## Learning Outcomes:

1. Connecting to our database using SQLAlchemy
1. SQLite
1. The SQLAlchemy ORM
1. Working with the Session object


In [1]:
# Prerequisites - Install SQLAlchemy
%pip install SQLAlchemy

Collecting SQLAlchemy
  Downloading sqlalchemy-2.0.44-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (9.5 kB)
Collecting greenlet>=1 (from SQLAlchemy)
  Downloading greenlet-3.2.4-cp312-cp312-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl.metadata (4.1 kB)
Downloading sqlalchemy-2.0.44-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.3 MB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m3.3/3.3 MB[0m [31m20.2 MB/s[0m  [33m0:00:00[0m eta [36m0:00:01[0m
[?25hDownloading greenlet-3.2.4-cp312-cp312-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl (607 kB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m607.6/607.6 kB[0m [31m18.6 MB/s[0m  [33m0:00:00[0m
[?25hInstalling collected packages: greenlet, SQLAlchemy
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m2/2[0m [SQLAlchemy]2[0m [SQLAlchemy]
[1A[2KSuccessfully installed SQLAlchemy-2.0.44 greenlet-3.2.4
Note: you may need to restart the kernel to u

# Connecting to our database using SQLAlchemy

SQLAlchemy is an open-source Python library for working with relational databases.

SQLAlchemy has both a Core component, which allows us to work directly with the database, and an ORM component, which allows us to work with Python objects that are mapped to database tables. We'll start by examining the Core.

Note: Some of this lesson is adapted from the official SQLAlchemy unified tutorial at https://docs.sqlalchemy.org/en/20/tutorial/index.html


In [2]:
# Required imports
from sqlalchemy import create_engine, text

In [3]:
# The connection string is a URI that specifies the DBMS and database we want to connect to.
# The general format of the connection string is:
# DBMS://Username:Password@Host:Port/Database
connection_string = "sqlite:///lesson.db"

# The core object of SQLAlchemy is the engine, which represents the DBMS.
# The create_engine() function takes a single required argument, which is the connection string.
# The echo flag will enable us to see the SQL statements generated.
engine = create_engine(connection_string, echo=True)

# with the engine, we can now connect to the database, and execute SQL statements.
# To enter literal SQL statements in SQLAlchemy, we need to use text()
with engine.connect() as conn:
    result = conn.execute(text("SELECT 'First Query in SQAlchemy!'"))
    rows = result.all()
print(type(rows), rows)
print(type(rows[0]), rows[0])

print(f"We got: {rows[0][0]}")


2025-12-01 14:55:15,513 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 14:55:15,524 INFO sqlalchemy.engine.Engine SELECT 'First Query in SQAlchemy!'
2025-12-01 14:55:15,580 INFO sqlalchemy.engine.Engine [generated in 0.06602s] ()
2025-12-01 14:55:15,601 INFO sqlalchemy.engine.Engine ROLLBACK
<class 'list'> [('First Query in SQAlchemy!',)]
<class 'sqlalchemy.engine.row.Row'> ('First Query in SQAlchemy!',)
We got: First Query in SQAlchemy!


In [4]:
# Note that by default, SqlAlchemy rolls back the transaction after the with block is done.
# In the above read-only example, it was ok. But if we want to make changes, we need to commit the transaction.
# To do so, we need to use conn.commit() at the end of the block (or even multiple times).

# In the following example, we'll actually store some data in the database.
with engine.connect() as conn:
    conn.execute(text("CREATE TABLE cubes (x int, y int)"))
    conn.execute(
        text("INSERT INTO cubes (x, y) VALUES (0, 0), (1, 1), (2, 8)"),
    )
    conn.commit()

2025-12-01 14:58:06,965 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 14:58:06,967 INFO sqlalchemy.engine.Engine CREATE TABLE cubes (x int, y int)
2025-12-01 14:58:06,967 INFO sqlalchemy.engine.Engine [generated in 0.00256s] ()
2025-12-01 14:58:06,975 INFO sqlalchemy.engine.Engine INSERT INTO cubes (x, y) VALUES (0, 0), (1, 1), (2, 8)
2025-12-01 14:58:06,976 INFO sqlalchemy.engine.Engine [generated in 0.00076s] ()
2025-12-01 14:58:06,977 INFO sqlalchemy.engine.Engine COMMIT


