
# Connecting SQL to Python

In [1]:
import pandas as pd

# Markdown

Jupyter Notebooks accepts Markdown, which accepts SQL like syntax

```python
for i in range(10):
    print(i)
```

```mysql
SELECT movie_id,
       international_sales
  FROM movie_info
 WHERE id = 10;
```

# Datasets

In [2]:
movies = pd.read_csv('data/movies.csv')
movie_info = pd.read_csv('data/movie_info.csv')
buildings = pd.read_csv('data/buildings.csv')
employees = pd.read_csv('data/employees.csv')
cities = pd.read_csv('data/cities.csv')

In [21]:
movies

Unnamed: 0,id,title,director,year,length_minutes
0,1,Toy Story,John Lasseter,1995,81
1,2,A Bug's Life,John Lasseter,1998,95
2,3,Toy Story 2,John Lasseter,1999,93
3,4,"Monsters, Inc.",Pete Docter,2001,92
4,5,Finding Nemo,Andrew Stanton,2003,107
5,6,The Incredibles,Brad Bird,2004,116
6,7,Cars,John Lasseter,2006,117
7,8,Ratatouille,Brad Bird,2007,115
8,9,WALL-E,Andrew Stanton,2008,104
9,10,Up,Pete Docter,2009,101


# Connect to database

## We'll use an API (Application Programming Interface) to connect to our database.

SQLAlchemy is the Python SQL toolkit and Object Relational Mapper that gives application developers the full power and flexibility of SQL.

Install SQLAlchemy: `!pip install SQLAlchemy`

In [None]:
# For those using PostgreSQL
# WINDOWS:
# !pip install psycopg2

# for MACBOOK (MacOS) users, install the following:
# !pip install psycopg2-binary

In [None]:
#For those using MySQL
#!pip install pymysql

In [4]:
import sqlalchemy as db


To connect to a database you will usually pass something called `connection string` or `database url` For sqlalchemy it consists of:
- **DB server name** (`mysql`, `postgresql`, `mongodb`) --> official name: _dialect_ 
- **[+driver]** --> Optional driver name, the name of the API to connect with the DB (`psycopg2`, `pyodbc`) 
- ://**username:password** --> password you set up when created database on pgadmin4 for instance
- @**hostname** --> when running locally (`localhost` or `127.0.0.1`), in practice a url provided by the admin.
- /**database name** name of the specific database database you're connecting to (`dataft_202008_python`)

In [23]:
db.create_engine()

TypeError: create() missing 1 required positional argument: 'name_or_url'

In [12]:
# create the engine
engine = db.create_engine('postgresql+psycopg2://postgres:admin@localhost/dataft_python')

# open the connection
conn = engine.connect()
conn.close()

In [10]:
db_server = 'postgresql'
#db_server='pymysql'
user = 'postgres'
#user='root'
password = 'admin'
ip = 'localhost'
db_name = 'outronome'
#db_port = '3306'

# create the engine
engine = db.create_engine(f'{db_server}://{user}:{password}@{ip}/{db_name}')
#engine = db.create_engine(f'mysql+{db_server}://{user}:{password}@{ip}:{db_port}/{db_name}?charset=utf8')
# open the connection
conn = engine.connect()
#conn.close()

# CREATING TABLE via python

The pandas module has built-in functionalities that handles that for you ♥️

In [5]:
employees.head()

Unnamed: 0,role,name,years_employed,building
0,Engineer,Becky A.,4,Burj Khalifa
1,Engineer,Dan B.,2,Burj Khalifa
2,Engineer,Sharon F.,6,Burj Khalifa
3,Engineer,Dan M.,4,Burj Khalifa
4,Engineer,Malcom S.,1,Burj Khalifa


In [12]:
employees.to_sql(name='employees', con=conn)

ValueError: Table 'employees' already exists.

