terminal in the folder where the file is and run the command `python my_script.py`

The first line simply prints "Hello, World!".

The second line assigns the string "Hello, World! (String)" to the variable `str_value`, and the third line prints the variable.

The following two lines reassigns `str_value` to the integer 42 and prints it.

If you are used to type safe languages such as Java, C, C++, this may seem confusing.

In those type safe languages, values are defined with types and remain that type for the duration of the program / scope.

Python is **not type safe**. To check if a variable is an instance of a specific type we can use the `isinstance()` function.

In [62]:
# Check type of str_value
print(isinstance(str_value, str))
print(isinstance(str_value, int))

False
True


### Functions

Functions or methods in Python are fairly straightforward.

```python
def <function_name>(<arguments>):
    # Do somethingâ€¦ (# is used to make comments, similar to //)
    return 42 # If no return statement it returns None
```

Note that as Python is not a pure Object Oriented Programming language such as Java, nothing requires to be in classes to run.

If a function is defined in my script, I can call it. 

One caviat with this is that the call to the function or variable has to be below its definitions since Python is run time interpreted, 
meaning that it executes code in a script line-by-line from top to bottom.

Notebooks can avoid this since everything depends on the cells you execute during the session.

Below we have two functions, one that simply prints "Hello, World!" and one that prints it with a prefix, supplied by the functions argument.

Note how none of the hints are enforced by the second function from the function calls below.


In [63]:
def hello_world():
    print('Hello, World!')

# -> None is a return hint, but as you can see it is not enforced 
# since it returns an integer
def hello_world_with_args(prefix: str) -> None:
    print(f"{prefix}: Hello, World!")
    return 42


In [64]:
hello_world() 
hello_world_with_args("Greeting")
# Even though prefix has a type hint ': str' 
# you can call it with other types as well
hello_world_with_args(1.0)
hello_world_with_args([1, 2, 3])

Hello, World!
Greeting: Hello, World!
1.0: Hello, World!
[1, 2, 3]: Hello, World!


42

You may have noticed by now if your coming from Java, that there is no such things as semi-colon's (`;`) to end an expression or curly brackets (`{}`) to set the scope for a block of code.

Instead in Python new lines indicates end of an expression, unless there is an open parentheses, line-break indicator `\`, or triple quote paragraph indicator `"""`.

As for functions, classes, and if statements, to indicate the code that belongs to them is indented below them after a colon `:`.

The most common error for beginner programmers in Python is `IndentationError` for a reason.

Don't worry you get good at it the more you use it and syntax checkers fortunately catch these, but logical error can still pop up now and then if you went out of scope (decrease indent level) too early.

### Importing Packages

A big part of programming in Python is getting used to importing packages or files.

You can either import the entire module or specific function, classes, or variables from them.

Here we are importing the `datetime` class from the `datetime` module:

In [65]:
# Importing the datetime class from the datetime module
from datetime import datetime

print(datetime.now().isoformat())

2025-10-25T20:07:46.177854


Try adding the following function in your `my_script.py` file

```python
def add(a, b):
    return a + b
```

We can now import this function either by importing the entire script, ```import my_script as ms```, or only the function using the same approach as above.

In [66]:
# Import the newly added function from my_script.py
from my_script import add

add(2, 3)

5

Any `.py` file can be imported into another.

When a package/file is imported it is essentially run from top to bottom.

This does mean if you have code in the global scope, not in a function or class etc., it will be run if it is above the imported part.

For instance, if you added the function below the previous print statements, when the import statement is run it will execute these statements.

To avoid this from happening when importing you can add the following `if`-clause: `if __name__ == "__main__":`, and move all the print statements below it (indented of course) 

I leave it up to you to play around with this.


### Strings with variables

A core part of working with databases from another language requires string manipulation / building to write the perfect query strings for the task.

Let's go over some of the ways we can use variables with strings in python.

We will use two variable `count = 10` and `source = "Steam"` for this part.

In [67]:
count = 10
source = "Steam"

The most basic way to build a string with variables is to use `+` concatenation.

