Mosky Liu, profile picture
Uploaded byMosky Liu
PDF, PPTX1,487 views

MoSQL: More than SQL, but less than ORM

The document discusses the advantages and disadvantages of using SQL versus ORM (Object-Relational Mapping), outlining various syntax examples and highlighting SQL's speed and ancient nature compared to ORMs which may be slower but modern. It also touches on security issues such as SQL injection and presents 'mosql', a SQL builder that aims to be faster, easier to learn, and secure by default. The conclusion encourages the use of mosql for its convenience and performance benefits.

Embed presentation

Download as PDF, PPTX
1 MoSQLMoSQL MoskyMosky
2 More than SQL, but Less than ORMMore than SQL, but Less than ORM MoSQLMoSQL
3 OutlineOutline ● Why not SQL?Why not SQL? ● Why ORM?Why ORM? ● MoSQLMoSQL – SQL BuildersSQL Builders – Model of Result SetModel of Result Set ● ConclusionConclusion
4 Why not SQL?Why not SQL?
5 SQL SyntaxSQL Syntax ● SELECT * FROM article;SELECT * FROM article; ● SELECT * FROM article LIMIT 1;SELECT * FROM article LIMIT 1; ● add “ ORDER BY created ”?add “ ORDER BY created ”? ● add “ OFFSET 10 ”?add “ OFFSET 10 ”? ● add “ GROUP BY author ”?add “ GROUP BY author ”? ● Is “ UPDATE article WHERE title='SQL' SETIs “ UPDATE article WHERE title='SQL' SET title='ORM' ” correct?title='ORM' ” correct?
6 !@#$%!@#$%
7 SQL InjectionSQL Injection ● ') or '1'='1') or '1'='1 ● ' or true; --' or true; -- ● ' or 1=1; --' or 1=1; -- ● ' or 2=2; --' or 2=2; -- ● ' or 'str'='str'; --' or 'str'='str'; -- ● ……
8 It may be hacker friendly.It may be hacker friendly.
9 SQL seems ancient, but ...SQL seems ancient, but ...
10 using SQL is theusing SQL is the FASTESTFASTEST way.way.
11 Why ORM?Why ORM?
12 ORM SyntaxORM Syntax class User(Base):class User(Base): __tablename__ = 'users'__tablename__ = 'users' name = Column(String)name = Column(String) fullname = Column(String)fullname = Column(String) password = Column(String)password = Column(String)
13 ORM Syntax (cont.)ORM Syntax (cont.) >>> fake_user = User('fakeuser', 'Invalid',>>> fake_user = User('fakeuser', 'Invalid', '12345')'12345') >>> session.add(fake_user)>>> session.add(fake_user) >>> for row in session.query(User,>>> for row in session.query(User, User.name).all():User.name).all(): ... print row.User, row.name... print row.User, row.name
14 hmmm …hmmm …
15 SQL InjectionSQL Injection ● ' or true; --' or true; -- ● ' or 1=1; --' or 1=1; -- ● ' or 1=1; #' or 1=1; # ● ' or 1=1; /*' or 1=1; /* ● ') or '1'='1') or '1'='1 ● …… ● SaferSafer
16 It's good!It's good!
17 ORM seems modern, but ...ORM seems modern, but ...
18 the most of ORMs are SLOW.the most of ORMs are SLOW.
19 SQL < ______ < ORMSQL < ______ < ORM
20 SQL < MoSQL < ORMSQL < MoSQL < ORM
21 SQL BuildersSQL Builders
22 SQL Builders (cont.)SQL Builders (cont.) >>> from mosql.build import *>>> from mosql.build import * >>>>>> select('pycon')select('pycon') SELECT * FROM "pycon"SELECT * FROM "pycon" >>> select('pycon',>>> select('pycon', {'id': 'mosky'}{'id': 'mosky'})) SELECT * FROM "pycon" WHERE "id" = 'mosky'SELECT * FROM "pycon" WHERE "id" = 'mosky'
23 SQL Builders (cont.)SQL Builders (cont.) >>> insert('pycon',>>> insert('pycon', {'yr': 2013, 'id': 'masky'}{'yr': 2013, 'id': 'masky'})) INSERT INTO "pycon" ("id", "yr") VALUES ('masky', 2013)INSERT INTO "pycon" ("id", "yr") VALUES ('masky', 2013) >>> update('pycon',>>> update('pycon', ...... where={'id': 'masky'}where={'id': 'masky'},, ...... set ={'id': 'mosky'}set ={'id': 'mosky'} ... )... ) UPDATE "pycon" SET "id"='mosky' WHERE "id" = 'masky'UPDATE "pycon" SET "id"='mosky' WHERE "id" = 'masky'
24 SQL Builders (cont.)SQL Builders (cont.) ● insert(table,insert(table, setset, …), …) ● select(table,select(table, wherewhere, …), …) ● update(table,update(table, wherewhere,, setset, …), …) ● delete(table,delete(table, wherewhere, …), …) ● ......
25 If you like it,If you like it,
26 sudo pip install mosqlsudo pip install mosql
27 Model of Result SetModel of Result Set
28 Model: Configure ConnectionModel: Configure Connection import psycopg2.poolimport psycopg2.pool from mosql.result import Modelfrom mosql.result import Model pool = psycopg2.pool.SimpleConnectionPool(1, 5,pool = psycopg2.pool.SimpleConnectionPool(1, 5, database='mosky')database='mosky') class PostgreSQL(Model):class PostgreSQL(Model): getconn = pool.getconngetconn = pool.getconn putconn = pool.putconnputconn = pool.putconn
