**NOTE: Distributing or uploading this course material to a public repository (e.g., GitHub) is strictly prohibited.**

## **Database Creation**

We want to implement an OpenCourseWare service using SQLite3. Continuing from the first mini-project, we will add one attribute `"added"` in the `"kmooc_learningpath_courses"` table, which indicates the date when a course was added to a learning path.

The given 'create_database_proj2.sql' file contains the definition of the schema and a sample set of the tuples. You can download it from [here](https://drive.google.com/file/d/1GAXDhCxG2RS9tQtRIq7a4i2_fxBs3FIC/view?usp=sharing).

Please see the file for detailed schema. Note that you need to use 'create_database_proj**2**.sql', not 'create_database_proj**1**.sql'.

We will implement several core modules of the service.

In [None]:
from google.colab import drive
drive.mount('/content/drive')

Mounted at /content/drive


In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

# Enter your solution here
# Execute the SQL statements in 'create_database_proj2.sql'.
# If you placed this file in the 'MyDrive' folder, its path is '/content/drive/MyDrive/create_database_proj2.sql'.

f = open("/content/drive/MyDrive/create_database_proj2.sql", 'r')
sql_file = f.read()
f.close()
sql_command = sql_file.split(';')
for command in sql_command:
  cur.execute(command)

conn.commit()
conn.close()

## **Module 1**

We need to extract the information about the courses belonging to the learning paths, which were added from 2021-02-01 to 2021-03-31 (YYYY-MM-DD).

The output table should contain the following columns:
- *added* column from the `"kmooc_learningpath_courses"` table
- *title* column from the `"kmooc_course"` table

Sort the output table in the ascending order of the *added* column.

**Format**:
>```
('2021-03-08', '210+ Exercises - Python - Embedded Modules - A to Z')
...
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

# Enter your solution here
cur.execute("""
SELECT lpc.added, c.title
FROM kmooc_learningpath_courses AS lpc
JOIN kmooc_course AS c
ON lpc.course_id = c.id
WHERE date(added) BETWEEN date("2021-02-01") AND date("2021-03-31")
ORDER BY lpc.added ASC;
""")
for row in cur.fetchall():
  print(row)

conn.commit()
conn.close()

('2021-02-03', 'C programming - from A to Z')
('2021-02-05', '200+ Exercises - Programming in Python - from A to Z')
('2021-02-17', '150+ Exercises - Programming in C language - from A to Z')
('2021-03-08', '210+ Exercises - Python - Embedded Modules - A to Z')
('2021-03-15', 'Programming in C++ - from A to Z')
('2021-03-22', '150+ Exercises - Programming in C++ - from A to Z')
('2021-03-30', 'Object-oriented programming in Python - OOP - from A to Z')


## **Module 2**

From the *added* column of the `"kmooc_learningpath_courses"` table, extract the month number and show it as the `"month"` column. Also, extract the symbol representing the quarter (`'Q1'`, `'Q2'`, `'Q3'`, `'Q4'`) and show it as the `"quarter"` column.

The output table should contain the following columns:
- *added* column from the table `"kmooc_learningpath_courses"`
- *month* column with the month number
- *quarter* column with the symbol of the quarter

Use the SELECT CASE statement in your solution. Sort the output table in the ascending order of the *added* column.

**Format**:
>```
('2021-02-05', 2, 'Q1')
('2021-05-13', 5, 'Q2')
...
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

# Enter your solution here
cur.execute("""
  SELECT added,
    CAST(substr(added, 6, 2) AS INT) "month",
    CASE
      WHEN CAST(substr(added, 6, 2) AS INT) IN (1, 2, 3) THEN "Q1"
      WHEN CAST(substr(added, 6, 2) AS INT) IN (4, 5, 6) THEN "Q2"
      WHEN CAST(substr(added, 6, 2) AS INT) IN (7, 8, 9) THEN "Q3"
      WHEN CAST(substr(added, 6, 2) AS INT) IN (10, 11, 12) THEN "Q4"
      ELSE "FAIL"
    END "quarter"
  FROM kmooc_learningpath_courses
  ORDER BY added ASC;
""")
for row in cur.fetchall():
  print(row)

conn.commit()
conn.close()

