# SQL via SQLAlchemy - Introduction

Goals:

1. to prepare a virtual environment (venv)

2. to install necessary packages into the venv

3. a brief introduction into the SQLite DB-API in Python

4. moving to SQLAlchemy

## Table of Contents

- [Virtual Environment](#virtual-environment)

- [Installing Packages](#installing-packages)

- [SQLite in Python](#sqlite-in-python)

- [SQLAlchemy Rails](#sqlalchemy-rails)

- [Why SQLAlchemy?](#why-sqlalchemy)

- [References](#references)

### Virtual Environment

Not only for this tutotial, but mostly for any project we need a clear isolated environment, which is called a virtual environment (in short, "venv"), to avoid any conflicts with system-wide installed software.

In Python world there is a standard [venv](https://docs.python.org/3/library/venv.html) package. However, when I wanted to set up the sqla (a name from SQLAlchemy) venv for these notes, I got the error:

```shell
╰─➤  python3 -m venv sqla
The virtual environment was not created successfully because ensurepip is not
available.  On Debian/Ubuntu systems, you need to install the python3-venv
package using the following command.

    apt install python3.10-venv

You may need to use sudo with that command.  After installing the python3-venv
package, recreate your virtual environment.

Failing command: %the-path-to-your-venv-directory%
```

The venv package was not pre-installed - not so standard to be shipped along with the Python interpreter incorporated into the Ubuntu 22.04. Ok then, no problem and following the hint.

```shell
╰─➤  sudo apt install python3-venv
[sudo] password for %user%: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  python3-pip-whl python3-setuptools-whl python3.10-venv
The following NEW packages will be installed:
  python3-pip-whl python3-setuptools-whl python3-venv
  python3.10-venv
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,474 kB of archives.
After this operation, 2,888 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
...
Setting up python3-setuptools-whl (59.6.0-1.2ubuntu0.22.04.1) ...
Setting up python3-pip-whl (22.0.2+dfsg-1ubuntu0.3) ...
Setting up python3.10-venv (3.10.12-1~22.04.2) ...
Setting up python3-venv (3.10.6-1~22.04) ...
```

Now the door is open, the venv can be created, so executing the `python3 -m venv sqla` command will create the directory. But that is not enough, **the venv should be activated**:

```shell
╰─➤  source ./sqla/bin/activate
(sqla) ╭─<...@...> ~/Projects/SQL-via-Alchemy  ‹main*› 
╰─➤  
```

As you can see, the "(sqla)" prompt prefix points that the venv is activated. If you need to quit the venv, you can type the `deactivate` command (see the docs for your OS).

Checking the environment:

1. the path to the Python interpreter:

    ```shell
    ╰─➤  which python3
    /home/<...>/Projects/SQL-via-Alchemy/sqla/bin/python3
    ```

2. the path to the Python interpreter:

    ```shell
    ╰─➤  which pip3
    /home/<...>/Projects/SQL-via-Alchemy/sqla/bin/pip3
    ```


### Installing Packages

Have you ever wondered why we installed and activated the virtual environment?! To install needful packages there without breaking (possibly) existing dependencies at the system level.

1. upgrading `pip` to the latest version

    ```shell
    ╰─➤  pip3 install --upgrade pip
    Requirement already satisfied: pip in ./sqla/lib/python3.10/site-packages (22.0.2)
    Collecting pip
    Downloading pip-23.3.1-py3-none-any.whl (2.1 MB)
        ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 5.5 MB/s eta 0:00:00
    Installing collected packages: pip
    Attempting uninstall: pip
        Found existing installation: pip 22.0.2
        Uninstalling pip-22.0.2:
        Successfully uninstalled pip-22.0.2
    Successfully installed pip-23.3.1
    ```

2. installing sqlalchemy since the version 2 (only)

    ```shell
    ╰─➤  pip3 install "sqlalchemy>=2"
    Collecting sqlalchemy>=2
    Downloading SQLAlchemy-2.0.22-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (9.4 kB)
    Collecting typing-extensions>=4.2.0 (from sqlalchemy>=2)
    Downloading typing_extensions-4.8.0-py3-none-any.whl.metadata (3.0 kB)
    Collecting greenlet!=0.4.17 (from sqlalchemy>=2)
    Downloading greenlet-3.0.0-cp310-cp310-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl.metadata (3.8 kB)
    Downloading SQLAlchemy-2.0.22-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.0 MB)
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.0/3.0 MB 7.1 MB/s eta 0:00:00
    Downloading greenlet-3.0.0-cp310-cp310-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl (612 kB)
    ━━━━━━━━━━━━━━━━━━━━━━━━━━ 612.9/612.9 kB 31.8 MB/s eta 0:00:00
    Downloading typing_extensions-4.8.0-py3-none-any.whl (31 kB)
    Installing collected packages: typing-extensions, greenlet, sqlalchemy
    Successfully installed greenlet-3.0.0 sqlalchemy-2.0.22 typing-extensions-4.8.0
    ```

The second version of SQLAlchemy is vital: major API changes and asyncio support. For more details, [SQLAlchemy installation](https://docs.sqlalchemy.org/en/20/intro.html#installation) section is all yours.