29 Model: Set the Name of TableModel: Set the Name of Table class Person(PostgreSQL):class Person(PostgreSQL): table = 'person'table = 'person' >>> Person.select(>>> Person.select({'person_id': 'mosky'}{'person_id': 'mosky'})) {'name': ['Mosky Liu'], 'person_id': ['mosky']}{'name': ['Mosky Liu'], 'person_id': ['mosky']} >>> Person.where(person_id=>>> Person.where(person_id=('andy', 'mosky')('andy', 'mosky'))) {'name': ['Andy Warhol', 'Mosky Liu'], 'person_id':{'name': ['Andy Warhol', 'Mosky Liu'], 'person_id': ['andy', 'mosky']}['andy', 'mosky']}
30 Model: Make QueriesModel: Make Queries Person.Person.selectselect({'person_id': 'mosky'})({'person_id': 'mosky'}) Person.Person.insertinsert({'person_id': 'tina'})({'person_id': 'tina'}) Person.Person.updateupdate(( where={'person_id': 'mosky'},where={'person_id': 'mosky'}, set ={'name' : 'Yiyu Liu'}set ={'name' : 'Yiyu Liu'} )) Person.Person.deletedelete({'person_id': 'tina'})({'person_id': 'tina'})
31 Model: Squash ColumnsModel: Squash Columns class Person(PostgreSQL):class Person(PostgreSQL): table = 'person'table = 'person' squashed = set(['person_id', 'name'])squashed = set(['person_id', 'name']) >>> Person.select({'person_id': 'mosky'})>>> Person.select({'person_id': 'mosky'}) {'name':{'name': 'Mosky Liu''Mosky Liu', 'person_id':, 'person_id': 'mosky''mosky'}} >>> Person.where(person_id=('andy', 'mosky'))>>> Person.where(person_id=('andy', 'mosky')) {'name':{'name': 'Andy Warhol''Andy Warhol', 'person_id':, 'person_id': 'andy''andy'}}
32 Model: ArrangeModel: Arrange class Person(PostgreSQL):class Person(PostgreSQL): ...... arrange_by = ('person_id', )arrange_by = ('person_id', ) >>> for person in Person.arrange(>>> for person in Person.arrange({'person_id':{'person_id': ('andy', 'mosky')}('andy', 'mosky')}):): ... print person... print person {'name': 'Andy Warhol', 'person_id': 'andy'}{'name': 'Andy Warhol', 'person_id': 'andy'} {'name': 'Mosky Liu', 'person_id': 'mosky'}{'name': 'Mosky Liu', 'person_id': 'mosky'}
33 Model: Arrange (cont.)Model: Arrange (cont.) >>> for detail in>>> for detail in DetailDetail.arrange({'person_id':.arrange({'person_id': ('mosky', 'andy')}):('mosky', 'andy')}): ... print detail... print detail ...... {'detail_id': [5],{'detail_id': [5], 'key': 'email','key': 'email', 'person_id': 'andy','person_id': 'andy', 'val': ['andy@gmail.com']}'val': ['andy@gmail.com']} ......
34 Model: FindModel: Find class Person(PostgreSQL):class Person(PostgreSQL): ...... arrange_by = ('person_id', )arrange_by = ('person_id', ) >>> for person in Person.>>> for person in Person.findfind((person_id=('andy',person_id=('andy', 'mosky')'mosky')):): ... print person... print person {'name': 'Andy Warhol', 'person_id': 'andy'}{'name': 'Andy Warhol', 'person_id': 'andy'} {'name': 'Mosky Liu', 'person_id': 'mosky'}{'name': 'Mosky Liu', 'person_id': 'mosky'}
35 Model: Identify a RowModel: Identify a Row class Person(PostgreSQL):class Person(PostgreSQL): ...... ident_by = ('person_id', )ident_by = ('person_id', )
36 Model: ModificationModel: Modification >>> p = Person.where(person_id='mosky')>>> p = Person.where(person_id='mosky') >>>>>> p['name'] = 'Yiyu Liu'p['name'] = 'Yiyu Liu' >>>>>> p.name = 'Yiyu Liu'p.name = 'Yiyu Liu' >>> p.save()>>> p.save() >>> d =>>> d = DetailDetail.where(.where(person_id='mosky', key='email'person_id='mosky', key='email')) >>>>>> p['val'][0] = '<modified email>'p['val'][0] = '<modified email>' >>>>>> p.val[0] = '<modified email>'p.val[0] = '<modified email>' >>> p.save()>>> p.save()
37 Model: Pop and AppendModel: Pop and Append >>> d = Detail.where(>>> d = Detail.where(person_id='mosky', key='email'person_id='mosky', key='email')) >>>>>> p.pop(-1)p.pop(-1) >>>>>> p.append({'val': '<new mail>'})p.append({'val': '<new mail>'}) >>> p.save()>>> p.save()
38 Model: Default ClausesModel: Default Clauses class Person(PostgreSQL):class Person(PostgreSQL): ...... clauses = dict(clauses = dict( order_by=('person_id', )order_by=('person_id', ) ))
39 PerformancePerformance ● AboutAbout 4x4x faster than SQLAlchemy.faster than SQLAlchemy. ● Just a little bit slower than pure SQL.Just a little bit slower than pure SQL.
40 SecuritySecurity ● Security by default.Security by default. ● Use escaping technique.Use escaping technique. ● Prevent SQL injection from both valuePrevent SQL injection from both value and identifier.and identifier. ● Passed the tests fromPassed the tests from sqlmapsqlmap at level=5at level=5 and risk=3.and risk=3.
41 ConclusionConclusion ● Easy-to-LearnEasy-to-Learn ● ConvenientConvenient ● FasterFaster ● SecureSecure ● sudo pip install mosqlsudo pip install mosql ● http://mosql.mosky.tw/http://mosql.mosky.tw/ ● Welcome to fork!Welcome to fork!