In [13]:
employees.to_sql(name='employees', con=conn, if_exists='replace')

In [14]:
employees.to_sql(name='employees', con=conn, if_exists='replace', index=False)

## READING TABLE via python

In [21]:
# run a query by specifying the query as a string in python 
pd.read_sql_query('SELECT * FROM employees;', con=conn)

Unnamed: 0,role,name,years_employed,building
0,Engineer,Becky A.,4,Burj Khalifa
1,Engineer,Dan B.,2,Burj Khalifa
2,Engineer,Sharon F.,6,Burj Khalifa
3,Engineer,Dan M.,4,Burj Khalifa
4,Engineer,Malcom S.,1,Burj Khalifa
5,Artist,Tylar S.,2,Empire State
6,Artist,Sherman D.,8,Empire State
7,Artist,Jakob J.,6,Empire State
8,Artist,Lillia A.,7,Empire State
9,Artist,Brandon J.,7,Empire State


## You can read a table directly 

In [None]:
pd.read_sql_table('employees', con=conn)

In [None]:
pd.read_sql('employees', con=conn)

# Inserting all tables into database:

In [22]:
movies.to_sql('movies', conn, if_exists='replace', index=False)
employees.to_sql('employees', conn, if_exists='replace', index=False)
cities.to_sql('cities', conn, if_exists='replace', index=False)
movie_info.to_sql('movie_info', conn, if_exists='replace', index=False)
buildings.to_sql('buildings', conn, if_exists='replace', index=False)

## Let's check that

In [23]:
query = '''
SELECT id, 
       title, 
       director
  FROM movies'''

In [26]:
#import pprint
#pp = pprint.PrettyPrinter(width=41, compact=True)
#pp.pprint(query)
pd.read_sql(query, con=conn)

Unnamed: 0,id,title,director
0,1,Toy Story,John Lasseter
1,2,A Bug's Life,John Lasseter
2,3,Toy Story 2,John Lasseter
3,4,"Monsters, Inc.",Pete Docter
4,5,Finding Nemo,Andrew Stanton
5,6,The Incredibles,Brad Bird
6,7,Cars,John Lasseter
7,8,Ratatouille,Brad Bird
8,9,WALL-E,Andrew Stanton
9,10,Up,Pete Docter


## Important to understand

Note that when you `pd.read_sql('SELECT * FROM table')`, you are effectivelly sending the string to the PostgreSQL server and the code is being executed **there!** ♥️. Nothing is being executed on Python. The result is then transfered to Python and transformed into a dataframe. But if you have a HUGE table in your database, you can perform the operations there and then bring only the results to your pandas dataframe.

-----------

# SQL review via mini-challenges.

## SELECT queries

For the `movies` table:

1. Find the title of each film
2. Find the director of each film
3. Find the title and director of each film
4. Find the title and year of each film
5. Find all the information about each film

In [None]:
query = '''
SELECT title 
  FROM movies;
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 3 

query = '''
SELECT title, 
       director 
  FROM movies'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 5

query = 'SELECT * FROM movies'

pprint(query)
df = pd.read_sql(query, con=conn)
df

In [None]:
pd.read_sql(query, con=conn).describe()

## WHERE clause - filters

1. Find the movie with a row id of 6 and 3
2. Find the movies released in the years between 2000 and 2010
3. Find the movies not released in the years between 2000 and 2010
4. Find the first 5 Pixar movies and their release year (suppose id is given in order)

In [None]:
query = '''
SELECT * 
  FROM movies
 WHERE id = 3 OR id = 6;
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT * 
  FROM movies
 WHERE id IN (3,6,9);
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
my_tuple = (3, 6, 4)
my_tuple

In [None]:


query = f'''
SELECT * 
  FROM movies
 WHERE id IN {my_tuple};
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
selected_movie = input('Which movie?')

In [None]:
query = f'''
SELECT * 
  FROM movies
 WHERE title = '{selected_movie}';
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = f'''
SELECT * FROM movies
UNION ALL
SELECT * FROM movies
;
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
queries = ['SELECT * FROM movies' for i in range(96)]
query = '\nUNION ALL\n'.join(queries)

In [None]:
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
tables = ['boleto', 'cartao','cheque','dda']
anomes = ['201901','201902','201903']

In [None]:
queries = []

for table in tables:
    for ref in anomes:
        my_table = f'financial_network_{table}_{ref}'
        queries.append(f'{my_table}')
        
print('\nUNION ALL\n'.join(queries))

In [None]:
# 3

query = '''
SELECT *
  FROM movies
 WHERE year >= 2000 AND year < 2010 
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT *
  FROM movies
 WHERE year BETWEEN 2000 AND 2009 
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 4

query = '''
SELECT *
  FROM movies
 WHERE year NOT BETWEEN 2000 AND 2009 
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 4

query = '''
SELECT *
  FROM movies
 WHERE year NOT BETWEEN 2000 AND 2009 
'''

pprint(query)
pd.read_sql(query, con=conn).sort_values(by='length_minutes')

