In [1]:
import pandas as pd

# Datasets

In [2]:
movies = pd.read_csv('data/movies.csv')
movie_info = pd.read_csv('data/movie_info.csv')
buildings = pd.read_csv('data/buildings.csv')
employees = pd.read_csv('data/employees.csv')
cities = pd.read_csv('data/cities.csv')

In [3]:
movies

Unnamed: 0,id,title,director,year,length_minutes
0,1,Toy Story,John Lasseter,1995,81
1,2,A Bug's Life,John Lasseter,1998,95
2,3,Toy Story 2,John Lasseter,1999,93
3,4,"Monsters, Inc.",Pete Docter,2001,92
4,5,Finding Nemo,Andrew Stanton,2003,107
5,6,The Incredibles,Brad Bird,2004,116
6,7,Cars,John Lasseter,2006,117
7,8,Ratatouille,Brad Bird,2007,115
8,9,WALL-E,Andrew Stanton,2008,104
9,10,Up,Pete Docter,2009,101


# Connect to database

## We'll use an API (Application Programming Interface) to connect to our database.

SQLAlchemy is the Python SQL toolkit and Object Relational Mapper that gives application developers the full power and flexibility of SQL.

In [4]:
!pip install SQLAlchemy



In [5]:
!pip install psycopg2



In [6]:
import sqlalchemy as db


To connect to a database you will usually pass something called `connection string` or `database url` For sqlalchemy it consists of:
- **DB server name** (`mysql`, `postgresql`, `mongodb`) --> official name: _dialect_ 
- **[+driver]** --> Optional driver name, the name of the API to connect with the DB (`psycopg2`, `pyodbc`) 
- ://**username:password** --> password you set up when created database on pgadmin4 for instance
- @**hostname** --> when running locally (`localhost` or `127.0.0.1`), in practice a url provided by the admin.
- /**database name** name of the specific database database you're connecting to (`review`)

In [7]:
db.create_engine

<function sqlalchemy.engine.create_engine(*args, **kwargs)>

In [8]:
import sqlalchemy as db

# create the engine
engine = db.create_engine('postgresql+psycopg2://postgres:123@localhost/aula_conexao')
# connection

# localhost = 127.0.0.1

# open the connection
conn = engine.connect()

In [9]:
db_server = 'postgresql'
user = 'postgres'
password = '123'
ip = 'localhost'
db_name = 'applestore'

# create the engine
engine2 = db.create_engine(f'{db_server}://{user}:{password}@{ip}/{db_name}')

# open the connection
conn2 = engine2.connect()

# CREATING TABLE via python

The pandas module has built-in functionalities that handles that for you ♥️

In [10]:
employees.head(2)

Unnamed: 0,role,name,years_employed,building
0,Engineer,Becky A.,4,Burj Khalifa
1,Engineer,Dan B.,2,Burj Khalifa


In [11]:
employees.to_sql('employees', con=conn, if_exists='replace', index=True)

## READING TABLE via python

In [12]:
df = pd.read_sql('SELECT * FROM data;', con=conn2)
df.columns

Index(['id', 'track_name', 'size_bytes', 'currency', 'price',
       'rating_count_tot', 'rating_count_ver', 'user_rating',
       'user_rating_ver', 'ver', 'cont_rating', 'prime_genre',
       'sup_devices.num', 'ipadSc_urls.num', 'lang.num', 'vpp_lic'],
      dtype='object')

## You can read a table directly 

In [13]:
pd.read_sql_table('employees', con=conn2)

Unnamed: 0,role,name,years_employed,building
0,Engineer,Becky A.,4,Burj Khalifa
1,Engineer,Dan B.,2,Burj Khalifa
2,Engineer,Sharon F.,6,Burj Khalifa
3,Engineer,Dan M.,4,Burj Khalifa
4,Engineer,Malcom S.,1,Burj Khalifa
5,Artist,Tylar S.,2,Empire State
6,Artist,Sherman D.,8,Empire State
7,Artist,Jakob J.,6,Empire State
8,Artist,Lillia A.,7,Empire State
9,Artist,Brandon J.,7,Empire State


In [14]:
# pd.read_sql('employees', con=conn) or pd.read_sql('SELECT * FROM employees;', con=conn)

# Inserting all tables into database:

In [15]:
movies.to_sql('movies', conn, if_exists='replace', index=False)

employees.to_sql('employees', conn, if_exists='replace', index=False)

cities.to_sql('cities', conn, if_exists='replace', index=False)

movie_info.to_sql('movie_info', conn, if_exists='replace', index=False)

buildings.to_sql('buildings', conn, if_exists='replace', index=False)

## Let's check that

In [16]:
query = '''
SELECT  id, 
        title, 
        director, 
        year, 
        length_minutes
  FROM movies
 LIMIT 10
 '''

