# SQL

Considering CSV file, since columns are separated by commas,  
there might be cases, when data itself contain commas,  
in such cases we would need to use "" quotes to "escape" this problem

consider the example:  
we have created online spreadsheet to analyze popular TV shows  
then we downloaded table if the format of .csv file

our next task is to read this CSV file and remove duplicates

In [None]:
import csv

titles = []

with open("favorites.csv", "r") as file:
    reader = csv.DictReader(file)
    for row in reader:
        title = row["title"].strip() # removes all spaces at the beginning and end of string
        title = title.upper()
        if title not in titles:
            titles.append(title)

for title in titles:
    print(title)

In [None]:
# using set:
title = set()

with open("favorites.csv", "r") as file:
    reader = csv.DictReader(file)
    for row in reader:
        title = row["title"].strip() # removes all spaces at the beginning and end of string
        title = title.upper()
        titles.add(title)

for title in titles:
    print(title)

In [None]:
# sort set:
titles = sorted(titles)

the next task might be to count how many times each TV show title appears in data,  
we can do this using Dictionary, which is similar to Tables:

In [None]:
# using set:
title = {}

with open("favorites.csv", "r") as file:
    reader = csv.DictReader(file)
    for row in reader:
        title = row["title"].strip().upper()
        if not title in titles:
            titles[title] = 0 # initialize key
        titles[title] += 1 # increment counter
        

for title in sorted(titles):
    print(title, titles[title])

sorted function can also sort by values or other parameters defined in function:

In [None]:
def get_value(title):
    return titles[title] # function that simply return value by key

for title in sorter(titles, key=get_value, reverse=True):
    print(title, titles[title])

we can through get_value function away, by using lambda function  
- lambda function in python is essentially function without name, which probably will not we used several times

In [None]:
for title in sorted(titles, key=lambda title: titles[title]):
    print(title, titles[title])

what if we are interested only in "The Office" TV show

In [None]:
counter = 0

with open("favorites.csv", "r") as file:
    reader = csv.DictReader(file)
    for row in reader:
        title = row["title"].strip().upper()
        if title == "THE OFFICE":
            counter += 1
        

print(f"Number of people who likes The Office: {counter}")


but what if we have several rows like "Office" and other with "The Office", how we can count all options together

#### Regular Expressions

Regular Expressions are very useful for cleaning the data

- . - any character
- .* - 0 or more characters
- .+ - 1 or more characters
- ? - optional
- ^ - start of input
- $ - end of input

for example regular expression for email address might look like:  


In [1]:
regular_expression = '''.+@.+\..+ '''

\ .  is "." literally

fix the problem with Offine TV show by using regular expressions:

In [None]:
import csv
import re # regular expressions

counter = 0

with open("favorites.csv") as file:
    reader = csv.DictReader(file)
    for row in reader:
        title = row["title"].strip().upper()
        if re.search("^(OFFICE|THE.OFFICE)", title):
            counter += 1

in the regular expression above, we used several features:
- () encapsulate logical statements
- ^ - beginning of a string
- | - logical OR
- THE.OFFICE - we placed . to check options where people might put some other character instead of space

even though python is powerful language, we still had to write relatively a lot of code

# Relational Database

CRUD: the only things we can do using SQL  
- C - Create (CREATE, INSERT)
- R - Read (SELECT)
- U - Update (UPDATE)
- D - Delete (DELETE, DROP)

Primary Key, Foreign Key

# Indexes

In [None]:
index_statement = '''
CREATE INDEX name ON table (column, ...);
'''

- Is some kind of fancy data structure, that allows database to do better then linear search
- it is like giving database a clue: I know I am gonna search on this table and column a lot, do something with data structures to speed things up
    - may be it is using a tree or try or hash table: some fancier 2D data structure
    - may be tree structure so it is just much faster to find data especially if it is sorting data now
    

- B tree - In world of relational databases, the type of data structure used is B tree

![](./pic/1.png)

- it is not binary, because some nodes might have more than 2 children or fewer
- it is wide and relatively shallow tree, it is now very tall  
- if data is stored in such tree, database can find it more quickly 

SQL has to take some time to create such structure, using some sort of techniques