This is tried and tested and works in most programming languages.

Note that we have to cast `count` to a `string` when using this method. 

In [68]:
# Regular concatenation using +
cmb_str = "Shopping cart has " + str(count) + " items"
print(cmb_str)
cmb_str = "Shopping cart has " + str(count) + " items from " + source
print(cmb_str)

Shopping cart has 10 items
Shopping cart has 10 items from Steam


A more pythonic way of workign with strings is to use string replacement.

String replacement allows us to specify where we want a variable to be in the string.

This also comes with the added benefit of autocasting to string if it expects a string, but can also ensure that the variables are of a speicific primitive type.

The placeholders in the strings are the following:
```python
"%s" # String
"%d" # Integer 
"%f" # Float 
"%.2f" # Float rounded to 2 decimals (can be any specified length)
"%x" # Hex
```

For most cases `"%s"` is used.

The way it works is quite simple, create a string with placeholders and attach a variable, tuple, or dictionary for the replacements.

In [69]:
# Using string replacement with %s, %d (int), %f (float), %x (hex) etc.
cmb_str = "Shopping cart has %d items" % count
print(cmb_str)

# Automatic conversion to string for count
cmb_str = "Shopping cart has %s items from %s" % (count, source)
print(cmb_str)

# Named placeholders for repeated use. 
# The \ indicates a line break in the statement, 
# so it knows the next line is part of the statement
cmb_str = "Shopping cart has %(cnt)d items from %(src)s. " \
          "It was exactly %(cnt)s items." \
          % { 'cnt': count, 'src': source } 
print(cmb_str)

Shopping cart has 10 items
Shopping cart has 10 items from Steam
Shopping cart has 10 items from Steam. It was exactly 10 items.


The last method I want to go over is formatted string literals or f-strings.

This method allows us to add or variables inside the string using curly brackets e.g. `{count}`.

To use this approach we add an `f` before the starting quote and that's it.

I prefer to use this approach most often, unless I have to repeat a variable multiple times to which I go to the placeholder with dictionary method.

In [70]:
# Using formatted string literals
cmb_str = f"Shopping cart has {count}"
print(cmb_str)
cmb_str = f"Shopping cart has {count} items from {source}"
print(cmb_str)

Shopping cart has 10
Shopping cart has 10 items from Steam


### Lists and Dictionaries

In Python specialized syntax can be somewhat confusing for newcomers when it comes to lists and dictionaries.

A list in Python is similar to an ArrayList from Java. It can be created in many ways.

Below is an example showing how to initialize a list with three integers, and using the `append()` function to add a fourth integer.

In [71]:
int_list = [1, 2, 3]
print(int_list)

int_list.append(4)
print(int_list)

[1, 2, 3]
[1, 2, 3, 4]


Similar to everything else in Python, the list is not type safe.

We can add whatever types we want. 

I hope this goes without saying, but having lists with various types in them is really bad practice and should be avoided.

In [72]:
int_list.append('what')
print(int_list)

[1, 2, 3, 4, 'what']


Another way to create lists that you will likely come across is list comprehension for creating lists from containers or ranges in a single line.

An example is the best way to understand this.

In [73]:
# List with integers 0-9
for_list = []
for i in range(10):
    for_list.append(i)
print(for_list)

# THREE LINES OF CODE, OH NO!

# Using list comprehension
for_list = [ i for i in range(10) ]
print(for_list)

# Useful also with containers
# A list of tuples (int, string, int) -> (id, name, price)
tuple_list = [(1, 'latte', 20), (2, 'espresso', 15), (3, 'americano', 10)]
print(tuple_list)

price_list = [ t[2] for t in tuple_list ]
print(price_list)

[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
[(1, 'latte', 20), (2, 'espresso', 15), (3, 'americano', 10)]
[20, 15, 10]


Dictionaries in Python are simply key-value stores.

