# PostgreSQL + Python

In [1]:
!pip install SQLAlchemy
!pip install psycopg2-binary



In [2]:
import os
import pandas as pd
from sqlalchemy import text, create_engine

**PART 1**: Connect to the database

**PART 2**: Run queries

### PART 1: Connect to the database

#### 1.1. In order to connect to any database, we need...

1. Username
2. Password
3. Port
4. Database
5. Host

```psql -U username -p port -d database -h host```

In [5]:
HOST = 'localhost' # you can swap this for your RDS endpoint
USERNAME = 'marija'
PORT = '5432'
DB = 'northwind'
PASSWORD = '*****'

Set your postgres password as environment variable.

1. Navigate to your home directory (type `cd` in your terminal)
2. Open your `.bashrc` or `.bash_profile` (if you use the bash shell) file in the text editor of your choice
3. Add the following line to your `.bashrc`/`.bash_profile` file: `export PG_PASSWORD='*****'`
4. After closing `.bashrc` file type `source ~/.bashrc` in the terminal
5. Open a new jupyter notebook session 

In [6]:
PASSWORD = os.getenv('PGPASSWORD')
PASSWORD

'titanic99'

#### 1.2. Create a connection string ("URL" for our database)

In [7]:
conn_string = f'postgresql://{USERNAME}:{PASSWORD}@{HOST}:{PORT}/{DB}'

In [8]:
conn_string_mac = f'postgresql://{HOST}:{PORT}/{DB}'

In [12]:
conn_string_mac

'postgresql://localhost:5432/northwind'

#### 1.3. Connect to your `northwind` database

In [9]:
engine = create_engine(conn_string)

In [10]:
engine

Engine(postgresql://marija:***@localhost:5432/northwind)

In [11]:
type(engine)

sqlalchemy.engine.base.Engine

#### 1.4. Execute your first query from Python!

In [18]:
query = '''
CREATE TABLE IF NOT EXISTS orders_berlin (
    order_id INT PRIMARY KEY,
    ship_via INT,
    ship_name TEXT
)
'''

In [19]:
engine.execute(query)

<sqlalchemy.engine.result.ResultProxy at 0x7fd8e863ea90>

Now go check in your database to make sure it worked!

### Part 2: Run queries

#### 2.1. SQL + Pandas

We'll use three of the Pandas functions that are similar to things you've already seen, `.to_sql`, `.read_sql_table`, `.read_sql_query`.

Let's first load some data from our northwind CSVs.

In [20]:
orders = pd.read_csv('../data/northwind-data/orders.csv')

In [21]:
orders.head()

Unnamed: 0,orderID,customerID,employeeID,orderDate,requiredDate,shippedDate,shipVia,freight,shipName,shipAddress,shipCity,shipRegion,shipPostalCode,shipCountry
0,10248,VINET,5,1996-07-04 00:00:00.000,1996-08-01 00:00:00.000,1996-07-16 00:00:00.000,3,32.38,Vins et alcools Chevalier,59 rue de l'Abbaye,Reims,,51100,France
1,10249,TOMSP,6,1996-07-05 00:00:00.000,1996-08-16 00:00:00.000,1996-07-10 00:00:00.000,1,11.61,Toms Spezialitäten,Luisenstr. 48,Münster,,44087,Germany
2,10250,HANAR,4,1996-07-08 00:00:00.000,1996-08-05 00:00:00.000,1996-07-12 00:00:00.000,2,65.83,Hanari Carnes,Rua do Paço 67,Rio de Janeiro,RJ,05454-876,Brazil
3,10251,VICTE,3,1996-07-08 00:00:00.000,1996-08-05 00:00:00.000,1996-07-15 00:00:00.000,1,41.34,Victuailles en stock,2 rue du Commerce,Lyon,,69004,France
4,10252,SUPRD,4,1996-07-09 00:00:00.000,1996-08-06 00:00:00.000,1996-07-11 00:00:00.000,2,51.3,Suprêmes délices,Boulevard Tirou 255,Charleroi,,B-6000,Belgium


In [24]:
orders_berlin = orders[orders['shipCity'] == 'Berlin'][['orderID', 'shipVia', 'shipName']]

In [25]:
orders_berlin

Unnamed: 0,orderID,shipVia,shipName
395,10643,1,Alfreds Futterkiste
444,10692,2,Alfred's Futterkiste
454,10702,1,Alfred's Futterkiste
587,10835,3,Alfred's Futterkiste
704,10952,1,Alfred's Futterkiste
763,11011,1,Alfred's Futterkiste


`.to_sql`

In [26]:
orders_berlin.to_sql('orders_berlin', engine, index=False, if_exists='replace')

* Instead of replacing, can also `append` or `fail`.

Look at your table description in `psql`. What do you notice? 

In [28]:
engine.execute('ALTER TABLE orders_berlin ADD PRIMARY KEY ("orderID")')

<sqlalchemy.engine.result.ResultProxy at 0x7fd8e863ea60>