In [17]:
pd.read_sql(query, con=conn)

Unnamed: 0,id,title,director,year,length_minutes
0,1,Toy Story,John Lasseter,1995,81
1,2,A Bug's Life,John Lasseter,1998,95
2,3,Toy Story 2,John Lasseter,1999,93
3,4,"Monsters, Inc.",Pete Docter,2001,92
4,5,Finding Nemo,Andrew Stanton,2003,107
5,6,The Incredibles,Brad Bird,2004,116
6,7,Cars,John Lasseter,2006,117
7,8,Ratatouille,Brad Bird,2007,115
8,9,WALL-E,Andrew Stanton,2008,104
9,10,Up,Pete Docter,2009,101


In [18]:
from IPython.display import display, Markdown

def pprint(query):
    display(Markdown(f'''```mysql 
    {query}```'''))

In [19]:
pprint('''SELECT * FROM bla''')

```mysql 
    SELECT * FROM bla```

In [20]:
pprint(query)

```mysql 
    
SELECT  id, 
        title, 
        director, 
        year, 
        length_minutes
  FROM movies
 LIMIT 10
 ```

# Two connections

In [22]:
import sqlalchemy as db

# create the engine
engine2 = db.create_engine('postgresql+psycopg2://postgres:123@localhost/applestore')

# localhost = 127.0.0.1

# open the connection
conn2 = engine2.connect()

In [23]:
pd.read_sql('SELECT * FROM data', con=conn2)

Unnamed: 0,id,track_name,size_bytes,currency,price,rating_count_tot,rating_count_ver,user_rating,user_rating_ver,ver,cont_rating,prime_genre,sup_devices.num,ipadSc_urls.num,lang.num,vpp_lic
0,281656475,PAC-MAN Premium,100788224,USD,3.99,21292,26,4.0,4.5,6.3.5,4+,Games,38,5,10,1
1,281796108,Evernote - stay organized,158578688,USD,0.00,161065,26,4.0,3.5,8.2.2,4+,Productivity,37,5,23,1
2,281940292,"WeatherBug - Local Weather, Radar, Maps, Alerts",100524032,USD,0.00,188583,2822,3.5,4.5,5.0.0,4+,Weather,37,5,3,1
3,282614216,"eBay: Best App to Buy, Sell, Save! Online Shop...",128512000,USD,0.00,262241,649,4.0,4.5,5.10.0,12+,Shopping,37,5,9,1
4,282935706,Bible,92774400,USD,0.00,985920,5320,4.5,5.0,7.5.1,4+,Reference,37,5,45,1
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
7192,1187617475,Kubik,126644224,USD,0.00,142,75,4.5,4.5,1.3,4+,Games,38,5,1,1
7193,1187682390,VR Roller-Coaster,120760320,USD,0.00,30,30,4.5,4.5,0.9,4+,Games,38,0,1,1
7194,1187779532,Bret Michaels Emojis + Lyric Keyboard,111322112,USD,1.99,15,0,4.5,0.0,1.0.2,9+,Utilities,37,1,1,1
7195,1187838770,VR Roller Coaster World - Virtual Reality,97235968,USD,0.00,85,32,4.5,4.5,1.0.15,12+,Games,38,0,2,1


# SQL mini-challenges.

-----------

# SELECT queries

For the `movies` table:

In [26]:
# select one column
query = '''
SELECT title 
  FROM movies;
'''
pprint(query)

pd.read_sql(query, con=conn)

```mysql 
    
SELECT title 
  FROM movies;
```

Unnamed: 0,title
0,Toy Story
1,A Bug's Life
2,Toy Story 2
3,"Monsters, Inc."
4,Finding Nemo
5,The Incredibles
6,Cars
7,Ratatouille
8,WALL-E
9,Up


In [27]:
# select two columns

query = '''
SELECT title, 
       director 
  FROM movies'''

pprint(query)
pd.read_sql(query, con=conn)

```mysql 
    
SELECT title, 
       director 
  FROM movies```

Unnamed: 0,title,director
0,Toy Story,John Lasseter
1,A Bug's Life,John Lasseter
2,Toy Story 2,John Lasseter
3,"Monsters, Inc.",Pete Docter
4,Finding Nemo,Andrew Stanton
5,The Incredibles,Brad Bird
6,Cars,John Lasseter
7,Ratatouille,Brad Bird
8,WALL-E,Andrew Stanton
9,Up,Pete Docter