Where the key and value can be of any type (again no type safety) 

In [74]:
dict_example = {}
dict_example['a_key'] = [2, 4]
dict_example[3] = 'key can have another type'

print(dict_example)

{'a_key': [2, 4], 3: 'key can have another type'}


In [75]:
# Create dictionary with multiple keys and values at once:
dict_example = {
    'a_key': [2,4],
    3: 'key can have another type'
}

# Print 4 from 'a_key'
print(dict_example['a_key'][1])

4


## Working with DuckDB

This part goes over how we can connect with DuckDB and perform SQL operations.

### Connecting to a database

DuckDB supports connecting to a database file or start an in-memory database session through the `connect()` function which takes a connection string as its argument (compliant with ODBC).

Remember to close the connection once you are done with it, to not result in potential inconsistent states.

In [2]:
# Importing duckdb with an alias db for the next few examples
import duckdb as db

In [77]:

# Connect to database file
conn = db.connect("db_file.db")
conn.close()

In [78]:
# Connect to in-memory database
conn = db.connect(":memory:")
conn.close()
# Does the same
conn = db.connect()
conn.close()

Note that DuckDB supports multiple connections, but they have to be of the same type (regular read-write connection, or read only connection).

Furthermore, a connection object is not thread safe in Python so in a multithreaded scenario it is best to use a connection per thread instead of sharing the same connection, or use cursors (more on this in a bit).

To start a read only connection you just specify the read_only argument with True.

In [79]:
conn1 = db.connect("db_file.db", read_only=True)
conn2 = db.connect("db_file.db", read_only=True)
conn1.close()
conn2.close()

To ensure a connection is always closed after you are done using it or an error occurs, we can use a `try-except-finally` block (similar to `try-catch-finally` in Java).

In [80]:
conn = None
try:
    conn = db.connect("db_file.db")
    # Do database operations here
except Exception as e:
    print(f"An error occurred: {e}")
finally:
    if conn is not None:
        conn.close()

Another way to do this is to use the `with` context block.

A `with` context block is a scoped block for a variable, meaning that once you exit the block it will call the variables underlying destructor which in case of database connections is their close() function.

In [3]:
# Connect using a with context block
# db.connect("db_file.db") is assigned to conn
with db.connect("db_file.db") as conn:
    # Run stuff here
    print(f"Running stuff with {conn.execute("SELECT 'hi'").fetchone()[0]}")
# conn.close() is automatically called here

Running stuff with hi


### Running SQL statements using with context block

Now that we know how to connect to a database in duckdb and properly close it, let's start running some SQL.

In the ODBC API there are two functions that are used for runing SQL queries, `execute()` and `sql()`.

They do the same thing, however, `execute()` is better suited for queries with variables.

I prefer to only use `execute()` as to not cause unnecessary confusion, but if you look at online tutorials / documentations you may come across it hence why I mention it here.

Let's start by creating a table and inserting some data.

In [4]:
# Running SQL Statements (with context block)
import duckdb

# I still put this in a try-except block to catch potential errors
try:
    with duckdb.connect(":memory:") as conn:
        # Create a table
        conn.execute(
            # Triple quotes allow multi-line strings
            """
            create table superhero (
                id int primary key, 
                name string not null
            )
            """
        )
        # Insert data
        conn.execute(
            """
            insert into superhero values 
            (1, 'Superman'), (2, 'Batman'), (3, 'Wonder Woman'), (4, 'Spider-Man')
            """
        )
except duckdb.Error as e:
    print(e)

In [83]:
# Running SQL Statements (try-except-finally)
import duckdb

conn = None
try:
    # Create connection
    conn = duckdb.connect(":memory:")
    # Craete a table
    conn.execute(
        # Triple quotes allow multi-line strings
        """
        create table superhero (
            id int primary key, 
            name string not null
        )
        """
    )
    # Insert data
    conn.execute(
        """
        insert into superhero values 
        (1, 'Superman'), (2, 'Batman'), (3, 'Wonder Woman'), (4, 'Spider-Man')
        """
    )
except duckdb.Error as e:
    print(e)
finally:
    if conn is not None:
        conn.close()


As you can see once you are inside the execute function, all you need to do is write a regular SQL statement and that's it.