`.read_sql_query`

In [29]:
query = '''
    SELECT order_id, ship_via, ship_name
    FROM orders
    WHERE ship_city='Berlin'
'''

In [32]:
pd.read_sql_query(query, engine)

Unnamed: 0,order_id,ship_via,ship_name
0,10643,1,Alfreds Futterkiste
1,10692,2,Alfred's Futterkiste
2,10702,1,Alfred's Futterkiste
3,10835,3,Alfred's Futterkiste
4,10952,1,Alfred's Futterkiste
5,11011,1,Alfred's Futterkiste


`.read_sql_table`

In [33]:
pd.read_sql_table('orders_berlin', engine)

Unnamed: 0,orderID,shipVia,shipName
0,10643,1,Alfreds Futterkiste
1,10692,2,Alfred's Futterkiste
2,10702,1,Alfred's Futterkiste
3,10835,3,Alfred's Futterkiste
4,10952,1,Alfred's Futterkiste
5,11011,1,Alfred's Futterkiste


#### 2.2. Running queries directly in the database

In [35]:
print(query)


    SELECT order_id, ship_via, ship_name
    FROM orders
    WHERE ship_city='Berlin'



In [36]:
engine.execute(query)

<sqlalchemy.engine.result.ResultProxy at 0x7fd8fa1e91f0>

In [37]:
list(engine.execute(query))

[(10643, 1, 'Alfreds Futterkiste'),
 (10692, 2, "Alfred's Futterkiste"),
 (10702, 1, "Alfred's Futterkiste"),
 (10835, 3, "Alfred's Futterkiste"),
 (10952, 1, "Alfred's Futterkiste"),
 (11011, 1, "Alfred's Futterkiste")]

#### 2.3. Parametrized queries

##### Bad way!

String formatting the query

In [38]:
city = 'Berlin'

In [39]:
query_param1 = '''
    SELECT order_id, customer_id, shipped_date
    FROM orders
    WHERE ship_city = '%s'
''' %city

In [40]:
list(engine.execute(query_param1))

[(10643, 'ALFKI', datetime.datetime(1997, 9, 2, 0, 0)),
 (10692, 'ALFKI', datetime.datetime(1997, 10, 13, 0, 0)),
 (10702, 'ALFKI', datetime.datetime(1997, 10, 21, 0, 0)),
 (10835, 'ALFKI', datetime.datetime(1998, 1, 21, 0, 0)),
 (10952, 'ALFKI', datetime.datetime(1998, 3, 24, 0, 0)),
 (11011, 'ALFKI', datetime.datetime(1998, 4, 13, 0, 0))]

##### Good way!

Passing the parameter to `.execute`.

In [41]:
query_param2 = text('''
    SELECT order_id, customer_id, shipped_date 
    FROM orders 
    WHERE ship_city = :city
    AND ship_country = :country
''')

In [43]:
print(query_param2)


    SELECT order_id, customer_id, shipped_date 
    FROM orders 
    WHERE ship_city = :city
    AND ship_country = :country



In [44]:
param_dict = {'city': 'Berlin', 'country': 'Germany'}

In [45]:
list(engine.execute(query_param2, param_dict))

[(10643, 'ALFKI', datetime.datetime(1997, 9, 2, 0, 0)),
 (10692, 'ALFKI', datetime.datetime(1997, 10, 13, 0, 0)),
 (10702, 'ALFKI', datetime.datetime(1997, 10, 21, 0, 0)),
 (10835, 'ALFKI', datetime.datetime(1998, 1, 21, 0, 0)),
 (10952, 'ALFKI', datetime.datetime(1998, 3, 24, 0, 0)),
 (11011, 'ALFKI', datetime.datetime(1998, 4, 13, 0, 0))]

##### Exercise: Modify the parameter below to perform SQL injection / delete one of your tables

In [46]:
param = 'Misc'

In [47]:
query_injection = '''
    INSERT INTO categories (category_id, category_name)
    VALUES (100, '%s')
''' %param

(Because `category_id` is a primary key, you'll have to keep changing the value inserted for `category_id` (e.g. 101, 102...) as you're debugging.)

In [48]:
engine.execute(query_injection)

<sqlalchemy.engine.result.ResultProxy at 0x7fd8d8193730>

**YOUR TASK** Figure out what to replace the param string with, so that running your query drops the table orders_berlin

In [61]:
param = 'Misc ...'

In [62]:
query_injection = '''
    INSERT INTO categories (category_id, category_name)
    VALUES (200, '%s')
''' %param

In [63]:
engine.execute(query_injection)

<sqlalchemy.engine.result.ResultProxy at 0x7fd8e863e9d0>

This was just a quick introduction into sqlalchemy. In its full functionality it is a very powerful toolkit. If you are interested in learning more, or are working with databases in Python, start here: https://docs.sqlalchemy.org/en/13/core/tutorial.html

Things you can expect: `Table`, `Column`, `ForeignKey` objects, `.insert()`, `.select()`, `.join()` methods.