Use the proper datatypes when loading our dataset. Knowing datatypes will save space on the database server which in turn provides faster reads and writes. Furthermore, having proper datatypes will ensure that any errors in your data will be caught at insertion and your data can be queried the way you expect.

The type_code field gives a numeric code representing the type of the data inside of the table. Unless one is used to work with Postgres for a long time, it is hard to memorize these codes and to know to which type they correspond. Thankfully, there is a special table in Postgres named pg_catalog.pg_type that contains the information about the data types. We are going to see in this screen how we can get the name of a data type given its type code.

The decimal type works based on two parameters, the precision and the scale. The precision gives the maximum number of digits in total (before and after the decimal point). which is the maximum amount of digits before and/or after the decimal point. The scale specifies the maximum amount of digits after the decimal point. So, for instance, the number 23.5141 has a precision of 6 and a scale of 4. Integers can be considered to have a scale of zero.

Using Postgres, it's better to use the text field for uncertain sizes and varchar(N) for ones you know the maximum length.


Enumerated datatypes are useful in situations where a given column can only contain a predefined set of values<br/>
Equivalent and shorter and more convenient syntax using :: for converting a datatype into another<br>
ALTER TABLE table_name<br>
ALTER COLUMN column_name TYPE enum_type_name<br>
USING column_name::enum_type_name;<br>



# SQL Injections

The ability of a user to be able to execute custom SQL by replacing values by SQL code and have it executed by the database server is known as a **SQL injection**.

If a query is very long and has a lot of placeholders, positional arguments might be hard to read because we have to remember how many %s we have read so far to know to which position of the tuple it corresponds. The cursor.execute() method proposes and alternative way which uses a dictionary rather than a tuple to specify the values. Each placeholder is specified as %(key)s where key specifies a name for the value which is used as the key in the dictionary. Using this, order does not matter anymore, value are matched by keys.

cur.execute("INSERT INTO users VALUES (%(id)s, %(email)s, %(name)s, %(address)s);", {<br>
    'address': '124, Fake Street'<br>
    'name': 'John', <br>
    'id': 1000, <br>
    'email': 'hello@dataquest.io', <br>
})<br>




In [2]:
import psycopg2

In [3]:
conn = psycopg2.connect("dbname=Dataquest user=postgres password=123")

In [4]:
cur = conn.cursor()

In [6]:
cur.execute("SELECT * FROM users LIMIT 5")
cur.fetchall()

[(0,
  'anna.carter@gmail.com',
  'Anna Carter',
  '27183 Craig Shore Suite 886 New Benjamin TN 92858'),
 (1,
  'joseph.kirby@yahoo.com',
  'Joseph Kirby',
  '3594 Fox Ford Apt. 192 West Kristen GA 22838-8977'),
 (2,
  'larry.cain@martinez.net',
  'Larry Cain',
  '58208 Cook Bypass West Benjaminfurt OH 25179'),
 (3,
  'johnathan.soto@yahoo.com',
  'Johnathan Soto',
  '68536 Avery Expressway Amberton PA 95197'),
 (4,
  'paula.acosta@yahoo.com',
  'Paula Acosta',
  '065 Kayla Alley Apt. 098 Walkerview NH 14274')]

In [7]:
conn.close()

In [8]:
def get_email(name):
    import psycopg2
    conn = psycopg2.connect("dbname=Dataquest user=postgres password=123")
    cur = conn.cursor()
    #create the query string using the format function
    query_string = "SELECT email FROM users WHERE name='" + name + "';"
    #execute the query
    cur.execute(query_string)
    res = cur.fetchall()
    conn.close()
    return res


In [9]:
all_emails = get_email("Joseph Kirby' OR 1 = 1; --")

