# Databases

* we will study how to connect to a SQL database using Python
* we will use sqlite3:
    * a very small, portable database written in C
    * stores data in *.sqlite files
    * webpage http://sqlite.org
    * can be downloaded from http://sqlite.org/download.html (choose both dll and tools packages)
* sqlite3 driver (= library to connect to sqlite3) is part of python standard library
* many SQL databases can be accessed from Python in the same way (using Python Database API Specification v2.0 (PEP 249)).


## Using the sqlite3 package

In order to connect to a database, we need to:

1. use the ``connect`` method to open a *connection* to the database
1. use the ``cursor`` method of the connection to get a curso
1. and finally can use the ``execute`` method of the cursor to execute SQL statemente

We can use the same cursor to execute more than one query.

In [1]:
import sqlite3
conn = sqlite3.connect('exampleclass.db')
cursor = conn.cursor()


We can now use the cursor:

In [2]:
sql = '''CREATE TABLE contacts (
    name text, 
    tel text, 
    age integer
)'''

cursor.execute(sql)


<sqlite3.Cursor at 0x4dc8490>

In [3]:
name = 'christoph'
tel = '123'
age = 25

#sql2 = "insert into contacts values ('" +name+ "' ,'" + tel+ "'," + str(age) + ")" 
#print(sql2)

#cursor.execute(sql2)

insert into contacts values ('christoph' ,'123',25)


Simple queries without user supplied values can be entered using a simple SQL string. 

If the query contains user-supplied values, we should:

* add a ``?`` as a placeholder in the query-string
* supplies the values as a second parameter to the execute statement (wrapped in a tuple)

This prevents **SQL injection**

In [12]:
cursor.execute("insert into contacts values (?, ?, ?)", 
               ("Christoph", "12345", 38))
cursor.execute("insert into contacts values (?, ?, ?)", 
               ("Susanne", "87654", 32))

<sqlite3.Cursor at 0x10d4f68f0>

In [5]:
print(cursor.execute("insert into contacts values (?, ?, ?)", 
               ("Christoph", "12345", 38)).fetchone())

None


## Values returned from a DB

We have the following ways of getting the values from an executed SQL statement:

* use the cursor as an iterator
* use the ``fetchone`` method to get back one row
* use the ``fetchall`` method to get all rows back as a list

these methods return the contents of a single row as a tuple

In [13]:
for row in cursor.execute("select * from contacts"):
    print(row)

('Christoph', '12345', 38)
('Susanne', '87654', 32)


In [14]:
data =  cursor.execute("select * from contacts").fetchone()
print(data)

('Christoph', '12345', 38)


In [15]:
allrows = cursor.execute("select * from contacts").fetchall()
print(allrows)

[('Christoph', '12345', 38), ('Susanne', '87654', 32)]


In [16]:
conn.commit()

In [None]:
{
   'customer': "Christoph",
   'date': "2016-05-18",
   'items': [
        {
           "name": "iPhone",
           "price": 5288.0,
           "number": 2
        },
        {
           "name": "iPad mini",
           "price": 2588.0,
           "number": 1
        },
        {
           "name": "macbook",
           "price": 8288.0,
           "number": 1
        }
    ]
}

def insert_order(order):
    sql_order = '''insert into table orders 
        (customer, date) values (?, ?)'''
    order_vals = (order['customer', order['date'])

    cursor.execute(sql_order, order_vals)
    auto_id = #last generated id
    sql_item = '''insert into table order_items values (?,?,?,?)'''
    for item in order['items']:
        cursor.execute(sql_item, (auto_id,
                                  item['name'],
                                  item['price'],
                                  item['number']))
        

## SQL injection

**Never**, **never**, **never** build up your queries by appending user supplied values to a string! This can lead to SQL injection.

Example (don't something like this): we want to get the telephone number corresponding to a name

In [7]:
user_value = 'Christoph'

sql = "select tel from contacts where name = '" + user_value + "'"

for row in cursor.execute(sql):
    print(row[0])

12345
12345


What happens when the user enters the following `name`:

In [8]:
user_value = "Christoph'; drop table contacts --"

sql = "select tel from contacts where name = '" + user_value + "'"

for row in cursor.execute(sql):
    print(row[0])

Warning: You can only execute one statement at a time.

So, actually sqlite3 prevents us from dropping the table. This will not work with other databases (like PostGreSQL)...

## Commit and rollback

If you want to make your changes to the database persist after the connection is closed, you need to use `commit()` to save the changes to the database, you can also use `rollback` to rollback the changes since the last commit.


In [17]:
cursor.execute("""
create table accounts (
    id integer,
    name text,
    amount float
)
""")

<sqlite3.Cursor at 0x10d4f68f0>

In [23]:
cursor.execute('insert into accounts values(?, ?, ?)', (1, 'chris', 1000))

<sqlite3.Cursor at 0x10d4f68f0>

In [24]:
cursor.execute('insert into accounts values(?, ?, ?)', (2, 'phil', 2000))

<sqlite3.Cursor at 0x10d4f68f0>

In [25]:
conn.commit()

In [44]:
class InsufficientAmount(Exception):
    pass

cursor = conn.cursor()

### code to make a transaction:
def make_trans(from_id, to_id, amount):
    sql_check_amount = 'select amount from accounts where id = ?' 
    available = cursor.execute(sql_check_amount, (from_id,)).fetchone()[0]
    if available < amount:
        raise InsufficientAmount
    sql1 = '''update accounts set amount = amount - ? where id = ?'''
    cursor.execute(sql1, (amount, from_id))
    if not cursor.execute('select id from accounts where id = ?', (to_id,)).fetchone():
        conn.rollback()
        raise Exception
    sql2 = '''update accounts set amount = amount + ? where id = ?'''
    cursor.execute(sql2, (amount, to_id))
    sql3 = '''insert into transactions values(?, ?, ?)'''
    cursor.execute(sql3, (from_id, to_id, amount))
    conn.commit()
    
make_trans(2,1,  100)

In [41]:
make_trans(100, 1, 100)

TypeError: 'NoneType' object is not subscriptable

You can also use the connection with a context manager: changes are automatically committed if no exception occurs. In case of an exception, the changes are rolled back:

In [None]:
##code to make an tran    

## Now we load the dataset

I'm so **excited** we finally load the dataset

In [45]:
def load_data(filename):
    pass

print(5 * 6)

30
