
# Connecting SQL to Python

In [1]:
import pandas as pd

# Markdown

Jupyter Notebooks accepts Markdown, which accepts SQL like syntax

```sql
SELECT movie_id,
       international_sales
  FROM my_table
 WHERE id = 10;
```

In [2]:
# running strings with markdown
from IPython.display import display, Markdown

def pprint(query):
    """A helper function to display a string with a sql-like markdown syntax """
    
    display(Markdown(f'''```mysql 
    {query}```'''))

In [3]:
pprint('SELECT * FROM my_table')

```mysql 
    SELECT * FROM my_table```

In [None]:
pprint('''
SELECT movie_id,
       international_sales
  FROM movie_info
 WHERE id = 10;''')

# Datasets

In [None]:
movies = pd.read_csv('data/movies.csv')
movie_info = pd.read_csv('data/movie_info.csv')
buildings = pd.read_csv('data/buildings.csv')
employees = pd.read_csv('data/employees.csv')
cities = pd.read_csv('data/cities.csv')

# Connect to database

## We'll use an API (Application Programming Interface) to connect to our database.

SQLAlchemy is the Python SQL toolkit and Object Relational Mapper that gives application developers the full power and flexibility of SQL.

In [None]:
!pip install SQLAlchemy

In [None]:
# WINDOWS:
!pip install psycopg2

# for MACBOOK (MacOS) users, install the following:
# !pip install psycopg2-binary

In [None]:
import sqlalchemy as db


To connect to a database you will usually pass something called `connection string` or `database url` For sqlalchemy it consists of:
- **DB server name** (`mysql`, `postgresql`, `mongodb`) --> official name: _dialect_ 
- **[+driver]** --> Optional driver name, the name of the API to connect with the DB (`psycopg2`, `pyodbc`) 
- ://**username:password** --> password you set up when created database on pgadmin4 for instance
- @**hostname** --> when running locally (`localhost` or `127.0.0.1`), in practice a url provided by the admin.
- /**database name** name of the specific database database you're connecting to (`review`)

In [None]:
import sqlalchemy as db

# create the engine
engine = db.create_engine('postgresql://postgres:admin@localhost/datapt_202007')

# localhost = 127.0.0.1

# open the connection
conn = engine.connect()

In [None]:
db_server = 'postgresql'
user = 'postgres'
password = 'admin'
ip = 'localhost'
db_name = 'datapt_202007'

# create the engine
engine = db.create_engine(f'{db_server}://{user}:{password}@{ip}/{db_name}')

# open the connection
conn = engine.connect()

# CREATING TABLE via python

The pandas module has built-in functionalities that handles that for you ♥️

In [None]:
employees.head()

In [None]:
employees.to_sql(name='employees', con=conn)

In [None]:
employees.to_sql(name='employees', con=conn, if_exists='replace', index=False )

## READING TABLE via python

In [None]:
# run a query by specifying the query as a string in python 
pd.read_sql_query('SELECT years_employed, building FROM employees;', con=conn)

## You can read a table directly 

In [None]:
pd.read_sql_table('employees', con=conn)

In [None]:
pd.read_sql('SELECT * FROM employees', con=conn)

# Inserting all tables into database:

In [None]:
movies.to_sql('movies', conn, if_exists='replace', index=False)
employees.to_sql('employees', conn, if_exists='replace', index=False)
cities.to_sql('cities', conn, if_exists='replace', index=False)
movie_info.to_sql('movie_info', conn, if_exists='replace', index=False)
buildings.to_sql('buildings', conn, if_exists='replace', index=False)

## Let's check that

In [None]:
query = '''
SELECT  id, 
        title, 
        director
  FROM movies'''

In [None]:
pprint(query)
pd.read_sql(query, con=conn)

## Important to understand

Note that when you `pd.read_sql('SELECT * FROM table')`, you are effectivelly sending the string to the PostgreSQL server and the code is being executed **there!** ♥️. Nothing is being executed on Python. The result is then transfered to Python and transformed into a dataframe. But if you have a HUGE table in your database, you can perform the operations there and then bring only the results to your pandas dataframe.

-----------

# SQL review via mini-challenges.

## SELECT queries

For the `movies` table:

1. Find the title of each film
2. Find the director of each film
3. Find the title and director of each film
4. Find the title and year of each film
5. Find all the information about each film

In [None]:
query = '''
SELECT title 
  FROM movies;
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 3 

query = '''
SELECT title, 
       director 