('2021-01-05', 1, 'Q1')
('2021-01-26', 1, 'Q1')
('2021-02-03', 2, 'Q1')
('2021-02-05', 2, 'Q1')
('2021-02-17', 2, 'Q1')
('2021-03-08', 3, 'Q1')
('2021-03-15', 3, 'Q1')
('2021-03-22', 3, 'Q1')
('2021-03-30', 3, 'Q1')
('2021-04-13', 4, 'Q2')
('2021-05-11', 5, 'Q2')
('2021-05-12', 5, 'Q2')


## **Module 3**

From the *added* column of the `"kmooc_learningpath_courses"` table, extract the symbol representing the quarter (`'Q1'`, `'Q2'`, `'Q3'`, `'Q4'`) and show it as the column `"quarter"`. Then, group the data in the table by `"quarter"`, count the number of all courses added in each quarter, and show it as the `"num_courses"` column.

The output table should contain the following columns:
- *quarter* column with the symbol of the quarter
- *num_courses* column with the number of courses added in a given quarter

Use the SELECT CASE statement in your solution. Sort the output table in the ascending order of the *quarter* column.

**Format**:
>```
('Q1', 8)
('Q2', 12)
...
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

# Enter your solution here
cur.execute("""
  SELECT
    CASE
      WHEN CAST(substr(added, 6, 2) AS INT) IN (1, 2, 3) THEN "Q1"
      WHEN CAST(substr(added, 6, 2) AS INT) IN (4, 5, 6) THEN "Q2"
      WHEN CAST(substr(added, 6, 2) AS INT) IN (7, 8, 9) THEN "Q3"
      WHEN CAST(substr(added, 6, 2) AS INT) IN (10, 11, 12) THEN "Q4"
      ELSE "FAIL"
    END "quarter",
    count("quarter") "num_courses"
  FROM kmooc_learningpath_courses
  GROUP BY "quarter"
  ORDER BY "quarter" ASC;
""")
for row in cur.fetchall():
  print(row)

conn.commit()
conn.close()

('Q1', 9)
('Q2', 3)


## **Module 4**

From the *added* column of the `"kmooc_learningpath_courses"` table, for each learning path in the table, extract the number of days passed from the date when the first course was added to the date when the last course was added. Show it as the `"num_days_passed"` column.

The output table should contain the following columns:
- *learningpath_id* column
- *num_days_passed* column with the number of days between the first and last courses

Use JulianDay() to calculate the number of days between two dates. You can use Cast() to print integer (not float) values for the second column as below. Sort the output table in the descending order of the *num_days_passed* column.

**Format**:
>```
(1, 30)
(2, 25)
...
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

# Enter your solution here
cur.execute("""
SELECT learningpath_id,
	cast(julianday(max(added)) - julianday(min(added)) AS INT) num_days_passed
FROM kmooc_learningpath_courses
GROUP BY learningpath_id
ORDER BY num_days_passed DESC;
""")
for row in cur.fetchall():
  print(row)

conn.commit()
conn.close()

(3, 126)
(2, 58)
(1, 14)


## **Module 5**

From the *added* column of the `"kmooc_learningpath_courses"` table, for each learning path in the table, extract the number of days passed since the last course was added, as of 2021-09-25 (assuming that today is 2021-09-25). Show it as the `"num_days_passed"` column.

The output table should contain the following columns:
- *learningpath_id* column
- *num_days_passed* column with the number of days passed since the last addition

Use JulianDay() to calculate the number of days between two dates. You can use Cast() to print integer (not float) values for the second column as below. Sort the output table in the descending order of the *num_days_passed* column.

**Format**:
>```
(1, 230)
(2, 125)
...
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

# Enter your solution here
cur.execute("""
SELECT DISTINCT learningpath_id,
	cast(julianday("2021-09-25") - julianday(max(added)) AS INT) num_days_passed
FROM kmooc_learningpath_courses
GROUP BY learningpath_id
ORDER BY num_days_passed DESC;
""")
for row in cur.fetchall():
  print(row)

conn.commit()
conn.close()

(1, 220)
(3, 137)
(2, 136)


## **Module 6**

The `"kmooc_instructor"` table contains two records. Using the appropriate statement, insert another record with the following data:

> `(3, "Mike", "Json", "Python Developer")`

Commit the changes and execute the command which will display the contents of the `"kmooc_instructor"` table in the ascending order of the *id* column.