More Related Content

PDF
MoSQL: More than SQL, but Less than ORM @ PyCon APAC 2013
byMosky Liu
 
PDF
2986815 Normas Icontec
byHelber Sepulveda
 
PPTX
Create online games with node.js and socket.io
bygrrd01
 
PDF
Beyond Breakpoints: Advanced Debugging with XCode
byAijaz Ansari
 
PDF
2014 database - course 3 - PHP and MySQL
byHung-yu Lin
 
PDF
The Ring programming language version 1.5.2 book - Part 43 of 181
byMahmoud Samir Fayed
 
PDF
How to lose your database and your job
byRyan Gooler
 
PDF
SQLAlchemy Seminar
byYury Yurevich
 
MoSQL: More than SQL, but Less than ORM @ PyCon APAC 2013
byMosky Liu
 
2986815 Normas Icontec
byHelber Sepulveda
 
Create online games with node.js and socket.io
bygrrd01
 
Beyond Breakpoints: Advanced Debugging with XCode
byAijaz Ansari
 
2014 database - course 3 - PHP and MySQL
byHung-yu Lin
 
The Ring programming language version 1.5.2 book - Part 43 of 181
byMahmoud Samir Fayed
 
How to lose your database and your job
byRyan Gooler
 
SQLAlchemy Seminar
byYury Yurevich
 

What's hot

PDF
Slaying the Dragon: Implementing a Programming Language in Ruby
byJason Yeo Jie Shun
 
PDF
The Ring programming language version 1.6 book - Part 46 of 189
byMahmoud Samir Fayed
 
PDF
A comparison between C# and Java
byAli MasudianPour
 
PDF
Speeding up Red Team engagements with carnivorall
byNullbyte Security Conference
 