In [5]:
# Let us check that the values we inserted are there:
with engine.connect() as conn:
    result = conn.execute(text("SELECT * FROM cubes"))
    rows = result.all()

print("Method 1 to print the rows: ")
for row in rows:
    print(f"The cube of {row[0]} is {row[1]}")

print("Method 2 to print the rows: ")
for index in range(len(rows)):    
    print(f"The cube of {rows[index][0]} is {rows[index][1]}")

print("Method 3 to print the rows: ")
for index in range(len(rows)):    
    print(f"The cube of {rows[index].x} is {rows[index].y}")


2025-12-01 14:58:39,354 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 14:58:39,356 INFO sqlalchemy.engine.Engine SELECT * FROM cubes
2025-12-01 14:58:39,357 INFO sqlalchemy.engine.Engine [generated in 0.00238s] ()
2025-12-01 14:58:39,358 INFO sqlalchemy.engine.Engine ROLLBACK
Method 1 to print the rows: 
The cube of 0 is 0
The cube of 1 is 1
The cube of 2 is 8
Method 2 to print the rows: 
The cube of 0 is 0
The cube of 1 is 1
The cube of 2 is 8
Method 3 to print the rows: 
The cube of 0 is 0
The cube of 1 is 1
The cube of 2 is 8


In [6]:
# Let's say you want to add a dynamic value to the table, based on user input.
# you might be tempted to do something like this
# BUT DON'T DO IT!
name = input("Please enter your name: ")

with engine.connect() as conn:
    conn.execute(text("DROP TABLE IF EXISTS Students"))
    conn.execute(text("CREATE TABLE Students (name varchar)"))
    conn.execute(
        text(f"INSERT INTO Students (name) VALUES ('{name}')"),
    )
    conn.commit()

2025-12-01 15:00:35,557 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 15:00:35,558 INFO sqlalchemy.engine.Engine DROP TABLE IF EXISTS Students
2025-12-01 15:00:35,559 INFO sqlalchemy.engine.Engine [generated in 0.00257s] ()
2025-12-01 15:00:35,560 INFO sqlalchemy.engine.Engine CREATE TABLE Students (name varchar)
2025-12-01 15:00:35,560 INFO sqlalchemy.engine.Engine [generated in 0.00046s] ()
2025-12-01 15:00:35,564 INFO sqlalchemy.engine.Engine INSERT INTO Students (name) VALUES ('jack')
2025-12-01 15:00:35,565 INFO sqlalchemy.engine.Engine [generated in 0.00060s] ()
2025-12-01 15:00:35,566 INFO sqlalchemy.engine.Engine COMMIT


# SQL Injection:

This is a very famous comic from XKCD:

![image.png](https://imgs.xkcd.com/comics/exploits_of_a_mom_2x.png)
https://imgs.xkcd.com/comics/exploits_of_a_mom_2x.png

In [7]:
import sqlite3

# Connect to SQLite file
conn2 = sqlite3.connect("injection_demo.db")
cursor = conn2.cursor()

# Create the table
cursor.execute("DROP TABLE IF EXISTS Students")
cursor.execute("CREATE TABLE Students (name TEXT)")

name = "Anand"

# Vulnerable: direct string formatting
sql = f"INSERT INTO Students (name) VALUES ('{name}')"
cursor.executescript(sql)  # <-- executes multiple statements

conn2.commit()

In [8]:
# Let's recreate the injection from the comic using raw sql queries
# Malicious input
name = "Robert'); DROP TABLE Students; --"

# Vulnerable: direct string formatting
sql = f"INSERT INTO Students (name) VALUES ('{name}')"

def logger(statement):
    print("[SQL]", statement)

conn2.set_trace_callback(logger)

cursor.executescript(sql)  # <-- executes multiple statements

conn2.commit()

[SQL] INSERT INTO Students (name) VALUES ('Robert');
[SQL]  DROP TABLE Students;


In [10]:
# Let's recreate the injection from the comic this time using sqlalchemy
# Assume a malicious user entered the following name, and let's see the SQL that will be executed
name = "Robert'); DROP TABLE Students; --"

with engine.connect() as conn:
    conn.execute(text("CREATE TABLE IF NOT EXISTS Students (name varchar)"))
    conn.execute(
        text(f"INSERT INTO Students (name) VALUES ('{name}')"),
    )
    conn.commit()

# Note that thankfully SQLAlchemy prevented this one, by only allowing us to execute one statement at a time
# And hence you should see an error message when you run this block