## LIKE clause, % and _

1. Find all the Toy Story movies
2. Find all the movies directed by John Lasseter
3. Find all the movies (and director) not directed by John Lasseter
4. Find all the WALL-* movies

In [None]:
query = """
SELECT * 
  FROM movies 
 WHERE title LIKE 'Toy %'
 """
pprint(query)
pd.read_sql(query, conn)


### Regex PostgreSQL

In [None]:
query = """
SELECT * 
  FROM movies 
 WHERE title ~ 'Toy [Ss]tory \d'
"""

pd.read_sql(query, conn)

In [None]:

query = """
SELECT * 
  FROM movies 
 WHERE title LIKE 'Toy Story _'
 """
pprint(query)
pd.read_sql(query, conn)


In [None]:
query = """
SELECT * 
  FROM movies 
 WHERE title ~ '^[A-F].*'
"""

pd.read_sql(query, conn)

## ORDER BY clause, DISTINCT, OFFSET

1. List all directors of Pixar movies (alphabetically), without duplicates
2. List the last four Pixar movies released (ordered from most recent to least)
3. List the first five Pixar movies sorted alphabetically
4. List the next five Pixar movies sorted alphabetically

In [None]:
# 1

query = '''
SELECT DISTINCT director 
  FROM movies
 ORDER BY director ASC
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 1

query = '''
SELECT director 
  FROM movies
 ORDER BY director ASC
'''
pprint(query)
pd.read_sql(query, con=conn).drop_duplicates()

In [None]:
query = '''
SELECT director 
  FROM movies
 GROUP BY director
 ORDER BY director
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 4

query = '''
SELECT * 
  FROM movies
 ORDER BY title
 LIMIT 5
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 5

query = '''
SELECT * 
  FROM movies
 ORDER BY title
 LIMIT 5 
 OFFSET 5
'''
pprint(query)
pd.read_sql(query, con=conn)

-------------

## JOINS - Inner joins

From tables `movies` and `movie_info`

1. Find the domestic and international sales for each movie
2. Show the sales numbers for each movie that did better internationally rather than domestically
3. List all the movies by their ratings in descending order

In [None]:
pd.read_sql('movie_info', con=conn)

In [None]:
query = '''
SELECT *
  FROM movies AS A
       LEFT JOIN
       movie_info B
    ON A.id = B.movie_id
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT A.*,
       B.domestic_sales,
       B.international_sales
  FROM movies AS A
       LEFT JOIN
       movie_info B
    ON A.id = B.movie_id
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       LEFT JOIN
       movie_info AS MI
    ON M.id = MI.movie_id
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       LEFT JOIN
       movie_info AS MI
    ON M.id = MI.movie_id
 WHERE MI.international_sales > MI.domestic_sales
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       INNER JOIN
       movie_info AS MI
    ON M.id = MI.movie_id AND MI.international_sales > MI.domestic_sales;
'''

pprint(query)
pd.read_sql(query, con=conn)

### Optimizing the query using subqueries:

In [None]:
pd.read_sql('SELECT * FROM movie_info WHERE international_sales > domestic_sales', con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       INNER JOIN
       (SELECT movie_id, international_sales, domestic_sales FROM movie_info WHERE international_sales > domestic_sales) AS MI
    ON M.id = MI.movie_id
 
'''

pprint(query)
pd.read_sql(query, con=conn)

### Organizing stuff using `Common Table Expressions (CTEs)`
The `WITH` syntax

https://www.geeksforgeeks.org/sql-with-clause/

In [None]:
query = '''

WITH international_better AS (
-- This table contains information where sales are better internationally
SELECT movie_id,
       international_sales,
       domestic_sales
  FROM movie_info 
 WHERE international_sales > domestic_sales
),
-- bring sales info from international_better table
joined_table AS (
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       INNER JOIN
       international_better AS MI
    ON M.id = MI.movie_id
)
SELECT id,
       title,
       director,
       year,
       length_minutes, 
       domestic_sales,
       international_sales
  FROM joined_table
 
'''

pprint(query)
pd.read_sql(query, con=conn)

## JOINS - Outer joins + NULLs

From table `buildings` and `employees`

1. Find the list of all buildings that have employees
2. Find the list of all buildings and their height
3. List all buildings and the distinct employee roles in each building (including empty buildings)
4. Find the name and role of all employees who have not been assigned to a building
5. Find the names of the buildings that hold no employees