In [28]:
# select all columns

query = 'SELECT * FROM movies'
pprint(query)
pd.read_sql(query, con=conn)

```mysql 
    SELECT * FROM movies```

Unnamed: 0,id,title,director,year,length_minutes
0,1,Toy Story,John Lasseter,1995,81
1,2,A Bug's Life,John Lasseter,1998,95
2,3,Toy Story 2,John Lasseter,1999,93
3,4,"Monsters, Inc.",Pete Docter,2001,92
4,5,Finding Nemo,Andrew Stanton,2003,107
5,6,The Incredibles,Brad Bird,2004,116
6,7,Cars,John Lasseter,2006,117
7,8,Ratatouille,Brad Bird,2007,115
8,9,WALL-E,Andrew Stanton,2008,104
9,10,Up,Pete Docter,2009,101


# WHERE clause - filters

1. Find the movie with a row id of 6 and 3
2. Find the movies released in the years between 2000 and 2010
3. Find the movies not released in the years between 2000 and 2010
4. Find the last 5 Pixar movies and their release year

In [30]:
# select rows whose id = 6 or 3

query = '''
SELECT * FROM movies
WHERE id =6 OR id =3
'''

pprint(query)

pd.read_sql(query, conn)


```mysql 
    
SELECT * FROM movies
WHERE id =6 OR id =3
```

Unnamed: 0,id,title,director,year,length_minutes
0,3,Toy Story 2,John Lasseter,1999,93
1,6,The Incredibles,Brad Bird,2004,116


In [35]:
# using the IN syntax

my_tuple = (3,6)
selected_columns = 'title, director, year, length_minutes'
query =f'''
SELECT {selected_columns} FROM movies
WHERE id IN {my_tuple}  
'''

pprint(query)

pd.read_sql(query, conn)


