# 14. Programming with databases

**GRA 4142 Data Management and Python Programming, Fall 2022**  
Jan Kudlicka (jan.kudlicka@bi.no)

## Connecting to a database and executing SQL statements

To be able to use a database in our Python programs we need to import and use a module that knows how to communicate with a relational database management system (RDBMS) where our database is stored. In this notebook we will work with an SQLite3 database (unlike the most client-server database systems, SQLite3 is a library-based database system that stores each database in a single file on your computer) and will use the *sqlite3* package:

In [1]:
import sqlite3 as db

Fortunately, what we will cover below can be directly applied to databases in other RDBMSs as well, as long there exist [PEP 249](https://www.python.org/dev/peps/pep-0249/)-compliant Python packages for these systems. PEP 249 specifies the application programming interface (API) that these database packages have to implement (in other words, what functions, classes, exceptions etc. must be implemented).

First, let's create a copy of the *sqltutorial.db* database (located in the same directory as the notebook), so that we can modify the database and have a simple way how to restore it.

If you use MacOS, Linux or other UNIX-based operating system, run the following cell:

In [2]:
!cp sqltutorial.db sqltutorial_copy.db

If you use Windows, run the following cell instead:

In [None]:
!copy sqltutorial.db sqltutorial_copy.db

Now, let's connect to the copied database. The parameters of the `connect` function depend on the RDBMS, for SQLite3 we need to specify the filename. Once connected to the database, we need to create a *cursor* object and use its `execute` method to run SQL statements against the database.

In [3]:
conn = db.connect("sqltutorial_copy.db", isolation_level=None)
# isolation_level=None means we will not need to "commit" changes we do.

# We need to enable foreign key support explicitly in SQLite3
# (it is off by default because of the backwards compatibility)
conn.execute("PRAGMA foreign_keys = 1")  

cursor = conn.cursor()

For queries, we can iterate over the cursor to get all rows (as tuples) in the result set:

In [8]:
cursor.execute("SELECT * FROM employee")

# Uncomment the following lines if you want to print the column names:
column_names = tuple(column[0] for column in cursor.description)
print(column_names)
print("⎯" * 200)

# Iterating over the cursor = iterating over all rows in the result set:
for row in cursor:  # the type of `row` is `tuple`
    print(row)

('id', 'last_name', 'first_name', 'year_of_birth', 'department_id', 'hour_salary', 'supervisor_id', 'note')
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
(1, 'Alnes', 'Bernt', 1967, 1, 200, 2, None)
(2, 'Fjelldal', 'Mads', 1953, 1, 250, None, None)
(3, 'Lekve', 'Karoline', 1980, 1, 195, 2, 'At maternity leave')
(4, 'Longva', 'Victor', 1978, 1, 190, 2, None)
(5, 'Nymo', 'Ingvar', 1976, 2, 240, 6, 'HSE manager')
(6, 'Bodin', 'Runar', 1969, 2, 240, None, None)
(7, 'Bakke', 'Alfred', 1960, 2, 180, 6, None)
(8, 'Vie', 'Tor', 1974, 2, 190, 6, None)
(9, 'Westgaard', 'Sten', 1975, 2, 190, 6, None)
(10, 'Liseth', 'Rakel', 1969, 3, 190, 13, None)
(11, 'Norman', 'Emil', 1982, 3, 170, 13, None)
(12, 'Dyrhaug', 'Atle', 1971, 3, 200, 13, None)
(13, 'Kvistad', 'Jens', 1952, 3, 230, None, None)
(14, 'Ulset', 'Lucas', 1983, 3, 170, 13, None)
(15, 'Kv

Alternatively, we can use the `fetchone`, `fetchmany` or `fetchall` methods to read one, a given number, or all rows from the result set:

In [13]:
cursor.execute("SELECT * FROM employee")

amount = 5
rows = cursor.fetchmany(amount)
while rows:
    print('Fetched a group of {} rows:'.format(amount))
    print(rows)
    print()
    rows = cursor.fetchmany(amount)