Throughout these notes we shall only code in the framework of asynchronous programming.

**A piece of advice**: if you know little or nothing about concurrency, you definitly need to master it. In my humble opinion, a good starter for concurrency in Python is [SuperFastPython](https://superfastpython.com/) site. A well-grounded understanding of Python `asyncio` module and practices can be grasped:

- [SuperFastPython: asyncio learning path](https://superfastpython.com/learning-paths/#Asyncio_Learning_Path)

- [Python Concurrency with asyncio by Matthew Fowler](https://www.manning.com/books/python-concurrency-with-asyncio)

And now, SQLAlchemy is accessible.

In [1]:
import sqlalchemy as sqla
import sqlalchemy.ext.asyncio as async_sqla


print(f"SQLAlchemy version: {sqla.__version__}")

SQLAlchemy version: 2.0.22


### SQLite in Python

Python has a standard [sqlite3](https://docs.python.org/3/library/sqlite3.html) module that provides an SQL interface compliant with the DB-API 2.0 specification to interact with the SQLite ([home page](https://www.sqlite.org/index.html)) library. Feel free to walk through this [SQLite tutorial](https://www.sqlitetutorial.net/sqlite-python/) if you need a refreshment. To install SQLite, you can go along this [tutorial](https://www.sqlitetutorial.net/download-install-sqlite/).

One thing to remember: Python sqlite3 module is for using in synchronous code. For asynchronous code, with `async`` and so forth, we need a DB-API driver (library) with asyncio support. This is achievable with, for example, an [aiosqlite](https://aiosqlite.omnilib.dev/en/stable/) pip-installable package.

In [2]:
import aiosqlite

# in-memory SQLite database - no file is desired for now
aiosqlite_url: str = ":memory:"

In [3]:
async with aiosqlite.connect(aiosqlite_url) as db:
    print(f"Connection = {db}")
    stmt = "SELECT 1 + 1;"
    async with db.execute(stmt) as cursor:
        print(f"Statement = `{stmt}`")
        async for row in cursor:
            print(f"Row = {row}")

Connection = <Connection(Thread-4, started 140026460497472)>
Statement = `SELECT 1 + 1;`
Row = (2,)


Let's practice with aiosqlite and introduce some more SQL code by:

- creating a table

- inserting some data into it

- selecting data from the table depending on our needs

Personally, I don't want to make up an example, so I just downloaded the database from [SQLite Tutorial](https://www.sqlitetutorial.net/sqlite-sample-database/) page. In the [assets](../../assets/) directory ou can find the file with the "chinook.db" database and the ER (Entity-Relation) diagram describing the structure of tables and relations among them. Nevertheless, for educational purposes, get hands a bit dirty would be practicable.

Let's post the ER diagram and pick up something easy to work with.
!["Chinook database ER diagram"](../../assets/sqlite-sample-database-color.jpg "Chinook database ER diagram")

In [4]:
create_playlists_sql = """
CREATE TABLE IF NOT EXISTS playlists (
    id INTEGER PRIMARY KEY,  -- no AUTOINCREMENT is needed
    name NVARCHAR(120)
);
"""

insert_into_playlists_sql = """
INSERT INTO playlists (name)
VALUES ('SQL Rocks!'), ('SQLite as well');
"""

select_from_playlists_sql = """
SELECT * FROM playlists;
"""

# only one statement at a time is allowed
async with aiosqlite.connect(aiosqlite_url) as db:
    print(f"Connection = {db}")
    await db.execute(create_playlists_sql)
    await db.execute(insert_into_playlists_sql)
    await db.commit()  # saving the progress - a checkpoint
    async with db.execute(select_from_playlists_sql) as cursor:
        async for row in cursor:
            print(f"Row = {row}")

Connection = <Connection(Thread-5, started 140026460497472)>
Row = (1, 'SQL Rocks!')
Row = (2, 'SQLite as well')


But let's try again the following code snippet and you'll see that no table "playlists" exists. Can you guess why the progress has gone?

In [5]:
# async with aiosqlite.connect(aiosqlite_url) as db:
#     async with db.execute(select_from_playlists_sql) as cursor:
#         async for row in cursor:
#             print(f"Row = {row}")

Hints:

1. in-memory database

2. closing connection when exiting context manager (with-statement scope)

Let's try a little more manual approach.