You can now run SQL with Python. :D

Well we still need to read data from tables to be profecient.

### Querying the DB

To run a query to fetch data from a table, is hopefully somewhat clear to you from the previous section.

Yes, we do use `execute()` with a query string again! :)

However, the results of a query are not returned when execute is called.

Instead they are stored within the connections context / state (if the query is called using the connection object, more on this in a moment).

To get the resulting rows out of the context / state we can use the following functions: `fetchone()`, `fetchmany(n)`, and `fetchall()`

Their names are pretty self explanatory, aside from these `duckdb` has some specialized output choices such as `fetchdf()` which returns a `pandas` dataframe (good for smaller scale analytical processing in python)

`fetchone()` returns a single tuple, from which you can get extract indiviual values by selecting the output column's index (0-based). And in case you forgot, columns are specified in the `SELECT` clause.
`fetchmany()` and `fetchall()` return a list of tuples, where each tuple represts a row.


Let's return our focus to the database we created with the superhero table and select all the rows from it.

In [84]:
# Print names of superheroes
try:
    with duckdb.connect(":memory:") as conn:
        conn.execute('select name from superhero') # Stores query in conn
        # Loop through results which are row tuples 
        # As in ('Superman',); ('Batman',); ('Wonder Woman',); ('Spider-Man',)
        for n in conn.fetchall():
            print(f'Name: {n[0]}')
except duckdb.Error as e:
    print(e)

Catalog Error: Table with name superhero does not exist!
Did you mean "pg_proc"?
LINE 1: select name from superhero
                         ^


Whoops, this did not run. Oh right, we didn't create the tables in a persistent database and only in-memory, therefore it lost all its information when it was closed.

To avoid this we can either make a persistent database or add it inside the previous code block. Going with option 2 here as I don't want to add more unnecessary files to this world.

In [85]:
import duckdb
try:
    with duckdb.connect(":memory:") as conn:
        # Create a table
        conn.execute(
            # Triple quotes allow multi-line strings
            """
            create table superhero (
                id int primary key, 
                name string not null
            )
            """
        )
        # Insert data
        conn.execute(
            """
            insert into superhero values 
            (1, 'Superman'), (2, 'Batman'), (3, 'Wonder Woman'),
            (4, 'Spider-Man')
            """
        )
        conn.execute('select name from superhero') # Stores query in conn
        # Loop through results which are row tuples 
        # As in ('Superman',); ('Batman',); ('Wonder Woman',); ('Spider-Man',)
        for n in conn.fetchall():
            print(f'Name: {n[0]}')
except duckdb.Error as e:
    print(e)

Name: Superman
Name: Batman
Name: Wonder Woman
Name: Spider-Man


### A Little Detour: Set up exercise 6 Coffeeshop database

For the remaining part of this notebook we will be using the coffeeshop database which was used in Exercise 6.

The exercise focuses on the web app shown in Lecture 6. 

You can download the repository containing the Python version of the app from this repository:

github.com/ITU-DASYALab/introdb2025coffeeshop-python

You can use the following command to download it into your folder via the terminal if you have an SSH key attached to GitHub:

```bash
git clone git@github.com:ITU-DASYALab/introdb2025coffeeshop-python.git
```

Otherwise, use the https link or download the project as a zip from the website:
```bash
git clone https://github.com/ITU-DASYALab/introdb2025coffeeshop-python.git
```


The project follows the three tier software architecture with a data layer (database with DuckDB) - business logic layer (Python with FastAPI) - interface (HTML/CSS/JS).

The database consists of the following three tables:

```
User (username, email, password)
Product (productname, price, description)
Purchase (purchasetime, productname, username)
```

Let's start by initializing the database and persisting it into a file `coffee.db`. 

You can use this command in Windows CMD (not Powershell) and Mac/Linux terminal:

```bash
duckdb coffee.db < init.sql
```

You can also use the `.read` command from the `duckdb` interactive command line environment.

Or use the DuckDB UI / DBeaver. 