  FROM movies'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 5

query = 'SELECT * FROM movies'

pprint(query)
pd.read_sql(query, con=conn)

## WHERE clause - filters

1. Find the movie with a row id of 6 and 3
2. Find the movies released in the years between 2000 and 2010
3. Find the movies not released in the years between 2000 and 2010
4. Find the first 5 Pixar movies and their release year (suppose id is given in order)

In [None]:
query = '''
SELECT * 
  FROM movies
 WHERE id = 3 OR id = 6;
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT * 
  FROM movies
 WHERE id IN (3,6,8);
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT * 
  FROM movies
 WHERE title IN ('Cars', 'Ratatouille','Up');
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
selected_movie = ('Up', 'Cars')

In [None]:
query = f'''
SELECT * 
  FROM movies
 WHERE title IN {selected_movie};
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
selected_movie = input('Which movie do you want?')

In [None]:
query = f'''
SELECT * 
  FROM movies
 WHERE title = '{selected_movie}';
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 3

query = '''
SELECT *
  FROM movies
 WHERE year >= 2000 AND year < 2010 
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 3

query = '''
SELECT *
  FROM movies
 WHERE year BETWEEN 2000 AND 2009 
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 4

query = '''
SELECT *
  FROM movies
 WHERE year NOT BETWEEN 2000 AND 2009 
'''

pprint(query)
df = pd.read_sql(query, con=conn)

In [None]:
df.sort_values(by='year', ascending=False)

In [None]:
my_queries = ['SELECT * FROM movies' for i in range(2)]

In [None]:
query = '\nUNION ALL\n'.join(my_queries)

In [None]:
pprint(query)

In [None]:
pd.read_sql(query, con=conn)

In [None]:
pd.concat([movies, movies]).reset_index(drop=True)

In [None]:
tables = ['financial_boleto', 'financial_cheque', 'financial_cartao']
my_queries = []
for table in tables:
    for year in [201801, 201802, 201803]:    
        my_queries.append(f'''SELECT * FROM {table}_{year}''')

In [None]:
pprint('\nUNION ALL\n'.join(my_queries))

In [None]:
pd.concat([df, df])

## LIKE clause, % and _

1. Find all the Toy Story movies
2. Find all the movies directed by John Lasseter
3. Find all the movies (and director) not directed by John Lasseter
4. Find all the WALL-* movies

In [None]:
query = """
SELECT * 
  FROM movies 
 WHERE title LIKE 'Toy %'
 """
pprint(query)
pd.read_sql(query, conn)


### Regex PostgreSQL

In [None]:
movies

In [None]:
query = """
SELECT * 
  FROM movies 
 WHERE title ~ 'Toy [Ss]tory \d'
"""

pd.read_sql(query, conn)

In [None]:
query = """
SELECT * 
  FROM movies 
 WHERE title ~ '^[A-F].*'
"""

pd.read_sql(query, conn)

## ORDER BY clause, DISTINCT, OFFSET

1. List all directors of Pixar movies (alphabetically), without duplicates
2. List the last four Pixar movies released (ordered from most recent to least)
3. List the first five Pixar movies sorted alphabetically
4. List the next five Pixar movies sorted alphabetically

In [None]:
# 1

query = '''
SELECT DISTINCT director 
  FROM movies
 ORDER BY director DESC
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 1

query = '''
SELECT director 
  FROM movies
 GROUP BY director
 ORDER BY director
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 5

query = '''
SELECT * 
  FROM movies
 ORDER BY year
 LIMIT 5
'''
pprint(query)
pd.read_sql(query, con=conn)

In [None]:
# 5

query = '''
SELECT * 
  FROM movies
 ORDER BY year
 LIMIT 5 
 OFFSET 5
'''
pprint(query)
pd.read_sql(query, con=conn)

-------------

## JOINS - Inner joins

From tables `movies` and `movie_info`

1. Find the domestic and international sales for each movie
2. Show the sales numbers for each movie that did better internationally rather than domestically
3. List all the movies by their ratings in descending order

In [None]:
pd.read_sql('movie_info', con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       LEFT JOIN
       movie_info AS MI
    ON M.id = MI.movie_id
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       INNER JOIN
       movie_info AS MI
    ON M.id = MI.movie_id AND MI.international_sales > MI.domestic_sales;
'''

pprint(query)
pd.read_sql(query, con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       LEFT JOIN
       movie_info AS MI
    ON M.id = MI.movie_id
 WHERE MI.international_sales > MI.domestic_sales
'''

pprint(query)
pd.read_sql(query, con=conn)

### Optimizing the query using subqueries:

In [None]:
pd.read_sql('SELECT * FROM movie_info WHERE international_sales > domestic_sales', con=conn)

