In [None]:
%pip install pymysql sqlalchemy mysql-connector-python pandas numpy

In [3]:
import pandas as pd
import mysql.connector
from sqlalchemy import create_engine

In [4]:
# Connect to the sakila database using SQLAlchemy (recommended for pandas)
engine = create_engine('mysql+pymysql://mdsGlobalUser:mds$uper$ecurePassword123@mdsmysql.sci.pitt.edu/sakila')

# Also create mysql.connector connection for direct cursor operations
con = mysql.connector.connect(host='mdsmysql.sci.pitt.edu',
                             user='mdsGlobalUser',
                             password='mds$uper$ecurePassword123',
                             db='sakila')

### Selecting results into a Pandas dataframe

In [5]:
qry = "SELECT * FROM film;"
films = pd.read_sql(qry, con=engine)
films.head()

Unnamed: 0,film_id,title,description,release_year,language_id,original_language_id,rental_duration,rental_rate,length,replacement_cost,rating,special_features,last_update
0,1,ACADEMY DINOSAUR,A Epic Drama of a Feminist And a Mad Scientist...,2006,1,,6,0.99,86,20.99,PG,"Deleted Scenes,Behind the Scenes",2006-02-15 05:03:42
1,2,ACE GOLDFINGER,A Astounding Epistle of a Database Administrat...,2006,1,,3,4.99,48,12.99,G,"Trailers,Deleted Scenes",2006-02-15 05:03:42
2,3,ADAPTATION HOLES,A Astounding Reflection of a Lumberjack And a ...,2006,1,,7,2.99,50,18.99,NC-17,"Trailers,Deleted Scenes",2006-02-15 05:03:42
3,4,AFFAIR PREJUDICE,A Fanciful Documentary of a Frisbee And a Lumb...,2006,1,,5,2.99,117,26.99,G,"Commentaries,Behind the Scenes",2006-02-15 05:03:42
4,5,AFRICAN EGG,A Fast-Paced Documentary of a Pastry Chef And ...,2006,1,,6,2.99,130,22.99,G,Deleted Scenes,2006-02-15 05:03:42


## Parameterized queries ## 

**Parameterized queries** in pymysql (and other database libraries) are a way of executing SQL statements where the data values are kept separate from the SQL command itself. Instead of inserting data directly into the SQL string using Python string formatting or concatenation, parameterized queries use placeholders (%s in pymysql) that are safely replaced with actual values by the database driver. This method allows developers to pass query parameters separately from the SQL structure, which has significant security and reliability benefits.

The primary reason to use parameterized queries is to prevent SQL injection attacks. **SQL injection** is a type of vulnerability where an attacker can manipulate an application's SQL queries by injecting malicious code into user inputs. For example, if a developer writes a query using string interpolation like this:

For example, the following code is vulnerable to SQL injections:

* username = input("Enter username: ")
* query = f"SELECT * FROM users WHERE username = '{username}'"
* cursor.execute(query)

An attacker could enter a string like admin' OR '1'='1, which would transform the SQL into SELECT * FROM users WHERE username = 'admin' OR '1'='1', allowing access to unauthorized data. With parameterized queries, the input is never interpreted as part of the SQL logic:

The following code is safe from SQL injections:

* query = "SELECT * FROM users WHERE username = %s"
* cursor.execute(query, (username,))

In this version, pymysql ensures that the value of username is properly escaped and quoted, treating it as data rather than executable SQL code. This neutralizes any special characters or SQL keywords that might be in the input, making the query safe regardless of the user's input.

Beyond security, parameterized queries also improve code readability and maintainability. They make it easier to construct dynamic queries with variable input, reduce the risk of syntax errors, and encourage consistent practices when working with databases. They also help avoid issues related to character encoding, type conversion, and special character handling (such as quotes or backslashes in strings).


### Selecting filtered and parametrized results into a Pandas dataframe

In [6]:
query = "SELECT * FROM film WHERE title = %s;"
params = ('ALIEN CENTER',)
films = pd.read_sql(query, con=engine, params=params)
films.head()

Unnamed: 0,film_id,title,description,release_year,language_id,original_language_id,rental_duration,rental_rate,length,replacement_cost,rating,special_features,last_update
0,15,ALIEN CENTER,A Brilliant Drama of a Cat And a Mad Scientist...,2006,1,,5,2.99,46,10.99,NC-17,"Trailers,Commentaries,Behind the Scenes",2006-02-15 05:03:42


### Insert a row with PyMySQL

In [None]:
query = "INSERT INTO actor(first_name,last_name,last_update) "
query += "VALUES (%s,%s,NOW());"

con.cursor().execute(query, ('Jane', 'Smith')) 
con.commit()

### Update a MySQL table with PyMySQL

In [8]:
query = "UPDATE actor SET first_name = %s WHERE last_name = %s"
con.cursor().execute(query, ('Jennifer', 'Smith')) 
con.commit()

### Delete from a MySQL table with PyMySQL

In [9]:
query = "DELETE FROM actor WHERE last_name = %s"
con.cursor().execute(query, ('Smith',)) 
con.commit()