KEY
Mongoose v3 :: The Future is Bright
byaaronheckmann
 
RTF
Gg chat
byWi'ne Abareles
 
TXT
R57.Php
byguest63876e
 
TXT
Nop2
byguestea6d59
 
PDF
WordPress Security: Be a Superhero - WordCamp Raleigh - May 2011
byJohn Ford
 
PDF
Removing structural duplication
byAlexandru Bolboaca
 
DOCX
Wwe Management System
byNeerajMudgal1
 
PDF
Solr integration in Magento Enterprise
byTobias Zander
 
PPTX
FRP: What does "declarative" mean
byPeter Ovchinnikov
 
PDF
Clean code
byiamAnaCortes
 
PDF
JDD 2017: Performance tests with Gatling (Andrzej Ludwikowski)
byPROIDEA
 
PDF
Mgd08 lab01
byHock Leng PUAH
 
KEY
Potential Friend Finder
byRichard Schneeman
 
PPTX
Nantes Jug - Java 7
bySébastien Prunier
 
PDF
파이썬 플라스크로 배우는 웹프로그래밍 #4 (ABCD)
by성일 한
 
KEY
Shellwords
byKevin Munc
 
Slaying the Dragon: Implementing a Programming Language in Ruby
byJason Yeo Jie Shun
 
The Ring programming language version 1.6 book - Part 46 of 189
byMahmoud Samir Fayed
 
A comparison between C# and Java
byAli MasudianPour
 
Speeding up Red Team engagements with carnivorall
byNullbyte Security Conference
 
Mongoose v3 :: The Future is Bright
byaaronheckmann
 
Gg chat
byWi'ne Abareles
 
R57.Php
byguest63876e
 
Nop2
byguestea6d59
 
WordPress Security: Be a Superhero - WordCamp Raleigh - May 2011
byJohn Ford
 
Removing structural duplication
byAlexandru Bolboaca
 
Wwe Management System
byNeerajMudgal1
 
Solr integration in Magento Enterprise
byTobias Zander
 
FRP: What does "declarative" mean
byPeter Ovchinnikov
 
Clean code
byiamAnaCortes
 
JDD 2017: Performance tests with Gatling (Andrzej Ludwikowski)
byPROIDEA
 
Mgd08 lab01
byHock Leng PUAH
 
Potential Friend Finder
byRichard Schneeman
 
Nantes Jug - Java 7
bySébastien Prunier
 
파이썬 플라스크로 배우는 웹프로그래밍 #4 (ABCD)
by성일 한
 
Shellwords
byKevin Munc
 

Similar to MoSQL: More than SQL, but less than ORM

PDF
PyCon 2010 SQLAlchemy tutorial
byjbellis
 
PDF
Programming with Python and PostgreSQL
byPeter Eisentraut
 
PPTX
Django - sql alchemy - jquery
byMohammed El Rafie Tarabay
 
PPTX
[Mas 500] Data Basics
byrahulbot
 
PPTX
Connecting and using PostgreSQL database with psycopg2 [Python 2.7]
byDinesh Neupane
 
PDF
Manipulating Data in Style with SQL
byRyan B Harvey, CSDP, CSM
 
PDF
Python postgre sql a wonderful wedding
byStéphane Wirtel
 
PPTX
PostgreSQL - It's kind've a nifty database
byBarry Jones
 
PDF
Slides python elixir
byAdel Totott
 
PPTX
Relational Database Access with Python ‘sans’ ORM
byMark Rees
 
PDF
Python and the MySQL Document Store
byJesper Wisborg Krogh
 
PPTX
Relational Database Access with Python
byMark Rees
 
PDF
ORM in Django
byHoang Nguyen
 
KEY
PostgreSQL
byReuven Lerner
 
PPTX
Rapid and Scalable Development with MongoDB, PyMongo, and Ming
byRick Copeland
 
PDF
Oleksandr Tarasenko "ORM vs GraphQL"
byFwdays
 
PDF
ORM vs GraphQL - Python fwdays 2019
byOleksandr Tarasenko
 
PDF
pandas.(to/from)_sql is simple but not fast
byUwe Korn
 
PPTX
Postgresql
byNexThoughts Technologies
 
PPTX
How Pony ORM translates Python generators to SQL queries
byponyorm
 
PyCon 2010 SQLAlchemy tutorial
byjbellis
 
Programming with Python and PostgreSQL
byPeter Eisentraut
 
Django - sql alchemy - jquery
byMohammed El Rafie Tarabay
 
[Mas 500] Data Basics
byrahulbot
 
Connecting and using PostgreSQL database with psycopg2 [Python 2.7]
byDinesh Neupane
 
