## Learning Outcomes:

1. Connecting to our database using SQLAlchemy
1. SQLite
1. The SQLAlchemy ORM
1. Working with the Session object


In [None]:
# Prerequisites - Install SQLAlchemy
%pip install SQLAlchemy

# Connecting to our database using SQLAlchemy

SQLAlchemy is an open-source Python library for working with relational databases.

SQLAlchemy has both a Core component, which allows us to work directly with the database, and an ORM component, which allows us to work with Python objects that are mapped to database tables. We'll start by examining the Core.

Note: Some of this lesson is adapted from the official SQLAlchemy unified tutorial at https://docs.sqlalchemy.org/en/20/tutorial/index.html


In [None]:
# Required imports
from sqlalchemy import create_engine, text

In [None]:
# The connection string is a URI that specifies the DBMS and database we want to connect to.
# The general format of the connection string is:
# DBMS://Username:Password@Host:Port/Database
connection_string = "sqlite:///lesson.db"

# The core object of SQLAlchemy is the engine, which represents the DBMS.
# The create_engine() function takes a single required argument, which is the connection string.
# The echo flag will enable us to see the SQL statements generated.
engine = create_engine(connection_string, echo=True)

# with the engine, we can now connect to the database, and execute SQL statements.
# To enter literal SQL statements in SQLAlchemy, we need to use text()
with engine.connect() as conn:
    result = conn.execute(text("SELECT 'First Query in SQAlchemy!'"))
    rows = result.all()
print(type(rows), rows)
print(type(rows[0]), rows[0])

print(f"We got: {rows[0][0]}")


In [None]:
# Note that by default, SqlAlchemy rolls back the transaction after the with block is done.
# In the above read-only example, it was ok. But if we want to make changes, we need to commit the transaction.
# To do so, we need to use conn.commit() at the end of the block (or even multiple times).

# In the following example, we'll actually store some data in the database.
with engine.connect() as conn:
    conn.execute(text("CREATE TABLE cubes (x int, y int)"))
    conn.execute(
        text("INSERT INTO cubes (x, y) VALUES (0, 0), (1, 1), (2, 8)"),
    )
    conn.commit()

In [None]:
# Let us check that the values we inserted are there:
with engine.connect() as conn:
    result = conn.execute(text("SELECT * FROM cubes"))
    rows = result.all()

print("Method 1 to print the rows: ")
for row in rows:
    print(f"The cube of {row[0]} is {row[1]}")

print("Method 2 to print the rows: ")
for index in range(len(rows)):    
    print(f"The cube of {rows[index][0]} is {rows[index][1]}")

print("Method 3 to print the rows: ")
for index in range(len(rows)):    
    print(f"The cube of {rows[index].x} is {rows[index].y}")


In [None]:
# Let's say you want to add a dynamic value to the table, based on user input.
# you might be tempted to do something like this
# BUT DON'T DO IT!
name = input("Please enter your name: ")

with engine.connect() as conn:
    conn.execute(text("DROP TABLE IF EXISTS Students"))
    conn.execute(text("CREATE TABLE Students (name varchar)"))
    conn.execute(
        text(f"INSERT INTO Students (name) VALUES ('{name}')"),
    )
    conn.commit()

# SQL Injection:

This is a very famous comic from XKCD:

![image.png](https://imgs.xkcd.com/comics/exploits_of_a_mom_2x.png)
https://imgs.xkcd.com/comics/exploits_of_a_mom_2x.png

In [None]:
import sqlite3

# Connect to SQLite file
conn2 = sqlite3.connect("injection_demo.db")
cursor = conn2.cursor()

# Create the table
cursor.execute("DROP TABLE IF EXISTS Students")
cursor.execute("CREATE TABLE Students (name TEXT)")

name = "Anand"

# Vulnerable: direct string formatting
sql = f"INSERT INTO Students (name) VALUES ('{name}')"
cursor.executescript(sql)  # <-- executes multiple statements

conn2.commit()

In [None]:
# Let's recreate the injection from the comic using raw sql queries
# Malicious input
name = "Robert'); DROP TABLE Students; --"

# Vulnerable: direct string formatting
sql = f"INSERT INTO Students (name) VALUES ('{name}')"

def logger(statement):
    print("[SQL]", statement)

conn2.set_trace_callback(logger)

cursor.executescript(sql)  # <-- executes multiple statements

conn2.commit()

In [None]:
# Let's recreate the injection from the comic this time using sqlalchemy
# Assume a malicious user entered the following name, and let's see the SQL that will be executed
name = "Robert'); DROP TABLE Students; --"

with engine.connect() as conn:
    conn.execute(text("CREATE TABLE IF NOT EXISTS Students (name varchar)"))
    conn.execute(
        text(f"INSERT INTO Students (name) VALUES ('{name}')"),
    )
    conn.commit()

# Note that thankfully SQLAlchemy prevented this one, by only allowing us to execute one statement at a time
# And hence you should see an error message when you run this block

In [None]:
# Parameterized queries

# The correct way to add dynamic values to a query is to use the following approach,
# with inputs as "placeholder" parameters to the query, each prefixed with a colon.

with engine.connect() as conn:
    conn.execute(
        text("INSERT INTO cubes (x, y) VALUES (:x, :y)"),
        [{"x": 3, "y": 9}, {"x": 4, "y": 16}],
    )
    rows = conn.execute(text("SELECT * FROM cubes")).all()
    conn.commit()

print(f"The rows are: {rows}")
# Note that the above approach is not only safer, but also more efficient,
# as the DBMS can cache the query and reuse it for different values of the parameters.

In [None]:
# Regarding the commit() function, note that the style above is called "commit as you go"
# If we know we'd only want to commit at the end of the block, we can use .begin() to commit automatically.

with engine.begin() as conn:
    conn.execute(
        text("INSERT INTO cubes (x, y) VALUES (:x, :y)"),
        {"x": 5, "y": 25}, # If we just want to add a single row, we don't need the list
    )
    rows = conn.execute(text("SELECT * FROM cubes")).all()


print(f"The rows are: {rows}")

In [None]:
# Instead of getting all the rows, we can also iterate over the result set.
with engine.connect() as conn:
    result = conn.execute(text("SELECT x, y FROM cubes"))
    for x,y in result:
        print(f"The cube of {x} is {y}")
    # Note that each row behaves as a "named tuple", so we can access the columns by name or by index

**For practice try creating another table called sqaures, add some values, read them and print them out.**