Fetched a group of 5 rows:
[(1, 'Alnes', 'Bernt', 1967, 1, 200, 2, None), (2, 'Fjelldal', 'Mads', 1953, 1, 250, None, None), (3, 'Lekve', 'Karoline', 1980, 1, 195, 2, 'At maternity leave'), (4, 'Longva', 'Victor', 1978, 1, 190, 2, None), (5, 'Nymo', 'Ingvar', 1976, 2, 240, 6, 'HSE manager')]

Fetched a group of 5 rows:
[(6, 'Bodin', 'Runar', 1969, 2, 240, None, None), (7, 'Bakke', 'Alfred', 1960, 2, 180, 6, None), (8, 'Vie', 'Tor', 1974, 2, 190, 6, None), (9, 'Westgaard', 'Sten', 1975, 2, 190, 6, None), (10, 'Liseth', 'Rakel', 1969, 3, 190, 13, None)]

Fetched a group of 5 rows:
[(11, 'Norman', 'Emil', 1982, 3, 170, 13, None), (12, 'Dyrhaug', 'Atle', 1971, 3, 200, 13, None), (13, 'Kvistad', 'Jens', 1952, 3, 230, None, None), (14, 'Ulset', 'Lucas', 1983, 3, 170, 13, None), (15, 'Kvien', 'Amalie', 1977, 4, 205, 16, None)]

Fetched a group of 5 rows:
[(16, 'Tveten', 'Thomas', 1968, 4, 260, None, None), (17, 'Lende', 'Marita', 1972, 4, 210, 16, None)]



## Prepared statements

To run SQL statements that use potentially unsafe data (e.g. data entered by users) we can (and **should**!) use prepared statements. A prepared statement is an SQL that uses placeholders (`?` in sqlite3) that will be replaced by the specified values in a secure way. (Note that other packages might use different placeholders, e.g. `%s`, more information [here](https://www.python.org/dev/peps/pep-0249/#paramstyle).)

For example, if we want to find employees born between two given years, and these are entered by user, we can use the following prepared statement:
```sql
SELECT * FROM employee WHERE year_of_birth BETWEEN ? AND ?
```
and specify a tuple with the values (that will replace the placeholders) as the second parameter when calling the `execute` method (remember a trailing comma if there is only one parameter in the tuple):

In [15]:
year_from = 1975
year_to = 1980

cursor.execute("SELECT * FROM employee WHERE year_of_birth BETWEEN ? AND ?", (year_from, year_to))
column_names = tuple(column[0] for column in cursor.description)
print(column_names)
print("⎯" * 200)

for row in cursor:
    print(row)

('id', 'last_name', 'first_name', 'year_of_birth', 'department_id', 'hour_salary', 'supervisor_id', 'note')
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
(3, 'Lekve', 'Karoline', 1980, 1, 195, 2, 'At maternity leave')
(4, 'Longva', 'Victor', 1978, 1, 190, 2, None)
(5, 'Nymo', 'Ingvar', 1976, 2, 240, 6, 'HSE manager')
(9, 'Westgaard', 'Sten', 1975, 2, 190, 6, None)
(15, 'Kvien', 'Amalie', 1977, 4, 205, 16, None)


## SQL injection

Why is it so important to use prepared statements? Consider the following program:

In [18]:
employee_id = input('Enter employee ID: ')

cursor.execute("SELECT * FROM employee WHERE id = {}".format(employee_id))

for row in cursor:
    print(row)

(1, 'Project Alfa, Uppsala', 210000, None, None, None, None, None)
(2, 'Project Bravo, Knivsta', 190000, None, None, None, None, None)
(3, 'Project Charlie, Stockholm', 420000, None, None, None, None, None)


This program does exactly what we want, as long we enter valid employee IDs. But what happens if you enter the following input?
```
0 UNION SELECT *, NULL, NULL, NULL, NULL, NULL FROM project
```

