# SQLAlchemy

### Installation

In [None]:
%pip install sqlalchemy

### What is ORM and Why we should use sqlalchemy?

![](https://quera.org/qbox/view/HMqzgXgKZJ/ORM.png)

### Check version

In [5]:
import sqlalchemy

sqlalchemy.__version__

'2.0.19'

### Create a connection to database

In [21]:
import sqlalchemy as db


engine = db.create_engine('mysql+pymysql://root:964125032Omid@localhost/classicmodels')
conn = engine.connect()

------------

### Creating tables

In [85]:
from typing import List
from typing import Optional
from sqlalchemy import ForeignKey
from sqlalchemy import String
from sqlalchemy.orm import DeclarativeBase
from sqlalchemy.orm import Mapped
from sqlalchemy.orm import mapped_column
from sqlalchemy.orm import relationship

class Base(DeclarativeBase):
    pass

class User(Base):
    __tablename__ = "user_account"
    id: Mapped[int] = mapped_column(primary_key=True)
    name: Mapped[str] = mapped_column(String(30))
    fullname: Mapped[Optional[str]]
    addresses: Mapped[List["Address"]] = relationship(
        back_populates="user", cascade="all, delete-orphan"
    )
    def __repr__(self) -> str:
        return f"User(id={self.id!r}, name={self.name!r}, fullname={self.fullname!r})"

class Address(Base):
    __tablename__ = "address"
    id: Mapped[int] = mapped_column(primary_key=True)
    email_address: Mapped[str]
    user_id: Mapped[int] = mapped_column(ForeignKey("user_account.id"))
    user: Mapped["User"] = relationship(back_populates="addresses")
    def __repr__(self) -> str:
        return f"Address(id={self.id!r}, email_address={self.email_address!r})"

### creating an engine

In [86]:
from sqlalchemy import create_engine
engine = create_engine("sqlite://", echo=True)

### commit our queries to create the tables

In [87]:
Base.metadata.create_all(engine)

2023-10-09 09:03:08,544 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2023-10-09 09:03:08,545 INFO sqlalchemy.engine.Engine PRAGMA main.table_info("user_account")
2023-10-09 09:03:08,546 INFO sqlalchemy.engine.Engine [raw sql] ()
2023-10-09 09:03:08,547 INFO sqlalchemy.engine.Engine PRAGMA temp.table_info("user_account")
2023-10-09 09:03:08,548 INFO sqlalchemy.engine.Engine [raw sql] ()
2023-10-09 09:03:08,550 INFO sqlalchemy.engine.Engine PRAGMA main.table_info("address")
2023-10-09 09:03:08,551 INFO sqlalchemy.engine.Engine [raw sql] ()
2023-10-09 09:03:08,552 INFO sqlalchemy.engine.Engine PRAGMA temp.table_info("address")
2023-10-09 09:03:08,553 INFO sqlalchemy.engine.Engine [raw sql] ()
2023-10-09 09:03:08,555 INFO sqlalchemy.engine.Engine 
CREATE TABLE user_account (
	id INTEGER NOT NULL, 
	name VARCHAR(30) NOT NULL, 
	fullname VARCHAR, 
	PRIMARY KEY (id)
)


2023-10-09 09:03:08,556 INFO sqlalchemy.engine.Engine [no key 0.00118s] ()
2023-10-09 09:03:08,559 INFO sqlalchemy.engine.

### Insert record

In [88]:
from sqlalchemy.orm import Session

with Session(engine) as session:
    spongebob = User(
        name="spongebob",
        fullname="Spongebob Squarepants",
        addresses=[Address(email_address="spongebob@sqlalchemy.org")],
    )
    sandy = User(
        name="sandy",
        fullname="Sandy Cheeks",
        addresses=[
            Address(email_address="sandy@sqlalchemy.org"),
            Address(email_address="sandy@squirrelpower.org"),
        ],
    )
    patrick = User(name="patrick", fullname="Patrick Star")
    session.add_all([spongebob, sandy, patrick])
    session.commit()

2023-10-09 09:03:26,247 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2023-10-09 09:03:26,250 INFO sqlalchemy.engine.Engine INSERT INTO user_account (name, fullname) VALUES (?, ?) RETURNING id
2023-10-09 09:03:26,251 INFO sqlalchemy.engine.Engine [generated in 0.00011s (insertmanyvalues) 1/3 (ordered; batch not supported)] ('spongebob', 'Spongebob Squarepants')
2023-10-09 09:03:26,252 INFO sqlalchemy.engine.Engine INSERT INTO user_account (name, fullname) VALUES (?, ?) RETURNING id
2023-10-09 09:03:26,257 INFO sqlalchemy.engine.Engine [insertmanyvalues 2/3 (ordered; batch not supported)] ('sandy', 'Sandy Cheeks')
2023-10-09 09:03:26,258 INFO sqlalchemy.engine.Engine INSERT INTO user_account (name, fullname) VALUES (?, ?) RETURNING id
2023-10-09 09:03:26,259 INFO sqlalchemy.engine.Engine [insertmanyvalues 3/3 (ordered; batch not supported)] ('patrick', 'Patrick Star')
2023-10-09 09:03:26,261 INFO sqlalchemy.engine.Engine INSERT INTO address (email_address, user_id) VALUES (?, ?) RETURN