In [6]:
db = await aiosqlite.connect(aiosqlite_url)
print(f"Connection = {db}")

# async with db:  # RuntimeError: threads can only be started once
await db.execute(create_playlists_sql)
await db.execute(insert_into_playlists_sql)

Connection = <Connection(Thread-6, started 140026460497472)>


<aiosqlite.cursor.Cursor at 0x7f5a884205b0>

In [7]:
async with db.execute(select_from_playlists_sql) as cursor:
    async for row in cursor:
        print(f"Row = {row}")

print("New transaction")

async with db.execute(select_from_playlists_sql) as cursor:
    async for row in cursor:
        print(f"Row = {row}")

Row = (1, 'SQL Rocks!')
Row = (2, 'SQLite as well')
New transaction
Row = (1, 'SQL Rocks!')
Row = (2, 'SQLite as well')


Working with raw SQL code can be risky because of SQL injections. An SQL injection is a hacker technique allowing to modify SQL code. The code snippet below roughly demonstrates the idea with a few assumptions:

- `executescript` method allows to execute several statements in one piece of code while `execute` will complain

- the attack - an SQL injection code - could have been written in a more sophisticated form, but for simplicity the `injected_stmt` is given as it is. The idea is to show that raw SQL can be turned into a malicious code - security is the factor.

In [8]:
values = "(6, 'value'); DELETE FROM playlists"
injected_stmt = f"INSERT INTO playlists (id, name) VALUES {values}"

print(f"A statement with an SQL-injection: {injected_stmt}")

await db.executescript(injected_stmt)

async with db.execute(select_from_playlists_sql) as cursor:
    async for row in cursor:
        print(f"Row = {row}")


A statement with an SQL-injection: INSERT INTO playlists (id, name) VALUES (6, 'value'); DELETE FROM playlists


Yep, the playlists table exists, but data are deleted from it via `DELETE FROM playlists` command. That is why no `Row = ...` print statement was executed - the cursor object has nothing to give.

Since we have not been executing the statements within an `async with` context manager, the connection is still open. Whenever anything is not needed any longer, it is one of the best practices to do a cleanup - in this way resources, e.g. memory, are exploited sufficiently. So, closing the connection.

In [9]:
await db.close()

### SQLAlchemy rails

Moving from SQLite into SQLAlchemy.

### Why SQLAlchemy?

All right, we know how to interact with a database via aiosqlite DB-API, but how does it relate to SQLAlchemy? Long story short: there are different vendors of databases like PostgreSQL, Oracle and so forth. They have their SQL versions, called SQL-dialects, that must be compatible with the ANSI SQL standard, but not coherent with one another. For instance, a mere `SELECT 1+1;` query will be valid for PostgreSQL, but will fail when processed by Oracle - for Oracle you need `SELECT 1+1 FROM DUAL` query.

So, even by the example of `SELECT 1+1;` query the portability of SQL code cannot be guaranteed from a vendor to a vendor. But SQLAlchemy will generate an SQL code under the hood depending on the vendor specification (roughly speaking).

PostgreSQL case:

![PostgreSQL "select 1+1;"](./postgresql_select_1+1.png "PostgreSQL 'select 1+1;'")

Oracle case (from [Geeks-For-Geeks](https://www.geeksforgeeks.org/dual-table-in-sql/)):

![Oracle "FROM DUAL;"](./oracle_from_dual.png 'Oracle "FROM DUAL;"')

### References

- SQLAlchemy:

  - [SQLAlchemy ORM Tutorial: YouTube](https://www.youtube.com/playlist?list=PL4iRawDSyRvVd1V7A45YtAGzDk6ljVPm1)

  - [SQLAlchemy asyncio tutorial](https://docs.sqlalchemy.org/en/20/orm/extensions/asyncio.html)

- SQLite:

  - [SQLite FAQ](https://www.sqlite.org/faq.html)

  - [aiosqlite docs](https://pypi.org/project/aiosqlite/)

  - [SQLite in SQLAlchemy](https://docs.sqlalchemy.org/en/20/dialects/sqlite.html)

- SQL statements:

  - [W3Schools: CREATE TABLE ...](https://www.w3schools.com/sql/sql_create_table.asp)

  - [W3Schools: INSERT INTO 'tablename' VALUES ...](https://www.w3schools.com/sql/sql_insert.asp)

  - [W3Schools: SELECT ... FROM 'tablename'](https://www.w3schools.com/sql/sql_select.asp)

  - [W3Schools: DELETE FROM 'tablename'](https://www.w3schools.com/sql/sql_delete.asp)