The query that gets executed is actually:
```sql
SELECT * FROM employee WHERE id = 0
UNION
SELECT *, NULL, NULL, NULL, NULL, NULL FROM project
```
returning the following rows:
```
(1, 'Project Alfa, Uppsala', 210000, None, None, None, None, None)
(2, 'Project Bravo, Knivsta', 190000, None, None, None, None, None)
(3, 'Project Charlie, Stockholm', 420000, None, None, None, None, None)
```

**Short exercise**. Why have we used NULLs in `*, NULL, NULL, NULL, NULL, NULL` in the query above?

This is an example of *SQL injection*: we were able to *insert* and execute our own SQL (selecting a list of projects) instead of the programmed SQL (information about a particular employee). 

If executing multiple statements were enabled (and they are in some database packages), we would be able to do even more damage:
```
0; DROP TABLE employee
```

**Always use prepared statements!**. Try to repeat the same experiment using the following code:

In [24]:
employee_id = input('Enter employee ID: ')

cursor.execute("SELECT * FROM employee WHERE id = ?", (employee_id,))
# Recall that we need to use a trailing comma if a tuple has only one element!

for row in cursor:
    print(row)

(7, 'Bakke', 'Alfred', 1960, 2, 180, 6, None)


## Exceptions

The *sqlite3* package supports following exceptions: 

- Warning
- Error
  - DatabaseError
    - IntegrityError 
    - ProgrammingError
    - OperationalError
    - NotSupportedError

Execute the following cells and notice the exception types. (As an exercise, try to identify errors in the SQL before you execute each cell.)

In [26]:
try:
    cursor.execute("INSERT INTO employee_project(employee_id, project_id, hours_spent) VALUES (2, 97, 100)")
except db.Error as e:
    print("Error: {} ({})".format(e, type(e)))

Error: FOREIGN KEY constraint failed (<class 'sqlite3.IntegrityError'>)


In [33]:
try:
    cursor.execute("SELECT * FROM employee WHERE id=?")
except db.Error as e:
    print("Error: {} ({})".format(e, type(e)))

Error: Incorrect number of bindings supplied. The current statement uses 1, and there are 0 supplied. (<class 'sqlite3.ProgrammingError'>)


In [35]:
try:
    cursor.execute("SELECT * FROM employee IF id=1")
except db.Error as e:
    print("Error: {} ({})".format(e, type(e)))

Error: near "id": syntax error (<class 'sqlite3.OperationalError'>)


## Closing the cursor and the connection

When we are finished executing SQL statements, we need to close the cursor and the connection:

In [36]:
cursor.close()
conn.close()

## Pandas with databases

There is also some database support in Pandas. In the database-related functions we will need to specify the database connection and there are a few alternatives we can use:

- An SQLite3 connection (as we have seen above).

- A database URL (a string) in the following form: `rdbms://username:password@host:port/database`.

  For example, `mysql://scott:tiger@localhost/foo` means the database *foo* stored on a MySQL server at *localhost* and using the username *scott* and the password *tiger* to authenticate.  

  For SQLite3 databases we only need to specify the filename in the URL, e.g. `sqlite:///sqltutorial_copy.db`.

- An [SQLAlchemy](https://www.sqlalchemy.org/) connection (created by calling the `sqlalchemny.create_engine` function with the database URL as the argument).

In [38]:
import pandas as pd

In [39]:
conn = db.connect("sqltutorial_copy.db", isolation_level=None)

To execute a query and get the result as a data frame we can use the `read_sql_query` function:

In [40]:
pd.read_sql_query("""
SELECT employee.id AS employee_id, employee.first_name, employee.last_name, employee.hour_salary,
       project.id AS project_id, title, cost_est, hours_spent
FROM employee, employee_project, project
WHERE employee_id=employee.id
  AND project_id=project.id
""", conn)