In [10]:
all_emails

[('anna.carter@gmail.com',),
 ('joseph.kirby@yahoo.com',),
 ('larry.cain@martinez.net',),
 ('johnathan.soto@yahoo.com',),
 ('paula.acosta@yahoo.com',),
 ('james.west@lam.com',),
 ('tammy.hodges@nunez.info',),
 ('travis.brown@jones.info',),
 ('troy.baldwin@hotmail.com',),
 ('mrs..amanda@hotmail.com',),
 ('brian.williams@hotmail.com',),
 ('michael.parks@hodges.com',),
 ('john.hernandez@cooper-baker.net',),
 ('monica.jones@olson.org',),
 ('randy.carroll@wolf.info',),
 ('holly.oliver@yahoo.com',),
 ('tracey.love@hotmail.com',),
 ('william.hayes@yahoo.com',),
 ('christopher.ross@mcknight-mcguire.com',),
 ('joshua.dominguez@richardson.com',),
 ('stephanie.ho@gmail.com',),
 ('gary.medina@hotmail.com',),
 ('joann.weaver@yahoo.com',),
 ('dr..robert@gmail.com',),
 ('thomas.williams@hotmail.com',),
 ('ashley.hudson@hotmail.com',),
 ('charles.macdonald@yahoo.com',),
 ('jonathan.haynes@gordon.info',),
 ('megan.moran@johnson.com',),
 ('daniel.holmes@king-scott.com',),
 ('james.torres@bruce-greene.bi

To get address as well use UNION. UNION command we can group together the result of two SQL queries as long as they both result in the same number of columns with matching data types.


In [11]:
name = "Joseph Kirby' UNION SELECT address FROM users WHERE name = 'Joseph Kirby"
address_and_email = get_email(name)
print(address_and_email)

[('3594 Fox Ford Apt. 192 West Kristen GA 22838-8977',), ('joseph.kirby@yahoo.com',)]


Manually formating the query strings from given input parameters can easily open the door for SQL injections where a user is able to execute a custom query by passing it as a parameter.

In [12]:
def get_email_fixed(name):
    import psycopg2
    conn = psycopg2.connect("dbname=dq user=dq")
    cur = conn.cursor()
    # fix the line below
    cur.execute("SELECT email FROM users WHERE name = %s;", (name,))
    res = cur.fetchall()
    conn.close()
    return res

## Prepared Statement
 
We can use the cursor.execute() method from the psycopg2 library in order to help avoid SQL injections. However there is a direct way to do it in SQL using the PREPARE statement to form a prepared statement.

`PREPARE insert_user(integer, text, text, text) AS`<br>
    `INSERT INTO users VALUES ($1, $2, $3, $4);`
    
When we issue this command we create a new statement named insert_user that takes in four arguments. The first argument must be of type integer and the remaining three arguments of type text because there are the types used to represent the fours columns of the users table. The SQL statement that comes after the AS keyword corresponds to the body of the prepared statement. This represents the actual query to be executed whenever we execute the statement insert_user.

You can think of prepared statement of being analogous to Python functions. In the above example, it is like you are defining a function named insert_user that has four arguments. The body of the function in this case has the single line INSERT INTO users VALUES ($1, $2, $3, $4); where $1, $2, $3 and $4 represent the values of the four arguments.

Note that the syntax for placeholders in the PREPARE statement is different from the one used by the cursor.execute() method from the psycopg2 Python module. In this case the placeholders are numbered $1, ..., $4 and the arguments will replace them in the order of the numbers. So the first argument will replace $1, the second $2 and so on.

To execute a prepared statement we use the EXECUTE command as follows:<br>
`EXECUTE insert_user(10002, 'bob@dataquest.io', 'Bob', '101 Fake Street');`

Do not confuse the cursor.execute() method with the EXECUTE SQL command. The cursor.execute() method is a method from the cursor object of the psycopg2 Python module. It is used to issue SQL commands to the Postgres database using Python. On the other hand, the EXECUTE command is a SQL command that is used to run a prepared statement.

In Postgres we can prepare and run a prepared statement as follows:


In [13]:
# import psycopg2
# conn = psycopg2.connect("dbname=dq user=dq")
# cur = conn.cursor()
# cur.execute("""
#     PREPARE insert_user(integer, text, text, text) AS
#         INSERT INTO users VALUES ($1, $2, $3, $4);
# """)
# cur.execute("""
#     EXECUTE insert_user(%s, %s, %s, %s);
# """, (10002, 'bob@dataquest.io', 'Bob', '101 Fake Street'))

Even though prepared statements protect us from SQL injections, we recommend you to pass the values using the execute method as it makes it easier to avoid syntax problems. For instance, the previous problem of having a comma in the address will still cause a error when using prepared statements.