Manipulating Data in Style with SQL
byRyan B Harvey, CSDP, CSM
 
Python postgre sql a wonderful wedding
byStéphane Wirtel
 
PostgreSQL - It's kind've a nifty database
byBarry Jones
 
Slides python elixir
byAdel Totott
 
Relational Database Access with Python ‘sans’ ORM
byMark Rees
 
Python and the MySQL Document Store
byJesper Wisborg Krogh
 
Relational Database Access with Python
byMark Rees
 
ORM in Django
byHoang Nguyen
 
PostgreSQL
byReuven Lerner
 
Rapid and Scalable Development with MongoDB, PyMongo, and Ming
byRick Copeland
 
Oleksandr Tarasenko "ORM vs GraphQL"
byFwdays
 
ORM vs GraphQL - Python fwdays 2019
byOleksandr Tarasenko
 
pandas.(to/from)_sql is simple but not fast
byUwe Korn
 
Postgresql
byNexThoughts Technologies
 
How Pony ORM translates Python generators to SQL queries
byponyorm
 

More from Mosky Liu

PDF
Statistical Regression With Python
byMosky Liu
 
PDF
Practicing Python 3
byMosky Liu
 
PDF
Data Science With Python
byMosky Liu
 
PDF
Hypothesis Testing With Python
byMosky Liu
 
PDF
Elegant concurrency
byMosky Liu
 
PDF
Boost Maintainability
byMosky Liu
 
PDF
Beyond the Style Guides
byMosky Liu
 
PDF
Simple Belief - Mosky @ TEDxNTUST 2015
byMosky Liu
 
PDF
Concurrency in Python
byMosky Liu
 
PDF
ZIPCodeTW: Find Taiwan ZIP Code by Address Fuzzily
byMosky Liu
 
PDF
Graph-Tool in Practice
byMosky Liu
 
PDF
Minimal MVC in JavaScript
byMosky Liu
 
PDF
Learning Git with Workflows
byMosky Liu
 
PDF
Dive into Pinkoi 2013
byMosky Liu
 
PDF
Learning Python from Data
byMosky Liu
 
PDF
Introduction to Clime
byMosky Liu
 
PDF
Programming with Python - Adv.
byMosky Liu
 
PDF
Programming with Python - Basic
byMosky Liu
 
Statistical Regression With Python
byMosky Liu
 
Practicing Python 3
byMosky Liu
 
Data Science With Python
byMosky Liu
 
Hypothesis Testing With Python
byMosky Liu
 
Elegant concurrency
byMosky Liu
 
Boost Maintainability
byMosky Liu
 
Beyond the Style Guides
byMosky Liu
 
Simple Belief - Mosky @ TEDxNTUST 2015
byMosky Liu
 
Concurrency in Python
byMosky Liu
 
ZIPCodeTW: Find Taiwan ZIP Code by Address Fuzzily
byMosky Liu
 
Graph-Tool in Practice
byMosky Liu
 
Minimal MVC in JavaScript
byMosky Liu
 
Learning Git with Workflows
byMosky Liu
 
Dive into Pinkoi 2013
byMosky Liu
 
Learning Python from Data
byMosky Liu
 
Introduction to Clime
byMosky Liu
 
Programming with Python - Adv.
byMosky Liu
 
Programming with Python - Basic
byMosky Liu
 

Recently uploaded

PDF
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
PDF
DSD-INT 2025 Coupled modeling in Ribasim - Linking Water Availability and Qua...
byDeltares
 
PPTX
Cloud_Computing_Presentation FOR BCA.pptx
bysharma79822
 
PPTX
Publix Data Scraping for Grocery Prices & Store Analysis.pptx
byMobile App Scraping
 
PPTX
Lect 10-CCN.pptxhhhhuuggty7uyhiuyyuugguu
byp33908571
 
PDF
AI Concepts - MCP Neurons
byPhilip Schwarz
 
PDF
Efficient UrbanClap Clone Script from Zipprr
byZipprr Official
 
PDF
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
PPT
Agents in Artificial Intelligence used in RAG
byWilber Tuttleman
 
PDF
How ISO 27001 Automation Reduces Audit Effort and Improves Security Controls
bySoclyio
 
PDF
DSD-INT 2025 MODFLOW 6 Developments - Langevin
byDeltares
 
PPT
C++ how to program 10 edition Harvey Deitel
byatisyemen
 
PDF
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
PDF
Best SaaS Growth Strategy for 2026: Referral Programs That Retain Better
byReferral Factory
 
