[< __INTRO MODULE 5__](./0.Introduction.ipynb)

## Index:
- [Introduction](#introduction)
- [What SQLlite is made of](#what-sqllite-is-made-of)
- [Creating a database](#creating-a-database)
    - [In-memory database](#in-memory-database)
- [Talking with the DBMS with SQL](#talking-with-the-dbms-with-sql)
    - [Creating a TODO table](#creating-a-todo-table)
    - [Generating the tasks table](#creating-the-tasks-table)
    - [Adding rows into task table](#adding-rows-into-task-table)
- [Executing SQL commands](#executing-sql-commands)
    - [Avoiding SQL injection](#avoiding-sql-injection)
    - [Executing multiple queries](#executing-multiple-queries)

---

## Introduction

The database management system (DBMS) is the software responsible for:

- Creating a database structure;
- Inserting, updating, deleting, and searching data;
- Ensuring data security;
- Transaction management;
- Ensuring concurrent access to data for many users;
- Enabling data exchange with other database systems.

There are many free and paid database management systems on the market.

The most popular of them include:

| __FREE__ |	__PAID__|
|---|---|
| `MySQL`, `PostgreSQL`, `SQLite` | `Oracle Database`, `Microsoft SQL Server`, `IBM DB2` |

![DBMS ICONS](./media/dbms_icons.png)

---

## What SQLlite is made of

SQLlite is one of the most popular databases in the world, in fact, it is a C library that allows users to read and write data directly to a file, since the database is still a single file.

We can find SQLlite in multiple systems, for example, in the mobile phone itself to persist the data of an application.

Therefore, we can say that this database does not need to work on a remote server to perform its functions, i.e., the client (who launches queries) and server (who stores the data) can be on the same computer, in addition, this has an installable so it does not require any additional configuration to work.

But well, for our case we don't care about the installable part since Python has a module already integrated in it called `sqllite3` which provides an interface with DB-API 2.0 described in [PEP 249](https://peps.python.org/pep-0249/).

That is, with the following command line we could already use SQLlite in python:

- `import sqlite3`

> __NOTE__: This module is available in python from version 2.5 onwards.

---

## Creating a database

As we have said before, SQLlite is a C library that allows to read and write over files, then, when working with `sqlite3` from python what we will end up doing is to interact with a file (which we can place in the directory that we prefer inside our project).


In the example bel we generate the connection against the database. In case this file does not exist it will be generated in the directory that we indicate.

In [2]:
import sqlite3

# If you don't set a concrete path (aka conn = sqlite.connect(hello_world_bd.db))
# it will create the path in the folder where the script has been executed
conn = sqlite3.connect('./persistance/hello_world_bd.db')


### In-memory database

You can also create a database in memory (`RAM`), i.e., the data stored in this database will persist until the system terminates the program or shuts down. To do this, the literal `:memory:` must be sent as an argument when instantiating the object with the database connection.

As an example, with the following line you could generate a database in memory this type of database:
```python
    import sqlite3

    conn = sqlite.connect(':memory:')
```

---

## Talking with the DBMS with SQL

SQL stans for __Structured Query Language__ and its used to create, modifying and managing relational databases.

As you might expect, `SQL` is not exclusive to `SQLlite`, but is used in relational databases such as MySQL or PostgreSQL. This language was created by IBM in the 1970s and, over the years, has been modified by different companies that used it in their products.

This led to the need to generate a standard in order to establish a concrete syntax.

As with the PEP, SQL has different standards, although it is important to note that __SQL-92__ is generally the most widely implemented, with some exceptions (which can be consulted in the following [link](https://www.sqlite.org/lang.html)).

![SQL](./media/sql.png)

---

## Creating a TODO table

As the title says, we are going to generate a database where we can store lists of tasks that we plan to do during the day, month or year. The structure of this database will consist of a single table called `tasks`, therefore, and in order not to generate extra files, we are going to reuse the database generated in the point of the guide ["Creating a database"](#creating-a-database).

> As a reminder, this database was located in the path [./persistance/hello_world_bd.db](./persistance/hello_world_bd.db).

The structure of the `tasks` table will be as follows:

![Table tasks](./media/table_tasks.png)

---

### Creating the tasks table

Through the image shown above, we can say that the `tasks` table is made up of three columns.

Specifically it would be:
- `id`: Which would have the unique identifier per record.
- name`: It corresponds to the task to be performed (a string)
- `priority`: Consists of the priority set for the task (an integer).

To generate tables we must use the language mentioned above, i.e. `SQL`. 

The structure that this type of code would have is the following:
```sql
    CREATE TABLE table_name (
        column1 datatype,
        column2 datatype,
        column3 datatype,
        ...
        columnN datatype,
    );
```

> __NOTE__: All existing datatype's can be consulted in the following [page](https://www.sqlite.org/datatype3.html).

Taking into account the needs of the tasks table and the SQL structure to generate tables we should generate a SQL code similar to this one:
```sql
CREATE TABLE tasks (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    priority INTEGER NOT NULL
);
```

> __NOTE__: If you notice, both the `name` and `priority` variables take the `NOT NULL` arguments. This statement prevents the user from creating records in the table without defining the name of the task or its priority.