```mysql 
    
SELECT title, director, year, length_minutes FROM movies
WHERE id IN (3, 6)  
```

Unnamed: 0,title,director,year,length_minutes
0,Toy Story 2,John Lasseter,1999,93
1,The Incredibles,Brad Bird,2004,116


In [None]:
# this is a tuple, you could use a python variable to do the same:

query = f'''
'''

pprint(query)

pd.read_sql(query, conn)


In [36]:
# between syntax: find movies between 2001 and 2010
query = '''
SELECT * FROM movies WHERE year BETWEEN 2001 AND 2010
'''

pd.read_sql(query, con=conn)

Unnamed: 0,id,title,director,year,length_minutes
0,4,"Monsters, Inc.",Pete Docter,2001,92
1,5,Finding Nemo,Andrew Stanton,2003,107
2,6,The Incredibles,Brad Bird,2004,116
3,7,Cars,John Lasseter,2006,117
4,8,Ratatouille,Brad Bird,2007,115
5,9,WALL-E,Andrew Stanton,2008,104
6,10,Up,Pete Docter,2009,101
7,11,Toy Story 3,Lee Unkrich,2010,103


In [37]:
# NOT between also works
query = '''
SELECT * FROM movies WHERE year NOT BETWEEN 2001 AND 2010
'''
pd.read_sql(query, con=conn)

Unnamed: 0,id,title,director,year,length_minutes
0,1,Toy Story,John Lasseter,1995,81
1,2,A Bug's Life,John Lasseter,1998,95
2,3,Toy Story 2,John Lasseter,1999,93
3,12,Cars 2,John Lasseter,2011,120
4,13,Brave,Brenda Chapman,2012,102
5,14,Monsters University,Dan Scanlon,2013,110
6,87,WALL-G,Brenda Chapman,2042,97


In [38]:
query = '''
SELECT * 
  FROM movies
 ORDER BY year DESC
 LIMIT 5;
'''

pd.read_sql(query, con=conn)

Unnamed: 0,id,title,director,year,length_minutes
0,87,WALL-G,Brenda Chapman,2042,97
1,14,Monsters University,Dan Scanlon,2013,110
2,13,Brave,Brenda Chapman,2012,102
3,12,Cars 2,John Lasseter,2011,120
4,11,Toy Story 3,Lee Unkrich,2010,103


# LIKE clause, % and _

1. Find all the Toy Story movies
2. Find all the movies directed by John Lasseter
3. Find all the movies (and director) not directed by someone named John
4. Find all the WALL-* movies

In [39]:
# this is how it would work in pgAdmin
query = """
SELECT * 
  FROM movies 
 WHERE title LIKE 'Toy %'
 """
pd.read_sql(query, conn)


TypeError: 'dict' object does not support indexing

In [40]:
# but in python, you have to escape the % with another %.
query = "SELECT * FROM movies WHERE title LIKE 'Toy %%'" 
pd.read_sql(query, conn)

# query = db.text("SELECT * FROM movies WHERE title LIKE 'Toy %'") # also works

# pd.read_sql(query, conn)



Unnamed: 0,id,title,director,year,length_minutes
0,1,Toy Story,John Lasseter,1995,81
1,3,Toy Story 2,John Lasseter,1999,93
2,11,Toy Story 3,Lee Unkrich,2010,103


# Regex PostgreSQL ~

In [None]:
query = "SELECT * FROM movies WHERE title ~ 'Toy [Ss]tory \d'"

pd.read_sql(query, conn)

In [None]:
# 3
# Find all the movies (and director) not directed by John's

query = '''
SELECT title, director
 FROM movies 
WHERE director NOT LIKE 'John %%'
'''

pprint(query)

pd.read_sql(query, conn)

In [None]:

# using the like syntax
query = "SELECT * FROM movies WHERE title LIKE 'WALL-_'"

pd.read_sql(query, conn)

In [None]:
# using regex
query = "SELECT * FROM movies WHERE title ~ 'WALL-\w'"

pd.read_sql(query, conn)

# ORDER BY clause, DISTINCT, OFFSET

1. List all directors of Pixar movies (alphabetically), **without duplicates**
2. List the last four Pixar movies released (ordered from most recent to least)
3. List the first five Pixar movies sorted alphabetically
4. List the next five Pixar movies sorted alphabetically

In [None]:
# using SQL syntax
query = '''
'''

pd.read_sql(query, con=conn)

In [None]:
# using python to remove duplicates

pd.read_sql(query, con=conn)

In [None]:
def read_sql(query, con=conn):
    pprint(query)
    return pd.read_sql(query, con=conn)
    

In [None]:
read_sql('SELECT * FROM movies;')

-------------

# JOINS - Inner joins

From tables `movies` and `movie_info`

1. Find the domestic and international sales for each movie
2. Show the sales numbers for each movie that did better internationally rather than domestically
3. List all the movies by their ratings in descending order

From table `buildings` and `employees`

1. Find the list of all buildings that have employees
2. Find the list of all buildings and their height
3. List all buildings and the distinct employee roles in each building (including empty buildings)
4. Find the name and role of all employees who have not been assigned to a building
5. Find the names of the buildings that hold no employees

In [None]:
pd.read_sql('movie_info', con=conn)

In [None]:
#employees
query = '''
SELECT A.*,
       B.*
  FROM employees AS A
       LEFT JOIN
       buildings AS B
    ON A.building = B." building_name"
 WHERE A.building IS NULL
'''

pd.read_sql(query, con=conn)


# Performing calculations inside queries

From tables `movies` and `movie_info`: 

0. Create a variable called fl_post_millenium which results in 1 if the year is <= 2000 else 0
1. List all movies and their combined sales in millions of dollars
2. List all movies and their ratings in percent
3. List all movies that were released on even number years

# Group by's and aggregations - MAX, AVG, SUM

From tables `employees` and `buildings`

1. Find the longest time that an employee has been at the Empire State
2. For each role, find the average number of years employed by employees in that role
3. Find the total number of years worked in each building

In [None]:
# 1
query = '''
SELECT * FROM  employees WHERE years_employed = (SELECT MAX(years_employed) FROM employees)
'''

pd.read_sql(query, con=conn)


In [None]:
query = '''
SELECT role,
       AVG(years_employed) AS avg_years,
       SUM(years_employed) AS sum_years
  FROM employees
 GROUP BY role
'''

pd.read_sql(query, con=conn)


In [None]:
employees.groupby(by='role').agg(['mean','max'])

In [None]:
employees

In [None]:
# named aggregation
employees.groupby(by='role').agg(avg_years=('years_employed', 'mean'),
                                 max_years=('years_employed', 'max')).reset_index()

# DROP AND CREATE TABLE

In [None]:
conn.execute('DROP TABLE employees;')

In [None]:
conn.closed

In [None]:
conn.close()

# ❌ DANGER ❌


In [None]:
df = pd.DataFrame(data=[('andre','admin'), 
                        ('matheus','qwerty'),
                        ('marcus','1234567890'), 
                        ('duane','0987654321')], 
                  columns=['username', 'password'])

In [None]:
df

In [None]:
df.to_sql('user_info', con=conn, if_exists='replace', index=False)

In [None]:
pd.read_sql('SELECT * FROM user_info', con=conn)

In [None]:
query = '''
SELECT * FROM user_info WHERE username = 'andre' AND password = 'admin'
'''

In [None]:
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
def check_access(username, password):
    '''
    This function returns True if you find someone in the `user_info` database by
    matching correct `username` and `password`
    '''
    
    # try to find a row with that username and password on the database
    
    # if the lenght of the result is greater than 0, it means you've found, then return True
    
    # else return False.

In [None]:
check_access("andre", "admin")

# SQL Injection


0. Search for vulnerabilities.
> `inurl:index.php?id=1`

1. Enter the website 

2. Check if it is vulnerable to SQL-injection 
> plug a backtick (`) at the end of the id=1 query

> https://security.stackexchange.com/questions/121204/dumping-custom-query-via-sql-injection-when-output-is-in-the-die-function

**Important Note**: SQL injection is not legal. Train elsewhere https://ringzer0ctf.com/