PDF
Ready to go Zillow Clone Script from Zipprr
byZipprr Official
 
PDF
End-to-End Web & Mobile App Development Roadmap for Modern Businesses.pdf
byNaestinn
 
PPTX
Computing Adnans presentation OTHM level 3
bymashikhossain23
 
PDF
Oracle AI Database 26ai _ AI-Native Database for Enterprises.pdf
byAstuteBusiness
 
PDF
erp software for trading business in india.pdf
byZipERP
 
PPTX
Object Oriented Programming - Lecture 02
byAbdul Baqi Malik
 
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
DSD-INT 2025 Coupled modeling in Ribasim - Linking Water Availability and Qua...
byDeltares
 
Cloud_Computing_Presentation FOR BCA.pptx
bysharma79822
 
Publix Data Scraping for Grocery Prices & Store Analysis.pptx
byMobile App Scraping
 
Lect 10-CCN.pptxhhhhuuggty7uyhiuyyuugguu
byp33908571
 
AI Concepts - MCP Neurons
byPhilip Schwarz
 
Efficient UrbanClap Clone Script from Zipprr
byZipprr Official
 
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
Agents in Artificial Intelligence used in RAG
byWilber Tuttleman
 
How ISO 27001 Automation Reduces Audit Effort and Improves Security Controls
bySoclyio
 
DSD-INT 2025 MODFLOW 6 Developments - Langevin
byDeltares
 
C++ how to program 10 edition Harvey Deitel
byatisyemen
 
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
Best SaaS Growth Strategy for 2026: Referral Programs That Retain Better
byReferral Factory
 
Ready to go Zillow Clone Script from Zipprr
byZipprr Official
 
End-to-End Web & Mobile App Development Roadmap for Modern Businesses.pdf
byNaestinn
 
Computing Adnans presentation OTHM level 3
bymashikhossain23
 
Oracle AI Database 26ai _ AI-Native Database for Enterprises.pdf
byAstuteBusiness
 