### Querying with multiple tables

Now that the database is created, let's connect to it in Python and read some of the data from the different tables.

In [8]:
db_add = 'introdb2025coffeeshop-python/coffee.db'

In [2]:
import duckdb

# Connect to the DuckDB file
conn = duckdb.connect("coffee.db")

# List all tables
tables = conn.execute("SHOW TABLES").fetchall()

for t in tables:
    print(t[0])

conn.close()


In [4]:
conn = None
try:
    conn = duckdb.connect('introdb2025coffeeshop-python/coffee.db')

    # Print the first products (fetchone)
    first_coffee = conn.execute("select * from product").fetchone()
    print('first_coffee:', first_coffee)
    # Since the query still has remaining rows the conn object keeps the context stored
    # Print second coffee
    second_coffee = conn.fetchone()
    print('second_coffee:', second_coffee)

    # Print all the users (fetchall)
    all_users = conn.execute("select * from user").fetchall()
    print('all_users:', all_users)

    # Print first two purchases (fetchmany)
    first_2_purchases = conn.execute("select * from purchase").fetchmany(2)
    print('first_2_purchases:', first_2_purchases)
    # Since the query still has remaining rows the conn object keeps the context stored
    # Print the third purchase
    third_purchase = conn.fetchone()
    print('third_purchase:', third_purchase)

    # Print the remaining coffees
    remaining_coffees = conn.fetchall()
    print('remaining_coffees:', remaining_coffees)
    # What is stored in the remaining_coffees variable?
    # Returns [] if there is no rows remaining from last query
    # fetchone() returns None in such cases
except duckdb.Error as e:
    print(e)
finally:
    if conn is not None:
        conn.close()


first_coffee: ('Tea', 20, 'Used for our large collection of delicious teas')
second_coffee: ('Small', 17, 'Espresso, Americano, Cortado, and Cappuccino')
all_users: [('Anna', 'anna@itu.dk', 'test'), ('Martin', 'mhent@itu.dk', 'test'), ('Omar', 'omsh@itu.dk', 'test')]
first_2_purchases: [(datetime.datetime(2025, 9, 11, 9, 55), 'Tea', 'Martin'), (datetime.datetime(2025, 9, 12, 10, 3), 'Small', 'Martin')]
third_purchase: (datetime.datetime(2025, 9, 12, 10, 5), 'Small', 'Omar')
remaining_coffees: [(datetime.datetime(2025, 9, 12, 10, 6), 'Large', 'Omar'), (datetime.datetime(2025, 9, 19, 9, 0), 'Small', 'Martin')]


In [25]:
conn = None
try:
    conn = duckdb.connect('introdb2025coffeeshop-python/coffee.db')

    # Print the first products (fetchone)
    user = conn.execute("select * from purchase").fetchall()
    print('first_coffee:', user)
    
except duckdb.Error as e:
    print(e)
finally:
    if conn is not None:
        conn.close()

first_coffee: [(datetime.datetime(2025, 9, 11, 9, 55), 'Tea', 'Martin'), (datetime.datetime(2025, 9, 12, 10, 3), 'Small', 'Martin'), (datetime.datetime(2025, 9, 12, 10, 5), 'Small', 'Omar'), (datetime.datetime(2025, 9, 12, 10, 6), 'Large', 'Omar'), (datetime.datetime(2025, 9, 19, 9, 0), 'Small', 'Martin')]


So are we only able to run and get results from one query at a time?

That seems quite bad, since many tasks may require intertwining query results.

For instance, you want to use the results from one query to influence another query, but the first query is too large for memory if you use fetchall().

Instead you can use a `while`-loop to process one row at a time with `fetchone()`, and in the loop run the second query.

To be able to do such things and also get the correct results for the above example we can use *cursors*, 
which make a new connection to the database from the existing connection and have their own context.

