# Psycopg – wykonywanie SQL w Pythonie

Biblioteka służąca do wykonywania kodu SQL na bazie danych z poziomu Pythona. Jest przystosowana wyłącznie do pracy z systemem PostgreSQL. Inne systemy mają swoje odpowiedniki, np.:

- [MySQL](https://pypi.org/project/mysql-connector-python/)
- [Oracle](https://pypi.org/project/oracledb/)


Najnowsza wersja ma numer 3 ([PyPI](https://pypi.org/project/psycopg/)) chociaż cały czas popularna jest wersja 2 ([PyPI](https://pypi.org/project/psycopg2/)).

In [None]:
import psycopg

In [None]:
conn = psycopg.connect(dbname="postgres", user="postgres", password="postgres", host="localhost")
cursor = conn.cursor()

## Zapytania SQL

### CREATE

In [None]:
create_query = """CREATE TABLE tasks(
    id SERIAL,
    description TEXT,
    priority SMALLINT,
    is_completed BOOLEAN
)
"""

In [None]:
cursor.execute(create_query)
conn.commit()

In [None]:
create_query = """CREATE TABLE users(
    id SERIAL,
    username VARCHAR(16),
    password VARCHAR(36),
    is_admin BOOLEAN
)
"""

In [None]:
cursor.execute(create_query)
conn.commit()

### INSERT

In [None]:
insert_query = "INSERT INTO tasks(description, priority, is_completed) VALUES('Opis zadania', 2, true)"

In [None]:
cursor.execute(insert_query)
conn.commit()

#### Klauzula `RETURNING`

In [None]:
insert_query = """INSERT INTO tasks (description, priority, is_completed)
                  VALUES ('Zrobić obiad', 3, false)  RETURNING *"""

In [None]:
cursor.execute(insert_query)
record = cursor.fetchone()
record

In [None]:
conn.commit()

### SELECT

In [None]:
select_query = "SELECT * FROM tasks"

In [None]:
cursor.execute(select_query)
results = cursor.fetchall()

In [None]:
results

**Wiersze jako słowniki**

In [None]:
cursor = conn.cursor(row_factory=psycopg.rows.dict_row)

In [None]:
cursor.execute(select_query)
results = cursor.fetchall()
results

In [None]:
cursor = conn.cursor()

### UPDATE

In [None]:
update_query = """UPDATE tasks SET description='Nauczyć się SQLa'
                  WHERE id=1 RETURNING *"""

In [None]:
cursor.execute(update_query)
record = cursor.fetchone()
record

In [None]:
conn.commit()

### DELETE

In [None]:
delete_query = "DELETE FROM tasks WHERE id=2;"
cursor.execute(delete_query)
conn.commit()

### DROP

In [None]:
drop_query = "DROP TABLE users;"

cursor.execute(drop_query)
conn.commit()

## Template'y zapytań i zapobieganie SQL injection 

In [None]:
id_number = '1'

query = f"UPDATE tasks SET priority = 3 WHERE id = {id_number}"
query

In [None]:
cursor.execute(query)
conn.commit()

---

In [None]:
# przygotowanie tabeli do usunięcia

create_query = "CREATE TABLE test();"
cursor.execute(create_query)
conn.commit()

SQL injection:

In [None]:
id_number = '1;  DROP TABLE test;'


query = f"UPDATE tasks SET priority = 4 WHERE id = {id_number}"
query

In [None]:
cursor.execute(query)
conn.commit()

---

In [None]:
id_number = '1'

query = "UPDATE tasks SET priority = 5 WHERE id = %s"

cursor.execute(query, (id_number,))
conn.commit()

Gdybyśmy chcieli zobaczyć podgląd takiego zapytania, możemy zrobić to korzystając z następującego feature'a pythonowych stringów:

In [None]:
query % (id_number,)

---

In [None]:
# create_query = "CREATE TABLE test();"
# cursor.execute(create_query)
# conn.commit()

In [None]:
id_number = '1; DROP TABLE test;'

query = "UPDATE tasks SET priority = 6 WHERE id = %s"

cursor.execute(query, (id_number,))

In [None]:
conn.rollback()

> **ZADANIA**

In [None]:
cursor.close()
conn.close()