# JOIN

In [1]:
shows_by_star = '''
select
    id as person_id
from people
where
    name = 'Steve Carell'


select
    show_id
from stars
where
    person_id in (
        select id from people where name = 'Steve Carell'
    )


select
    title
from shows
where
    person_id in (
        select
            show_id
        from stars
        where
            person_id in (
                select id from people where name = 'Steve Carell'
    )
    )
'''

from query above, we see that we are searching by *PEOPLE.name*  
and we are searching by *STARS.person_id*

In [2]:
indexes = '''
CREATE INDEX person_index ON start (person_id);


CREATE INDEX show_index ON stars (show_id);


CREATE INDEX people_index ON people (name);
'''

and if we run our query above, we can see that execution time is reduced significantly

 # SQL injection attack  
 Let us consider case of Login page of University web-site, which uses SQL DB to store data  


what if somebody maliciously put login email in the following form:  
*emal@address.com'--*  
- ' is used for quoting things in SQL
- "--" is used for commenting

Underneath the hood the SQL code might be something like:  


In [5]:
rows = db.execute('''
    SELECT * FROM users
    WHERE username = ? and password = ?
    ''', username, password)

if len(rows) == 1:
    #log user in
    pass

Bad pipe message: %s [b'\xc7"\'aN\xa5\x8fu\x94Q\x9ed\xd21S\xaa\xb8\xbc $^\r\x99\xd0i\x00\x16\xb0r\xb3rQ\xd0\xf2#\xac5\x9f4]\xef\x91+\xba\x1dL\x97\xea\x05+\x0e\x00\x08\x13\x02\x13\x03\x13\x01\x00\xff\x01']
Bad pipe message: %s [b"h\xb8\xe6V>S\r|\xbe\x0c\xf3R\xac&\x04\xafiz\x00\x00|\xc0,\xc00\x00\xa3\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0\xaf\xc0\xad\xc0\xa3\xc0\x9f\xc0]\xc0a\xc0W\xc0S\xc0+\xc0/\x00\xa2\x00\x9e\xc0\xae\xc0\xac\xc0\xa2\xc0\x9e\xc0\\\xc0`\xc0V\xc0R\xc0$\xc0(\x00k\x00j\xc0#\xc0'\x00g\x00@\xc0\n\xc0\x14\x009\x008\xc0\t\xc0\x13\x003\x002\x00\x9d\xc0\xa1\xc0\x9d\xc0Q\x00\x9c\xc0\xa0\xc0\x9c\xc0P\x00=\x00<\x005\x00/\x00\x9a\x00\x99\xc0\x07\xc0\x11\x00\x96\x00\x05\x00\xff\x01\x00\x00j\x00\x00\x00\x0e\x00\x0c\x00\x00\t127.0.0.1\x00\x0b\x00\x04\x03\x00\x01\x02\x00\n\x00\x0c\x00\n\x00\x1d\x00\x17\x00\x1e\x00\x19\x00\x18\x00#\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\r\x000\x00.\x04\x03\x05\x03\x06\x03\x08\x07\x08\x08\x08\t\x08\n\x08\x0b\x08\x04\x08\x05", b'\x04\x01\x05\x01\x06\x01\x

the aim of this code is to check whether there is an account with such username and password, and if there is 1 such account in DB, we let user login

what if though this code is not as well written as it currently is? and for example it is not using ? question mark  
cs50 library defend code with ? from such attacks

if we wrote this code to manually create SQL query, we could do something like this:

In [None]:
#another_approach
rows = db.execute(f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'")

if len(rows) == 1:
    #login

in that case: since we use '' to surround users inputs into our SQL code, we could fail if they have apostrophe in their names

or they if they use ' it can finish our single quote

# Race Conditions

what happens when users try to log in or press some button on the same time?

It can happen at any time when we have shared data:  
for example when users like the same pictures on instagram, software needs to go to database and update records

In [None]:
rows = db.execute("SELECT likes FROM posts WHERE id = ?", id)
likes = rows[0]["likes"]
db.execute("UPDATE posts SET likes = ? WHERE id = ?", likes + 1, id)

- Atomic code - code that is either executed all or not executed at all

the code above is not atomic - it is executed line by line  


solutions:
- locks
- transactions:

In [None]:
db.execute("BEGIN TRANSACTION")
rows = db.execute("SELECT likes FROM posts WHERE id = ?", id)
likes = rows[0]["likes"]
db.execute("UPDATE posts SET likes = ? WHERE id = ?", likes+1, id)
db.execute("COMMIT") # commit transaction