erp software for trading business in india.pdf
byZipERP
 
Object Oriented Programming - Lecture 02
byAbdul Baqi Malik
 

MoSQL: More than SQL, but less than ORM

  • 1.
  • 2.
    2 More than SQL,but Less than ORMMore than SQL, but Less than ORM MoSQLMoSQL
  • 3.
    3 OutlineOutline ● Why notSQL?Why not SQL? ● Why ORM?Why ORM? ● MoSQLMoSQL – SQL BuildersSQL Builders – Model of Result SetModel of Result Set ● ConclusionConclusion
  • 4.
  • 5.
    5 SQL SyntaxSQL Syntax ●SELECT * FROM article;SELECT * FROM article; ● SELECT * FROM article LIMIT 1;SELECT * FROM article LIMIT 1; ● add “ ORDER BY created ”?add “ ORDER BY created ”? ● add “ OFFSET 10 ”?add “ OFFSET 10 ”? ● add “ GROUP BY author ”?add “ GROUP BY author ”? ● Is “ UPDATE article WHERE title='SQL' SETIs “ UPDATE article WHERE title='SQL' SET title='ORM' ” correct?title='ORM' ” correct?
  • 6.
  • 7.
    7 SQL InjectionSQL Injection ●') or '1'='1') or '1'='1 ● ' or true; --' or true; -- ● ' or 1=1; --' or 1=1; -- ● ' or 2=2; --' or 2=2; -- ● ' or 'str'='str'; --' or 'str'='str'; -- ● ……
  • 8.
    8 It may behacker friendly.It may be hacker friendly.
  • 9.
    9 SQL seems ancient,but ...SQL seems ancient, but ...
  • 10.
    10 using SQL istheusing SQL is the FASTESTFASTEST way.way.
  • 11.
  • 12.
    12 ORM SyntaxORM Syntax classUser(Base):class User(Base): __tablename__ = 'users'__tablename__ = 'users' name = Column(String)name = Column(String) fullname = Column(String)fullname = Column(String) password = Column(String)password = Column(String)
  • 13.
    13 ORM Syntax (cont.)ORMSyntax (cont.) >>> fake_user = User('fakeuser', 'Invalid',>>> fake_user = User('fakeuser', 'Invalid', '12345')'12345') >>> session.add(fake_user)>>> session.add(fake_user) >>> for row in session.query(User,>>> for row in session.query(User, User.name).all():User.name).all(): ... print row.User, row.name... print row.User, row.name
  • 14.
  • 15.
    15 SQL InjectionSQL Injection ●' or true; --' or true; -- ● ' or 1=1; --' or 1=1; -- ● ' or 1=1; #' or 1=1; # ● ' or 1=1; /*' or 1=1; /* ● ') or '1'='1') or '1'='1 ● …… ● SaferSafer
  • 16.
  • 17.
    17 ORM seems modern,but ...ORM seems modern, but ...
  • 18.
    18 the most ofORMs are SLOW.the most of ORMs are SLOW.
  • 19.
    19 SQL < ______< ORMSQL < ______ < ORM
  • 20.
    20 SQL < MoSQL< ORMSQL < MoSQL < ORM
  • 21.
  • 22.
    22 SQL Builders (cont.)SQLBuilders (cont.) >>> from mosql.build import *>>> from mosql.build import * >>>>>> select('pycon')select('pycon') SELECT * FROM "pycon"SELECT * FROM "pycon" >>> select('pycon',>>> select('pycon', {'id': 'mosky'}{'id': 'mosky'})) SELECT * FROM "pycon" WHERE "id" = 'mosky'SELECT * FROM "pycon" WHERE "id" = 'mosky'
  • 23.
    23 SQL Builders (cont.)SQLBuilders (cont.) >>> insert('pycon',>>> insert('pycon', {'yr': 2013, 'id': 'masky'}{'yr': 2013, 'id': 'masky'})) INSERT INTO "pycon" ("id", "yr") VALUES ('masky', 2013)INSERT INTO "pycon" ("id", "yr") VALUES ('masky', 2013) >>> update('pycon',>>> update('pycon', ...... where={'id': 'masky'}where={'id': 'masky'},, ...... set ={'id': 'mosky'}set ={'id': 'mosky'} ... )... ) UPDATE "pycon" SET "id"='mosky' WHERE "id" = 'masky'UPDATE "pycon" SET "id"='mosky' WHERE "id" = 'masky'
  • 24.
    24 SQL Builders (cont.)SQLBuilders (cont.) ● insert(table,insert(table, setset, …), …) ● select(table,select(table, wherewhere, …), …) ● update(table,update(table, wherewhere,, setset, …), …) ● delete(table,delete(table, wherewhere, …), …) ● ......
  • 25.
    25 If you likeit,If you like it,
  • 26.
    26 sudo pip installmosqlsudo pip install mosql
  • 27.
    27 Model of ResultSetModel of Result Set
  • 28.
    28 Model: Configure ConnectionModel:Configure Connection import psycopg2.poolimport psycopg2.pool from mosql.result import Modelfrom mosql.result import Model pool = psycopg2.pool.SimpleConnectionPool(1, 5,pool = psycopg2.pool.SimpleConnectionPool(1, 5, database='mosky')database='mosky') class PostgreSQL(Model):class PostgreSQL(Model): getconn = pool.getconngetconn = pool.getconn putconn = pool.putconnputconn = pool.putconn
  • 29.
    29 Model: Set theName of TableModel: Set the Name of Table class Person(PostgreSQL):class Person(PostgreSQL): table = 'person'table = 'person' >>> Person.select(>>> Person.select({'person_id': 'mosky'}{'person_id': 'mosky'})) {'name': ['Mosky Liu'], 'person_id': ['mosky']}{'name': ['Mosky Liu'], 'person_id': ['mosky']} >>> Person.where(person_id=>>> Person.where(person_id=('andy', 'mosky')('andy', 'mosky'))) {'name': ['Andy Warhol', 'Mosky Liu'], 'person_id':{'name': ['Andy Warhol', 'Mosky Liu'], 'person_id': ['andy', 'mosky']}['andy', 'mosky']}