### Selecting data

In [94]:
from sqlalchemy import select

session = Session(engine)

stmt = select(User).where(User.name.in_(["spongebob", "sandy"]))

for user in session.scalars(stmt):
    print(user)

2023-10-09 09:06:14,779 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2023-10-09 09:06:14,780 INFO sqlalchemy.engine.Engine SELECT user_account.id, user_account.name, user_account.fullname 
FROM user_account 
WHERE user_account.name IN (?, ?)
2023-10-09 09:06:14,781 INFO sqlalchemy.engine.Engine [cached since 160.6s ago] ('spongebob', 'sandy')
User(id=1, name='spongebob', fullname='Spongebob Squarepants')
User(id=2, name='sandy', fullname='Sandy Cheeks')


In [90]:
stmt = (
    select(Address)
    .join(Address.user)
    .where(User.name == "sandy")
    .where(Address.email_address == "sandy@sqlalchemy.org")
)
sandy_address = session.scalars(stmt).one()
sandy_address

2023-10-09 09:03:49,493 INFO sqlalchemy.engine.Engine SELECT address.id, address.email_address, address.user_id 
FROM address JOIN user_account ON user_account.id = address.user_id 
WHERE user_account.name = ? AND address.email_address = ?
2023-10-09 09:03:49,495 INFO sqlalchemy.engine.Engine [generated in 0.00154s] ('sandy', 'sandy@sqlalchemy.org')


Address(id=2, email_address='sandy@sqlalchemy.org')

### Replacing

In [91]:
stmt = select(User).where(User.name == "patrick")
patrick = session.scalars(stmt).one()
patrick.addresses.append(Address(email_address="patrickstar@sqlalchemy.org"))
sandy_address.email_address = "sandy_cheeks@sqlalchemy.org"

session.commit()

2023-10-09 09:04:09,138 INFO sqlalchemy.engine.Engine SELECT user_account.id, user_account.name, user_account.fullname 
FROM user_account 
WHERE user_account.name = ?
2023-10-09 09:04:09,139 INFO sqlalchemy.engine.Engine [generated in 0.00128s] ('patrick',)
2023-10-09 09:04:09,143 INFO sqlalchemy.engine.Engine SELECT address.id AS address_id, address.email_address AS address_email_address, address.user_id AS address_user_id 
FROM address 
WHERE ? = address.user_id
2023-10-09 09:04:09,145 INFO sqlalchemy.engine.Engine [generated in 0.00109s] (3,)
2023-10-09 09:04:09,148 INFO sqlalchemy.engine.Engine UPDATE address SET email_address=? WHERE address.id = ?
2023-10-09 09:04:09,149 INFO sqlalchemy.engine.Engine [generated in 0.00121s] ('sandy_cheeks@sqlalchemy.org', 2)
2023-10-09 09:04:09,153 INFO sqlalchemy.engine.Engine INSERT INTO address (email_address, user_id) VALUES (?, ?)
2023-10-09 09:04:09,154 INFO sqlalchemy.engine.Engine [generated in 0.00152s] ('patrickstar@sqlalchemy.org', 3)


### Deleting

In [92]:
sandy = session.get(User, 2)
sandy.addresses.remove(sandy_address)

2023-10-09 09:04:28,786 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2023-10-09 09:04:28,788 INFO sqlalchemy.engine.Engine SELECT user_account.id AS user_account_id, user_account.name AS user_account_name, user_account.fullname AS user_account_fullname 
FROM user_account 
WHERE user_account.id = ?
2023-10-09 09:04:28,789 INFO sqlalchemy.engine.Engine [generated in 0.00097s] (2,)
2023-10-09 09:04:28,790 INFO sqlalchemy.engine.Engine SELECT address.id AS address_id, address.email_address AS address_email_address, address.user_id AS address_user_id 
FROM address 
WHERE ? = address.user_id
2023-10-09 09:04:28,792 INFO sqlalchemy.engine.Engine [cached since 19.66s ago] (2,)


----

----

----

# SQL Injection

![](https://academy.avast.com/hs-fs/hubfs/New_Avast_Academy/SQL%20injection/What%20is%20a%20SQL%20injection.png?width=660&name=What%20is%20a%20SQL%20injection.png)

SQL injection is a code injection technique that might destroy your database.

SQL injection is one of the most common web hacking techniques.

SQL injection is the placement of malicious code in SQL statements, via web page input.

---

### The main consequences are:

    Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.

    Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.

    Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
    
    Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.


### SQL Injection Based on 1=1 is Always True

![](https://techterms.com/img/xl/sql_injection_1567.png)

In [None]:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;

In [None]:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;


### SQL Injection Based on ""="" is Always True

In [None]:
 SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""="" 

### SQL Injection Based on Batched SQL Statements 

Most databases support batched SQL statement.

A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.

The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

In [None]:
 SELECT * FROM Users; DROP TABLE Suppliers 

### Use SQL Parameters for Protection

To protect a web site from SQL injection, you can use SQL parameters.

SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.