In [None]:
query = 'SELECT role, name, building FROM employees WHERE building IS NULL'
pprint(query)
pd.read_sql(query, con=conn)

## Performing calculations inside queries

- `CASE WHEN` syntax

From tables `movies` and `movie_info`: 

0. Create a variable called `fl_post_millenium` which results in 1 if the year is >= 2000 else 0
1. List all movies and their combined sales in millions of dollars
2. List all movies and their ratings in percent
3. List all movies that were released on even number years

In [None]:
# 0: CASE WHEN
query = '''
SELECT A.id,
       A.title,
       A.director,
       A.year,
       A.length_minutes,
       B.rating,
       (CASE WHEN A.year >= 2000 THEN 1 ELSE 0 END) AS fl_post_millenium
  FROM movies AS A
       INNER JOIN
       movie_info AS B
    ON A.id = B.movie_id   
    ;
'''
pprint(query)
pd.read_sql(query, con=conn)

# Group by's and aggregations - MAX, AVG, SUM

From tables `employees` and `buildings`

1. Find the longest time that an employee has been at the Empire State
2. For each role, find the average number of years employed by employees in that role
3. Find the total number of employee years worked in each building

In [None]:
pd.read_sql('SELECT AVG(years_employed) FROM employees', con=conn)

In [None]:
# 1 

query = '''
SELECT role, 
       AVG(years_employed) AS avg_years,
       COUNT(years_employed) AS qtd_linhas
  FROM employees
 GROUP BY role;
'''

pd.read_sql(query, con=conn)

In [None]:
employees.groupby(by='role', as_index=False).agg(avg_years = ('years_employed', 'mean'))

In [None]:
# 1 

query = '''
SELECT director, 
       COUNT(*)
  FROM movies
 GROUP BY director;
'''

pd.read_sql(query, con=conn)


In [None]:
# 1 

query = '''
SELECT director, 
       SUM(CASE WHEN year > 2000 THEN 1 ELSE 0 END) AS qtd_movies_after_2000
  FROM movies
 GROUP BY director;
'''

pd.read_sql(query, con=conn)

In [None]:
# 1 

query = '''
SELECT director, 
       COUNT(*) AS qtd_movies_after_2000
  FROM movies
 WHERE year >= 2000
 GROUP BY director;
'''

pd.read_sql(query, con=conn)

-- The order of SQL queries: 
> https://jvns.ca/blog/2019/10/03/sql-queries-don-t-start-with-select/ (really good blog)

----

# EXTRA: ❌ DANGER ❌


# SQL Injection


0. Search for vulnerabilities.
> `inurl:index.php?id=1`

1. Enter the website 

2. Check if it is vulnerable to SQL-injection 
> plug a backtick (`) at the end of the id=1 query

> https://security.stackexchange.com/questions/121204/dumping-custom-query-via-sql-injection-when-output-is-in-the-die-function

**Important Note**: SQL injection is not legal. Train elsewhere https://ringzer0ctf.com/

In [None]:
df = pd.DataFrame(data=[('andre','admin'), 
                        ('matheus','qwerty'),
                        ('rai','1234567890'), 
                        ('lucas','0987654321')], 
                  columns=['username', 'password'])

In [None]:
df

In [None]:
df.to_sql('user_info', con=conn, if_exists='replace', index=False)

In [None]:
user = 'andre'
password = 'adminashdiuyhasoiudhuiuasldhoasd'

pd.read_sql(f"SELECT * FROM user_info WHERE username = '{user}' AND password = '{password}'", con=conn)

In [None]:
def check_access(user, password):
    
    query = f"SELECT * FROM user_info WHERE username = '{user}' AND password = '{password}'"
    pprint(query)
    df = pd.read_sql(query, con=conn)
    
    if df.shape[0] != 0:
        print('ACCESS GRANTED!')
    else:
        print('ACCESS DENIED!')
    

In [None]:
check_access('andre', 'admin')

In [None]:
check_access("andre'-- ", 'japsduiofjhoiasjdfpojaspdfoijasdpof')

In [None]:
check_access("joao' OR 1=1 -- ", 'ahsiodoiuasuhdas')

In [None]:
pd.read_sql("SELECT * FROM user_info WHERE username = 'joao' OR 1=1", con=conn)

In [None]:
user = "andre\\' --"

In [None]:
f"SELECT * FROM user_info WHERE username = '{user}'"

In [None]:
pd.read_sql(db.text(f"SELECT * FROM user_info WHERE username = '{user}'"), con=conn)