  • 30.
    30 Model: Make QueriesModel:Make Queries Person.Person.selectselect({'person_id': 'mosky'})({'person_id': 'mosky'}) Person.Person.insertinsert({'person_id': 'tina'})({'person_id': 'tina'}) Person.Person.updateupdate(( where={'person_id': 'mosky'},where={'person_id': 'mosky'}, set ={'name' : 'Yiyu Liu'}set ={'name' : 'Yiyu Liu'} )) Person.Person.deletedelete({'person_id': 'tina'})({'person_id': 'tina'})
  • 31.
    31 Model: Squash ColumnsModel:Squash Columns class Person(PostgreSQL):class Person(PostgreSQL): table = 'person'table = 'person' squashed = set(['person_id', 'name'])squashed = set(['person_id', 'name']) >>> Person.select({'person_id': 'mosky'})>>> Person.select({'person_id': 'mosky'}) {'name':{'name': 'Mosky Liu''Mosky Liu', 'person_id':, 'person_id': 'mosky''mosky'}} >>> Person.where(person_id=('andy', 'mosky'))>>> Person.where(person_id=('andy', 'mosky')) {'name':{'name': 'Andy Warhol''Andy Warhol', 'person_id':, 'person_id': 'andy''andy'}}
  • 32.
    32 Model: ArrangeModel: Arrange classPerson(PostgreSQL):class Person(PostgreSQL): ...... arrange_by = ('person_id', )arrange_by = ('person_id', ) >>> for person in Person.arrange(>>> for person in Person.arrange({'person_id':{'person_id': ('andy', 'mosky')}('andy', 'mosky')}):): ... print person... print person {'name': 'Andy Warhol', 'person_id': 'andy'}{'name': 'Andy Warhol', 'person_id': 'andy'} {'name': 'Mosky Liu', 'person_id': 'mosky'}{'name': 'Mosky Liu', 'person_id': 'mosky'}
  • 33.
    33 Model: Arrange (cont.)Model:Arrange (cont.) >>> for detail in>>> for detail in DetailDetail.arrange({'person_id':.arrange({'person_id': ('mosky', 'andy')}):('mosky', 'andy')}): ... print detail... print detail ...... {'detail_id': [5],{'detail_id': [5], 'key': 'email','key': 'email', 'person_id': 'andy','person_id': 'andy', 'val': ['andy@gmail.com']}'val': ['andy@gmail.com']} ......
  • 34.
    34 Model: FindModel: Find classPerson(PostgreSQL):class Person(PostgreSQL): ...... arrange_by = ('person_id', )arrange_by = ('person_id', ) >>> for person in Person.>>> for person in Person.findfind((person_id=('andy',person_id=('andy', 'mosky')'mosky')):): ... print person... print person {'name': 'Andy Warhol', 'person_id': 'andy'}{'name': 'Andy Warhol', 'person_id': 'andy'} {'name': 'Mosky Liu', 'person_id': 'mosky'}{'name': 'Mosky Liu', 'person_id': 'mosky'}
  • 35.
    35 Model: Identify aRowModel: Identify a Row class Person(PostgreSQL):class Person(PostgreSQL): ...... ident_by = ('person_id', )ident_by = ('person_id', )
  • 36.
    36 Model: ModificationModel: Modification >>>p = Person.where(person_id='mosky')>>> p = Person.where(person_id='mosky') >>>>>> p['name'] = 'Yiyu Liu'p['name'] = 'Yiyu Liu' >>>>>> p.name = 'Yiyu Liu'p.name = 'Yiyu Liu' >>> p.save()>>> p.save() >>> d =>>> d = DetailDetail.where(.where(person_id='mosky', key='email'person_id='mosky', key='email')) >>>>>> p['val'][0] = '<modified email>'p['val'][0] = '<modified email>' >>>>>> p.val[0] = '<modified email>'p.val[0] = '<modified email>' >>> p.save()>>> p.save()
  • 37.
    37 Model: Pop andAppendModel: Pop and Append >>> d = Detail.where(>>> d = Detail.where(person_id='mosky', key='email'person_id='mosky', key='email')) >>>>>> p.pop(-1)p.pop(-1) >>>>>> p.append({'val': '<new mail>'})p.append({'val': '<new mail>'}) >>> p.save()>>> p.save()
  • 38.
    38 Model: Default ClausesModel:Default Clauses class Person(PostgreSQL):class Person(PostgreSQL): ...... clauses = dict(clauses = dict( order_by=('person_id', )order_by=('person_id', ) ))
  • 39.
    39 PerformancePerformance ● AboutAbout 4x4x fasterthan SQLAlchemy.faster than SQLAlchemy. ● Just a little bit slower than pure SQL.Just a little bit slower than pure SQL.
  • 40.
    40 SecuritySecurity ● Security bydefault.Security by default. ● Use escaping technique.Use escaping technique. ● Prevent SQL injection from both valuePrevent SQL injection from both value and identifier.and identifier. ● Passed the tests fromPassed the tests from sqlmapsqlmap at level=5at level=5 and risk=3.and risk=3.
  • 41.
    41 ConclusionConclusion ● Easy-to-LearnEasy-to-Learn ● ConvenientConvenient ●FasterFaster ● SecureSecure ● sudo pip install mosqlsudo pip install mosql ● http://mosql.mosky.tw/http://mosql.mosky.tw/ ● Welcome to fork!Welcome to fork!