In [87]:
conn = None
try:
    conn = duckdb.connect('coffee.db')

    with conn.cursor() as coffee_cur: # = conn.cursor()
        # A cursor is an object that can run queries and keep its own state
        first_coffee = coffee_cur.execute("select * from product").fetchone()
        print('first_coffee:', first_coffee)
        second_coffee = coffee_cur.fetchone()
        print('second_coffee:', second_coffee)

        all_users = conn.execute("select * from user").fetchall()
        print('all_users:', all_users)

        first_2_purchases = conn.execute("select * from purchase").fetchmany(2)
        print('first_2_purchases:', first_2_purchases)
        third_purchase = conn.fetchone()
        print('third_purchase:', third_purchase)

        remaining_coffees = coffee_cur.fetchall()
        print('remaining_coffees:', remaining_coffees)

    # Remember to close the cursors as well
    # coffee_cur.close()
except duckdb.Error as e:
    print(e)
finally:
    if conn is not None:
        conn.close()


first_coffee: ('Tea', 20, 'Used for our large collection of delicious teas')
second_coffee: ('Small', 17, 'Espresso, Americano, Cortado, and Cappuccino')
all_users: [('Anna', 'anna@itu.dk', 'test'), ('Martin', 'mhent@itu.dk', 'test'), ('Omar', 'omsh@itu.dk', 'test')]
first_2_purchases: [(datetime.datetime(2025, 9, 11, 9, 55), 'Tea', 'Martin'), (datetime.datetime(2025, 9, 12, 10, 3), 'Small', 'Martin')]
third_purchase: (datetime.datetime(2025, 9, 12, 10, 5), 'Small', 'Omar')
remaining_coffees: [('Large', 20, 'Caffee latte, Chai latte, Macha latte, and cocoa'), ('Fancy', 25, 'Iced/dirty versions of Large drinks')]


If you have an applications where multiple users can access functions that will run different queries in multithreaded fashion, using cursors is a great choice.

Another option is to start a new connection to the persistent database in every function, as seen in the functions of `app.py` in the coffeeshop application.

This works well for DuckDB because the cost of opening a connection to an embedded database (DuckDB, SQLite) is minimal. 

If it was to a server database, it would be better to use a pool of connections and in each function work with a cursor instead of directly with a connection.

In exercise 6 you can assume a single user is working with your web application so this is not a big deal.

If you are interested in a little bonus task, try converting it to use a global connection and use cursors in the functions instead. Remember to put the global connection in a try-except-finally block to ensure it is closed gracefully upon exit or crash.

### Login function for the Coffeeshop Web App

Let's look into how we can implement a login function for the web app.

Assume that we are given the following arguments `username` and `password`.

We have to return an access token if there is a matching user in our `User` table.

Essentially, a basic `select-from-where` query with a fetchone() that will either return a row or `None`.

In [5]:
# Important imports for the following code to run
import duckdb
from pydantic import BaseModel
from fastapi import HTTPException

Throughout this entire notebook I have stated that Python is not type safe so we have to validate them ourselves.

Luckily for us, there is already a package in Python that can be used to validate types in a class.

The package is `pydantic`, and by inheriting `BaseModel` when decaring a class it adds a field validator for the type hints.

So the `Login` class below with `username: str` and `password: str` will only accept strings.

In [10]:
# Class with two fields
class Login(BaseModel):
	username: str
	password: str

def login(info: Login):
    try:
        with duckdb.connect(db_add) as conn:
            conn.execute(
                f"""
                select *
                from user
                where username = '{info.username}' and password = '{info.password}'
                """
            ) 
            user = conn.fetchone()
            if user is not None:
                return {'access_token': user[0], 'token_type': 'bearer'}
            else:
                return {}
    except duckdb.Error as e:
        print(e)
        return HTTPException(400, detail=e)

Now let's try to check if the function works.

In [11]:
login(info=Login(username="Martin", password='test'))

{'access_token': 'Martin', 'token_type': 'bearer'}

In [12]:
login(info=Login(username="Martin", password='1234'))

{}

Awesome, it correctly returns an access token for Martin when provided the correct password and nothing with the wrong password.

This seems a little too easy, there must be a catch somewhere...

Let me try another type of input.