Unnamed: 0,employee_id,first_name,last_name,hour_salary,project_id,title,cost_est,hours_spent
0,1,Bernt,Alnes,200,1,"Project Alfa, Uppsala",210000,100
1,2,Mads,Fjelldal,250,3,"Project Charlie, Stockholm",420000,140
2,4,Victor,Longva,190,2,"Project Bravo, Knivsta",190000,80
3,7,Alfred,Bakke,180,1,"Project Alfa, Uppsala",210000,80
4,8,Tor,Vie,190,1,"Project Alfa, Uppsala",210000,910
5,8,Tor,Vie,190,3,"Project Charlie, Stockholm",420000,720
6,9,Sten,Westgaard,190,3,"Project Charlie, Stockholm",420000,310
7,10,Rakel,Liseth,190,3,"Project Charlie, Stockholm",420000,480
8,11,Emil,Norman,170,3,"Project Charlie, Stockholm",420000,460
9,12,Atle,Dyrhaug,200,2,"Project Bravo, Knivsta",190000,810


We can also store a data frame (or a series) in the database with the `to_sql` method:

In [43]:
df = pd.DataFrame([
    ['2021-05-31 00:00:00', 10.9, 54, 1022.8],
    ['2021-05-31 01:00:00', 10.4, 52, 1022.5],
    ['2021-05-31 02:00:00', 9.3, 53, 1022],
    ['2021-05-31 03:00:00', 10.1, 60, 1021.5],
    ['2021-05-31 04:00:00', 10.1, 58, 1021.2],
    ['2021-05-31 05:00:00', 11.6, 65, 1021.1],
    ['2021-05-31 06:00:00', 13.1, 65, 1020.9],
    ['2021-05-31 07:00:00', 15.2, 64, 1020.8],
    ['2021-05-31 08:00:00', 16.6, 62, 1020.9],
    ['2021-05-31 09:00:00', 16.4, 55, 1021],
    ['2021-05-31 10:00:00', 16.4, 57, 1021.1],
    ['2021-05-31 11:00:00', 19.5, 57, 1020.8],
    ['2021-05-31 12:00:00', 17.8, 44, 1020.8],
    ['2021-05-31 13:00:00', 15.6, 51, 1021.2],
    ['2021-05-31 14:00:00', 14.1, 60, 1021.5],
    ['2021-05-31 15:00:00', 14.1, 60, 1021.5],
    ['2021-05-31 16:00:00', 14.9, 60, 1021.1],
    ['2021-05-31 17:00:00', 15.4, 59, 1020.9],
    ['2021-05-31 18:00:00', 15.1, 59, 1020.8],
    ['2021-05-31 19:00:00', 11.4, 63, 1021.1],
    ['2021-05-31 20:00:00', 9.9, 74, 1021.5],
    ['2021-05-31 21:00:00', 7.8, 76, 1021.8],
    ['2021-05-31 22:00:00', 6.8, 88, 1021.8],
    ['2021-05-31 23:00:00', 5.8, 89, 1021.9]  
], columns=['hour', 'temperature', 'humidity', 'air_pressure'])
df['hour'] = pd.to_datetime(df['hour'])
df

Unnamed: 0,hour,temperature,humidity,air_pressure
0,2021-05-31 00:00:00,10.9,54,1022.8
1,2021-05-31 01:00:00,10.4,52,1022.5
2,2021-05-31 02:00:00,9.3,53,1022.0
3,2021-05-31 03:00:00,10.1,60,1021.5
4,2021-05-31 04:00:00,10.1,58,1021.2
5,2021-05-31 05:00:00,11.6,65,1021.1
6,2021-05-31 06:00:00,13.1,65,1020.9
7,2021-05-31 07:00:00,15.2,64,1020.8
8,2021-05-31 08:00:00,16.6,62,1020.9
9,2021-05-31 09:00:00,16.4,55,1021.0


In [42]:
# We will store the data in `df` in the `weather` table in our database.
df.to_sql("weather", conn)

24

In [19]:
conn.close()