---

### Adding rows into task table

With the previous SQL statement we will be able to generate the tasks table, however, we still need to know how we can generate records in our table. For this we can use the `INSERT INTO` statement.

This will allow us to include records in the table we want.

In SQL the statement to insert data into a table has the following format:
```SQL
INSERT INTO table_name (column1, column2, column3, ..., columnN)
VALUES (value1, value2, value3, ..., valueN);
```

Considering the format we could generate the following statement:
```SQL
INSERT INTO tasks (name, priority) VALUES ('My first task', 1);

// NOTE 1:
// INSERT INTO tasks (id, name, priority) VALUES(0, 'My first task', 1).

// NOTE 2:
// INSERT INTO tasks VALUES('My first task', 1)
```

> __NOTE 1__: Columns that are primary key (as is the case of `id` in the `tasks` table) do not have to be reported in the statement that inserts data, since the table itself automatically reports an (incremental) value as a unique identifier.

> NOTE 2: In the INSERT INTO statement it is not mandatory to inform the columns where the data will be inserted. It can be interesting to indicate the columns if we will only partially store the data. For example, let's say that the priority is not a necessary data to indicate. Then we should do `INSERT INTO tasks (id, name) VALUES (0, 'My first task')`.

---

## Executing SQL commands

What was shown above corresponded to SQL language to organise and work with the data contained in our database, however, what we need to know now is how we can execute it through Python.

Simply, this can be achieved through the `execute` method el cual es accesible a.

To achieve this we must generate a `cursor`, which will be the intermediary that will receive the SQL statements to send them over the established connection. This `cursor` contains the necessary methods to be able to send the SQL statements, such as `execute`.

For example, let's say we want to create the task DB and insert a first task we should execute the following script:

In [1]:
import sqlite3

conn = sqlite3.connect('./persistance/hello_world_bd.db')

c = conn.cursor()

# 1. Creation of the table if doesn't exist
c.execute('''CREATE TABLE IF NOT EXISTS tasks (
id INTEGER PRIMARY KEY,
name TEXT NOT NULL,
priority INTEGER NOT NULL
);''')

# 2. Insertion of data into the table
c.execute('INSERT INTO tasks (name, priority) VALUES (?,?)', ('My first task', 1))

<sqlite3.Cursor at 0x781078b95040>

With this we have already inserted a first value in the table.

---

### Avoiding SQL injection

If we look at the example above, in the second command the `execute` method accepts a second argument which is a `tuple` with two values.

```python
    ...

    # 2. Insertion of data into the table
    c.execute('INSERT INTO tasks (name, priority) VALUES (?,?)', ('My first task', 1))
```

The values in the `tuple` correspond to the `?` values in the SQL insert command. They are referenced in the same order as they are in the `tuple`, i.e. the first value refers to the data inserted in `name` (which will be `My first task` ) and the second value refers to the data inserted in `priority` (which will be `1`).

What we can ask ourselves is why not insert them directly in the SQL statement?

In this case it does not make much sense to apply something like this, since we ourselves are specifying what data will enter in each column, however, if the data arrives from a client it could be ill-intentioned, since it could intuit the code to be executed by the server and indicate that the inserted data is something like ....

```python
# Inputs from user
task_name = "1'); DROP TABLE tasks; --"
priority_value = "2"

# Statement created if the ? isn't used
SQL_statement = "INSERT INTO tasks (name, priority) VALUES ('1'); DROP TABLE tasks; --', 2)"
```

As we can see, if we generate the statement directly with the input received by the user we could generate a command like this, where we insert a single value and then delete the table.

This is where the second argument `execute` comes in, which will perform a check for us on what the user is going to insert.

---

## Accepting the changes made

We’re only one step away from inserting our first task in the database. All we're missing is to call the `commit` method provided by the Connection object.

The `commit` method confirms our changes (the current transaction). If you forget to call it, your changes won't be visible in the database.

In the example above, another method of the Connection object is used. The `close` method closes the database connection, e.g., after inserting all tasks.


In [None]:
conn.commit()
conn.close()


---

## Executing multiple queries 

It may be the case where the code working with the DB must execute multiple SQL statements to insert data with. The use of the `execute` method is not very efficient, as it implies that each statement must be iterated in some way in the script itself.

To solve this problem sqlite3 implements the `executemany` method which works very similar to `execute` with the difference that the second argument (instead of being a tuple with the values to be inserted in case of an `INSERT` with ??) is an array with the values to be inserted.

An example is given below:

In [2]:
import sqlite3

conn = sqlite3.connect('./persistance/hello_world_bd.db')
c = conn.cursor()
tasks = [
    ('My first task', 1),
    ('My second task', 5),
    ('My third task', 10),
]
c.executemany('INSERT INTO tasks (name, priority) VALUES (?,?)', tasks)
conn.commit()
conn.close()


---




---

[< __INTRO MODULE 5__](./Introduction.ipynb)