Note that if the new record is already in the table, no error should occur, and the SQL statement should be just ignored.

Display the following columns in the output table:
- *id* column from the `"kmooc_instructor"` table
- *instructo*r - concatenation of the *first_name* and *last_name* columns with a space character (`"kmooc_instructor"` table)
- *description* column from the `"kmooc_instructor"` table

**Format**:
>```
(3, 'Mike Json', 'Python Developer')
...
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

# Enter your solution here
cur.execute("""
REPLACE INTO "kmooc_instructor"
("id", "first_name", "last_name", "description")
VALUES (3, "Mike", "Json", "Python Developer");
""")
conn.commit()
cur.execute("""
SELECT id,
	first_name || ' ' || last_name "name",
	description
FROM kmooc_instructor
ORDER BY id ASC;
""")
for row in cur.fetchall():
  print(row)

conn.commit()
conn.close()

(1, 'James Smith', 'Data Scientist')
(2, 'Mary Brown', 'Programmer')
(3, 'Mike Json', 'Python Developer')


## **Module 7**

When working with databases, we will often want to use the values of variables in our queries. Let's assume that we want to execute the following query using the *instructor_id* variable passed from a user.

> ```
cur.execute(
    f'SELECT * FROM "kmooc_instructor" WHERE "id" = {instructor_id}'
)

A malicious user passed the following value for the *instructor_id* variable:

> ```
instructor_id = '2; DELETE FROM "kmooc_instructor"'

Execute this query. Then, in response, display the number of records in the `"kmooc_instructor"` table. This attack is called **SQL injection** and should be prevented. This module is not required to fill in SQL statements. Just experience this type of attacks.

**Expected result**:
>```
0
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

instructor_id = '2; DELETE FROM "kmooc_instructor"'

cur.executescript(
    f'SELECT * FROM "kmooc_instructor" WHERE "id" = {instructor_id}'
)
conn.commit()

cur.execute('SELECT COUNT(*) FROM "kmooc_instructor"')
num_rows = cur.fetchall()[0][0]
print(num_rows)

conn.close()

0


## **Module 8**

Let's try to protect SQL injection. Let's change the above query in Module 7 such that it is safe to SQL injection. Only the `cur.executescript(...)` command should be replaced with `cur.execute(...)`. You must not add any code for checking the variable.

Hint: Use the named placeholder (named style) and see https://docs.python.org/3/library/sqlite3.html for details.

After excuting the query, the number of records should stay as 2.

Also, when the *instructor_id* variable has a legal value, the SQL query should return normal results.

**Expected result**:
>```
2
(2, 'Mary', 'Brown', 'Programmer')
```

Print the result using the code cell below.

In [None]:
import sqlite3

conn = sqlite3.connect('kmooc.sqlite3')
cur = conn.cursor()

with open('/content/drive/MyDrive/create_database_proj2.sql', 'r', encoding='utf-8') as file:
    sql = file.read()

cur.executescript(sql)

instructor_id = '2; DELETE FROM "kmooc_instructor"'

# Fill in the inside of the command for your solution
# cur.execute(
# Compose a SQL statement to retrieve the instructor information with a variable
# ...
# )
cur.execute("""
SELECT * FROM "kmooc_instructor" WHERE "id" = :instructor_id
""", {"instructor_id": instructor_id})
conn.commit()

cur.execute('SELECT COUNT(*) FROM "kmooc_instructor"')
num_rows = cur.fetchall()[0][0]
print(num_rows)

instructor_id = 2

# Repeat the above cur.execute(...) here
cur.execute("""
SELECT * FROM "kmooc_instructor" WHERE "id" = :instructor_id
""", {"instructor_id": instructor_id})

# Here, the correct result should be returned
for row in cur.fetchall():
    print(row)

conn.close()

2
(2, 'Mary', 'Brown', 'Programmer')