In [13]:
login(info=Login(username="Martin'; --", password='1234'))

{'access_token': 'Martin', 'token_type': 'bearer'}

Hmm, seems like we are prone to SQL injections.

### SQL Injections

In real world applications we allow user inputs.

These inputs are used as parameters in SQL queries or statements

A SQL injection attempt is when someone modifies the user input to run queries and commands on the database

They're actually quite easy to deal with.

Simply separate the query string and the data it will use.

In other words prepare the query string with placeholders for the parameters

This is what we refer to as Prepared Statements

So the problem with the login functions query was that we were including the variables in the query string, as in doing any of these:

```python
conn.execute(f"select * from user where username = '{info.username}' and password = '{info.password}'")
conn.execute("select * from user where username = " + info.username + " and password = " + info.password)
conn.exectue("select * from user where username = '%s' and password = '%s'" % (info.username, info.password))
conn.execute("select * from user where username = '%(user)s' and password = '%(pass)s'" % {'user': info.username, 'pass': info.password})
```

All of these are prone to SQL injections. To avoid this we can prepare the query either using `?` or `$1, $2, ...` as placeholders.

`execute` takes a second argument which is a list or tuple of values, that will be used to replace the placeholders in the query string.

```python
conn.execute("select * from user where username=? and password=?", [info.username, info.password])
conn.execute("select * from user where username=$1 and password=$2", [info.username, info.password])
```


In [16]:
# Class with two fields
class Login(BaseModel):
	username: str
	password: str

def login(info: Login):
	try:
		with duckdb.connect(db_add) as conn:
			# SQL injection begone
			conn.execute(
				"select * from user where username = ? and password = ?",
				[info.username, info.password]
			)
			if conn.fetchone() is not None:
				return {'access_token': info.username, 'token_type': 'bearer'}
			else:
				return {}
	except duckdb.Error as e:
		print(e)
		return HTTPException(400, detail=e)

In [17]:
login(info=Login(username="Martin'; --", password='1234'))

{}

The last thing to cover is that not every query string that uses some external variable can be prepared.

Notable examples of these are columns used in `ORDER BY`-clauses or `INSERT INTO` statements.

To protect against such cases, we have to add some validation ourselves to ensure the column names or whatever non-preparable SQL part is in fact valid.

In the below `ORDER BY` example, a list of valid columns is being used to validate the sorting column variable `sort_key`.

In [95]:
# Example: Get products ordered by a specified column
with duckdb.connect(db_add) as conn:
    # Sort on this column. Assume this was an argument from the web application calling this code
    sort_key = 'price'
    conn.execute(f"select * from product order by {sort_key}").fetchall()

    # Better to check if sort_key is valid
    valid_columns = ["productname", "price", "description"]

    # If the sort_key is valid, run the query
    if sort_key in valid_columns:
        res = conn.execute(f"select * from product order by {sort_key}").fetchall()
    # Otherwise, use a default sort order
    else:
        res = conn.execute("select * from product order by productname").fetchall()
    print(res)

[('Small', 17, 'Espresso, Americano, Cortado, and Cappuccino'), ('Tea', 20, 'Used for our large collection of delicious teas'), ('Large', 20, 'Caffee latte, Chai latte, Macha latte, and cocoa'), ('Fancy', 25, 'Iced/dirty versions of Large drinks')]



### Exercise 6

With the concepts covered in these slides/notebook/PDF, you should be able to solve Exercise 6

The functions you need to address are in app.py and you can search for `TODO` to quickly navigate to them.

In the beginning of the file are the imports and relevant classes used for inputs in some of the functions.

Specifically, you have to implement the following functions:

* `insert_user(new_user: Registration)`
* `get_user_purchases(session: str)`
* `insert_purchase(purchase: PurchaseRequest)`

To run the application open 2 terminals

* Terminal 1 will be used to start the web page. Go to the web folder and run `python -m http.server 8080`
  * This starts the web app on http://localhost:8080

* Terminal 2 is going to run the Python server (app.py). Use the following command to run it `python app.py`
  * **Note:** When you make a change to app.py, you need rerun this command to see the change