In [None]:
query = '''
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       INNER JOIN
       (SELECT * FROM movie_info WHERE international_sales > domestic_sales) AS MI
    ON M.id = MI.movie_id
 
'''

pprint(query)
pd.read_sql(query, con=conn)

### Organizing stuff using `Common Table Expressions (CTEs)`
The `WITH` syntax

https://www.geeksforgeeks.org/sql-with-clause/

In [None]:
query = '''

WITH international_better AS (
-- This table contains information where sales are better internationally
SELECT * FROM movie_info WHERE international_sales > domestic_sales
),
-- bring sales info from international_better table
joined_table AS (
SELECT M.id,
       M.title,
       M.director,
       M.year,
       M.length_minutes,
       MI.domestic_sales,
       MI.international_sales
  FROM movies AS M
       INNER JOIN
       international_better AS MI
    ON M.id = MI.movie_id
)
SELECT * 
  FROM joined_table
 
'''

pprint(query)
pd.read_sql(query, con=conn)

## JOINS - Outer joins + NULLs

From table `buildings` and `employees`

1. Find the list of all buildings that have employees
2. Find the list of all buildings and their height
3. List all buildings and the distinct employee roles in each building (including empty buildings)
4. Find the name and role of all employees who have not been assigned to a building
5. Find the names of the buildings that hold no employees

In [None]:
#employees
query = '''
SELECT A.*,
       B.*
  FROM employees AS A
       LEFT JOIN
       buildings AS B
    ON A.building = B." building_name"
 WHERE A.building IS NULL
'''

pd.read_sql(query, con=conn)


## Performing calculations inside queries

- `CASE WHEN` syntax

From tables `movies` and `movie_info`: 

0. Create a variable called `fl_post_millenium` which results in 1 if the year is >= 2000 else 0
1. List all movies and their combined sales in millions of dollars
2. List all movies and their ratings in percent
3. List all movies that were released on even number years

In [None]:
# 0: CASE WHEN

pd.read_sql('''
SELECT A.id,
       A.title,
       A.director,
       A.year,
       A.length_minutes,
       B.rating,
       (CASE WHEN A.year >= 2000 THEN B.rating ELSE 0 END) AS fl_post_millenium
  FROM movies AS A
       INNER JOIN
       movie_info AS B
    ON A.id = B.movie_id   
    ;
''', con=conn)

# Group by's and aggregations - MAX, AVG, SUM

From tables `employees` and `buildings`

1. Find the longest time that an employee has been at the Empire State
2. For each role, find the average number of years employed by employees in that role
3. Find the total number of employee years worked in each building

In [None]:
# 1 

query = '''
SELECT role, 
       AVG(years_employed) 
  FROM employees
 GROUP BY role;
'''

pd.read_sql(query, con=conn)


In [None]:
# 1 

query = '''
SELECT director, 
       COUNT(*)
  FROM movies
 GROUP BY director;
'''

pd.read_sql(query, con=conn)


In [None]:
# 1 

query = '''
SELECT director, 
       SUM(CASE WHEN year > 2000 THEN 1 ELSE 0 END) AS qtd_movies
  FROM movies
 GROUP BY director;
'''

pd.read_sql(query, con=conn)

-- The order of SQL queries: 
> https://jvns.ca/blog/2019/10/03/sql-queries-don-t-start-with-select/ (really good blog)

----

# EXTRA: ❌ DANGER ❌


# SQL Injection


0. Search for vulnerabilities.
> `inurl:index.php?id=1`

1. Enter the website 

2. Check if it is vulnerable to SQL-injection 
> plug a backtick (`) at the end of the id=1 query

> https://security.stackexchange.com/questions/121204/dumping-custom-query-via-sql-injection-when-output-is-in-the-die-function

**Important Note**: SQL injection is not legal. Train elsewhere https://ringzer0ctf.com/

In [None]:
df = pd.DataFrame(data=[('andre','admin'), 
                        ('matheus','qwerty'),
                        ('rai','1234567890'), 
                        ('lucas','0987654321')], 
                  columns=['username', 'password'])

In [None]:
df

In [None]:
df.to_sql('user_info', con=conn, if_exists='replace', index=False)

In [None]:
username = 'andre'
password = 'admin'

pd.read_sql(f"""
SELECT * FROM user_info WHERE username = '{username}' AND password = '{password}'
""", con=conn)

In [None]:
def check_access(username, password):
    
    query = f"SELECT * FROM user_info WHERE username = '{username}' AND password = '{password}'"
    pprint(query)
    if pd.read_sql(query, con=conn).shape[0] != 0:
        print('ACCESS GRANTED!')
    else:
        print('ACCESS DENIED!')

In [None]:
check_access()