It is important for you to learn prepared statement because they are not specific to Postgres and exist in others SQL servers such as MySQL

When we create a prepared statement in Postgres, it is stored in a table named **pg_prepared_statements**. The prepared statements are local for the current connection meaning that:

1. They will disappear when the connection is closed.
2. Are only visible using the cursor from the connection with which it was created.

From the documentation of prepared statements we see that the this table contains five columns. The columns contain the following information:

1. The name of the prepared statement, in this case insert_user.
* A string containing the prepared statement itself.
* A datetime object giving the time at which it was created.
* The datatypes of the arguments of the prepared statement.
* A boolean value specifying whether or not it was created with a PREPARE command.

This table is mostly useful for you to be able to see the current prepared statements. We believe that in general it is important to learn Postgres internal tables to be able to get a deeper understanding of how it works.

Let's practice one more time with creating a prepared statement and inspect the pg_prepared_statements table to check that it indeed appears there.

In [16]:
conn = psycopg2.connect("dbname=Dataquest user=postgres password=123")

In [17]:
cur = conn.cursor()

In [18]:
cur.execute("""PREPARE get_email(text) AS
                SELECT email FROM users WHERE name = $1;
""")

In [22]:
cur.execute("""EXECUTE get_email(%s);
""",('Anna Carter',))

In [23]:
anna_email = cur.fetchone()

In [24]:
cur.execute("SELECT * FROM pg_prepared_statements;")
print(cur.fetchall())

[('get_email', 'PREPARE get_email(text) AS\n                SELECT email FROM users WHERE name = $1;\n', datetime.datetime(2021, 8, 14, 22, 30, 12, 771073, tzinfo=psycopg2.tz.FixedOffsetTimezone(offset=-240, name=None)), '{text}', True)]


**Prepared statements main purpose is to avoid SQL injections**.<br>
However they can sometimes accelerate queries.<br>
To analyze the speed gained from using prepared statement we performing the same query a lot of times.<br>
When we perform a SQL query, in a high level the following steps occur:<br>

<Img src="https://github.com/rhnyewale/PostgreSQL/blob/main/Images/SQL_query_parsing_rewrite_planning_execution.JPG?raw=true">
    
    
1. The query is parsed for correct syntax

2. If there are no syntax errors, the query is transformed into something that the SQL engine can understand and execute

3. Using the result from step 2 a query plan is created that tries to find the most efficient way to execute the query

4. The plan produced on step 3 is executed on the database
    
In contrast, when we prepare a statement as we did before, steps 1, 2 and 3 are performed at that moment. This means that the query is ready to be executed on the database. This has two major consequences:

1. Whenever we execute a prepared statement, the query plan will already exist so it will be executed directly.
2. Since we don't go over a parsing step anymore, no SQL code passed as a value will ever be interpreted as SQL code thus preventing SQL injections.
    
Let's compare the runtime of inserting all users with and without prepared statements. 
    
`import timeit`<br>
`runtime = timeit.timeit(function_name, number=1)`
    
function_name is the name of the function that we want to time and number is the number of times that we want to execute the function. In general, to get an estimation of the runtime we run the function several times and compute the average runtime

In [None]:
import timeit
import psycopg2
import csv
# function that inserts all users using a prepared statement
def prepared_insert():
    conn = psycopg2.connect("dbname=Dataquest user=postgres password=123")
    cur = conn.cursor()           
    cur.execute("""
        PREPARE insert_user(integer, text, text, text) AS
        INSERT INTO users VALUES ($1, $2, $3, $4)
    """)
    for user in users:
        cur.execute("EXECUTE insert_user(%s, %s, %s, %s)", user)
    conn.close()

# function that insert all users using a new INSERT query for each user
def regular_insert():
    conn = psycopg2.connect("dbname=Dataquest user=postgres password=123")
    cur = conn.cursor()           
    for user in users:
        cur.execute("""
            INSERT INTO users VALUES (%s, %s, %s, %s)
        """, user)
    conn.close()

# read the users into a list
users = [ ]
with open('user_accounts.csv', 'r') as file:
    next(file) # skip csv header
    reader = csv.reader(file)
    for row in reader:
        users.append(row)
# write you code here
time_prepared = timeit.timeit(prepared_insert, number=1)
time_regular = timeit.timeit(regular_insert, number=1)
print(time_prepared)
print(time_regular)