2025-12-01 15:03:00,877 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 15:03:00,878 INFO sqlalchemy.engine.Engine CREATE TABLE IF NOT EXISTS Students (name varchar)
2025-12-01 15:03:00,879 INFO sqlalchemy.engine.Engine [cached since 20.26s ago] ()
2025-12-01 15:03:00,882 INFO sqlalchemy.engine.Engine INSERT INTO Students (name) VALUES ('Robert'); DROP TABLE Students; --')
2025-12-01 15:03:00,882 INFO sqlalchemy.engine.Engine [cached since 20.26s ago] ()
2025-12-01 15:03:00,883 INFO sqlalchemy.engine.Engine ROLLBACK


ProgrammingError: (sqlite3.ProgrammingError) You can only execute one statement at a time.
[SQL: INSERT INTO Students (name) VALUES ('Robert'); DROP TABLE Students; --')]
(Background on this error at: https://sqlalche.me/e/20/f405)

In [11]:
# Parameterized queries

# The correct way to add dynamic values to a query is to use the following approach,
# with inputs as "placeholder" parameters to the query, each prefixed with a colon.

with engine.connect() as conn:
    conn.execute(
        text("INSERT INTO cubes (x, y) VALUES (:x, :y)"),
        [{"x": 3, "y": 9}, {"x": 4, "y": 16}],
    )
    rows = conn.execute(text("SELECT * FROM cubes")).all()
    conn.commit()

print(f"The rows are: {rows}")
# Note that the above approach is not only safer, but also more efficient,
# as the DBMS can cache the query and reuse it for different values of the parameters.

2025-12-01 15:03:38,154 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 15:03:38,158 INFO sqlalchemy.engine.Engine INSERT INTO cubes (x, y) VALUES (?, ?)
2025-12-01 15:03:38,158 INFO sqlalchemy.engine.Engine [generated in 0.00462s] [(3, 9), (4, 16)]
2025-12-01 15:03:38,161 INFO sqlalchemy.engine.Engine SELECT * FROM cubes
2025-12-01 15:03:38,163 INFO sqlalchemy.engine.Engine [cached since 298.8s ago] ()
2025-12-01 15:03:38,164 INFO sqlalchemy.engine.Engine COMMIT
The rows are: [(0, 0), (1, 1), (2, 8), (3, 9), (4, 16)]


In [12]:
# Regarding the commit() function, note that the style above is called "commit as you go"
# If we know we'd only want to commit at the end of the block, we can use .begin() to commit automatically.

with engine.begin() as conn:
    conn.execute(
        text("INSERT INTO cubes (x, y) VALUES (:x, :y)"),
        {"x": 5, "y": 25}, # If we just want to add a single row, we don't need the list
    )
    rows = conn.execute(text("SELECT * FROM cubes")).all()


print(f"The rows are: {rows}")

2025-12-01 15:05:00,299 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 15:05:00,301 INFO sqlalchemy.engine.Engine INSERT INTO cubes (x, y) VALUES (?, ?)
2025-12-01 15:05:00,302 INFO sqlalchemy.engine.Engine [generated in 0.00083s] (5, 25)
2025-12-01 15:05:00,303 INFO sqlalchemy.engine.Engine SELECT * FROM cubes
2025-12-01 15:05:00,304 INFO sqlalchemy.engine.Engine [cached since 380.9s ago] ()
2025-12-01 15:05:00,305 INFO sqlalchemy.engine.Engine COMMIT
The rows are: [(0, 0), (1, 1), (2, 8), (3, 9), (4, 16), (5, 25)]


In [13]:
# Instead of getting all the rows, we can also iterate over the result set.
with engine.connect() as conn:
    result = conn.execute(text("SELECT x, y FROM cubes"))
    for x,y in result:
        print(f"The cube of {x} is {y}")
    # Note that each row behaves as a "named tuple", so we can access the columns by name or by index

2025-12-01 15:05:19,465 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-12-01 15:05:19,467 INFO sqlalchemy.engine.Engine SELECT x, y FROM cubes
2025-12-01 15:05:19,468 INFO sqlalchemy.engine.Engine [generated in 0.00321s] ()
The cube of 0 is 0
The cube of 1 is 1
The cube of 2 is 8
The cube of 3 is 9
The cube of 4 is 16
The cube of 5 is 25
2025-12-01 15:05:19,469 INFO sqlalchemy.engine.Engine ROLLBACK


**For practice try creating another table called sqaures, add some values, read them and print them out.**