CS108 Lecture 19: The Python DBAPI, the Sqlite3 database, running SQL and reading results in Python
Aaron Stevens
6 March 2013

What You'll Learn Today
Review: SQL
Review: the Python tuple sequence
How does a custom application program connect to a database?
How do we get user data into SQL queries?
How does the application read the results of SQL statements?
The Python tuple sequence
Tuples are constructed by the comma operator (not within square brackets), with or without enclosing parentheses:
    t = 4,5,6
    print(t)
A single-element tuple must have a trailing comma, such as (d,).

The Python tuple sequence
Tuples are very similar to lists, but they are immutable: items in a tuple cannot be changed.
Tuple elements are accessed by index, or by simultaneous assignment:
    print(t[0])
    a,b,c = t    # unpacking a tuple
The Python DB API
Python defines a standard API (objects and methods) for interaction with databases: the DB-API 2.0, specified in PEP 249.
There is no standard implementation of this interface; third-party developers write their own libraries, which conform to the standard.
We will be using 2 different DBMSs in CS108:
The SQLite3 DBMS comes standard with Python (the sqlite3 module): free, nothing additional to install.
We'll move to the MySQL DBMS for web-application projects starting in 2 weeks.

Creating a sqlite3 Connection
A Connection is an object that represents the database connection.
Import the sqlite3 module.
Use a connection string to specify the database file name.
Call the connect function to obtain a Connection.
Obtain a Cursor object
A Cursor object is used to execute SQL statements against the database.
Create the Connection first.
Ask the Connection object to give you a Cursor object (its cursor() method).

Executing an SQL Statement
Use the Cursor object's execute method to run an SQL statement against the database.
Look at the results. What type are these?
Processing Query Results
After calling the cursor.execute() method, we can process/interpret the results.
SELECT queries: the results will be zero or more rows of data returned from the database.
INSERT, UPDATE, and DELETE queries: the result will be the number of rows (zero or more) affected by the change.

Processing Query Results
SELECT queries: the results will be zero or more rows of data returned from the database.
The method cursor.fetchall() returns a list of rows (each row is a tuple of fields):
    data = cursor.fetchall()
We can then process this list in the normal fashion using a for loop.
Processing Query Results
A complete example, processing all rows returned from a SELECT query:

Processing Query Results
INSERT, UPDATE, and DELETE queries: the result will be the number of rows (zero or more) affected by the change.
The attribute cursor.rowcount is an integer, the number of rows affected. (For a SELECT the sqlite3 module cannot determine the count in advance, so rowcount stays at -1; count the rows returned by fetchall() instead.)
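The connect / cursor / execute / fetchall / rowcount sequence from the slides above, as an added, runnable Python 3 example (this is not code from the lecture). It uses an in-memory database (the ":memory:" connection string) and a constructed stocks table with three rows; the column layout and the sample values are assumptions made for this example, not the course's own stocks table. It also shows the check a careful program makes before committing: commit only when rowcount is what the statement should have touched, roll back otherwise.

```python
import sqlite3

# Constructed sample data for this example (not from the lecture).
SAMPLE_STOCKS = [
    ("BUD", "Anheuser-Busch", 42.50),
    ("IBM", "International Business Machines", 205.10),
    ("KO", "Coca-Cola", 38.75),
]


def open_db():
    """Connect to an in-memory SQLite database and load the sample table.

    ":memory:" is a special connection string: the database lives only as
    long as this Connection.  A file name such as "stocks.db" would persist it.
    """
    conn = sqlite3.connect(":memory:")
    cursor = conn.cursor()
    cursor.execute(
        "CREATE TABLE stocks (symbol TEXT PRIMARY KEY, name TEXT, price REAL)"
    )
    # executemany runs the INSERT once per tuple in the list.
    cursor.executemany("INSERT INTO stocks VALUES (?, ?, ?)", SAMPLE_STOCKS)
    conn.commit()  # the INSERTs are not saved until the Connection commits
    return conn


def select_all(conn):
    """SELECT every row.  fetchall() returns a list of tuples, one per row.

    Returns (rows, rowcount) so the caller can see that for a SELECT the
    sqlite3 module leaves cursor.rowcount at -1: the count is not known
    until the rows have been fetched.
    """
    cursor = conn.cursor()
    cursor.execute("SELECT symbol, name, price FROM stocks ORDER BY symbol")
    rows = cursor.fetchall()
    return rows, cursor.rowcount


def update_price(conn, symbol, new_price):
    """UPDATE one row and return the number of rows the statement touched.

    symbol is the primary key, so a correct UPDATE touches 0 or 1 rows.
    Only a count of exactly 1 is committed; anything else (0, or a buggy
    WHERE clause that hit thousands of rows) is rolled back.
    """
    cursor = conn.cursor()
    cursor.execute(
        "UPDATE stocks SET price = ? WHERE symbol = ?", (new_price, symbol)
    )
    affected = cursor.rowcount
    if affected == 1:
        conn.commit()
    else:
        conn.rollback()
    return affected


if __name__ == "__main__":
    conn = open_db()
    rows, count = select_all(conn)
    for symbol, name, price in rows:  # unpacking each row tuple
        print(symbol, name, price)
    print("type of fetchall() result:", type(rows).__name__)
    print("rowcount after SELECT:", count)
    print("rows updated for BUD:", update_price(conn, "BUD", 43.00))
    print("rows updated for XYZ:", update_price(conn, "XYZ", 1.00))
```

Run as a script it lists the three rows, prints "list" and -1 for the SELECT, then 1 for the BUD update and 0 for the unknown symbol XYZ, whose (empty) change is rolled back.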
How to Commit the Changes?
For INSERT, UPDATE, and DELETE queries, you need to call the method conn.commit() on the Connection object to commit your changes; until you do, they are not saved.
It might be a good idea to only commit if the row count is reasonable (e.g. 1, not 2728), and to call conn.rollback() otherwise to discard the change.

Parameterized SQL
Most likely, SQL queries in an application will be dependent on some data input by the user.
Don't do this (building the SQL string by pasting the user's input into it):
This kind of statement is vulnerable to SQL injection, a major security risk.
SQL Injection
SQL injection is a technique that exploits the syntax of SQL to chain extra statements onto an SQL query, or to change what the query does.
Suppose the user inputs:
    BUD';DROP TABLE stocks AND 't'='t
The resulting SQL becomes:
    SELECT * from stocks WHERE symbol='BUD';DROP TABLE stocks AND 't'='t'
Don't think the hackers haven't tried this!
(The sqlite3 module happens to refuse to run more than one statement per execute() call, but that is no protection: an input such as ' OR '1'='1 changes the WHERE clause of the single statement and returns every row in the table.)

Parameterized SQL
Instead, do this: write a ? placeholder in the SQL text and put the input parameter into a tuple (a single-element tuple, so remember the trailing comma):
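The "Don't do this" string concatenation beside its parameterized replacement, as an added, runnable Python 3 example (not code from the lecture). The stocks table, its columns and the three sample rows are constructed for this example; the attacker inputs are the slide's stacked-statement string and the tautology ' OR '1'='1. The unsafe lookup reports an exception as the string "refused: ..." instead of raising, so the two failure modes can be compared side by side.

```python
import sqlite3


def make_db():
    """Constructed sample table for this example (not from the lecture)."""
    conn = sqlite3.connect(":memory:")
    cursor = conn.cursor()
    cursor.execute(
        "CREATE TABLE stocks (symbol TEXT PRIMARY KEY, name TEXT, price REAL)"
    )
    # Parameterized INSERT: the apostrophe in O'Reilly needs no escaping by us,
    # the driver passes it to SQLite as a value.
    cursor.executemany(
        "INSERT INTO stocks VALUES (?, ?, ?)",
        [
            ("BUD", "Anheuser-Busch", 42.50),
            ("IBM", "International Business Machines", 205.10),
            ("ORLY", "O'Reilly Automotive", 88.20),
        ],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, symbol):
    """The slide's 'Don't do this' pattern: user input pasted into the SQL text.

    Whatever the user typed becomes part of the SQL syntax.  Returns the rows,
    or the string 'refused: <ErrorName>' if SQLite or the driver rejected the
    statement (a syntax error, or more than one statement in one execute()).
    """
    sql = "SELECT symbol, name, price FROM stocks WHERE symbol = '" + symbol + "'"
    cursor = conn.cursor()
    try:
        cursor.execute(sql)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Older Pythons raise sqlite3.Warning for stacked statements, newer
        # ones sqlite3.ProgrammingError; both are caught here.
        return "refused: " + type(exc).__name__
    return cursor.fetchall()


def lookup_safe(conn, symbol):
    """Parameterized query: the ? is filled in by the driver.

    The input is always treated as a value to compare against, never as SQL
    syntax, so quotes, semicolons and OR inside it cannot change the query.
    Note the single-element tuple (symbol,) with its trailing comma.
    """
    cursor = conn.cursor()
    cursor.execute(
        "SELECT symbol, name, price FROM stocks WHERE symbol = ?", (symbol,)
    )
    return cursor.fetchall()


if __name__ == "__main__":
    conn = make_db()
    inputs = [
        "BUD",                                   # honest input
        "O'Reilly",                              # honest input with a quote
        "' OR '1'='1",                           # tautology: dump every row
        "BUD';DROP TABLE stocks AND 't'='t",     # the slide's stacked statement
    ]
    for user_input in inputs:
        print("input:   ", repr(user_input))
        print("  unsafe:", lookup_unsafe(conn, user_input))
        print("  safe:  ", lookup_safe(conn, user_input))
```

The unsafe version returns all three rows for the tautology, crashes on the legitimate O'Reilly input, and is saved from the DROP only because this driver refuses stacked statements; the parameterized version returns the BUD row for "BUD" and an empty list for the other three, because none of those strings is a symbol in the table. The sqlite3 module also accepts named placeholders (:symbol with a dict argument) in place of ? and a tuple.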
Parameterized SQL
Also use parameterized SQL for INSERT statements. (Assume the variables symbol, name, price, earnings, and dividend_yield have received user input; yield itself is a Python keyword and cannot be used as a variable name.)
    sql = "INSERT INTO stocks VALUES (?,?,?,?,?)"
    parameters = (symbol, name, price, earnings, dividend_yield)
    cursor.execute(sql, parameters)
SQL Injection
(Comic; source: www.xkcd.com)

What You Learned Today
tuple
DBAPI
Connection object
Cursor object
SQL injection!
Announcements and To Do
Readings:
SQL Tutorial (Monday): http://www.firstsql.com/tutor.htm
Python DBAPI and sqlite3 (today): http://docs.python.org/library/sqlite3.html

Using the sqliteclient Program
You may use the sqliteclient.py program to experiment with SQL statements:
http://cs-webapps.bu.edu/cs108/util/sqliteclient.py
Check your SQL statements against this client to rule out SQL syntax errors. Then implement the SQL with parameterized data in your client program.