
feat: add stagingquery quickstart for purchases #375


Merged
merged 2 commits into from
Feb 14, 2025

Conversation

tchow-zlai
Collaborator

@tchow-zlai tchow-zlai commented Feb 13, 2025

Summary

Checklist

  • Added Unit Tests
  • Covered by existing CI
  • Integration tested
  • Documentation update

Summary by CodeRabbit

  • New Features
    • Introduced a new query to retrieve purchase records with date range filtering.
    • Enhanced data retrieval by including additional contextual metadata for improved insights.


coderabbitai bot commented Feb 13, 2025

Walkthrough

A new SQL query is introduced in the purchases module to retrieve purchase data from the database. The query, defined as a multi-line string, selects specific fields from the data.purchases table using placeholders for a date range. Additionally, a StagingQuery object is created with a fixed startPartition date ("2023-10-31") and associated metadata (query name and output namespace).

Changes

File Path Change Summary
api/py/test/.../quickstart/purchases.py Added a multi-line SQL query for purchase data retrieval; introduced a StagingQuery object with a fixed startPartition and associated MetaData.

Sequence Diagram(s)

sequenceDiagram
    participant App as Application
    participant SQ as StagingQuery
    participant DB as Database

    App->>SQ: Request purchase data (date range)
    SQ->>DB: Execute SQL query with placeholders
    DB-->>SQ: Return queried data
    SQ-->>App: Deliver purchase results

Suggested reviewers

  • varant-zlai
  • piyush-zlai
  • nikhil-zlai
  • david-zlai

Poem

In code's quiet realm, a query is born,
Staging data at the break of dawn.
SQL strings weave a tale so bright,
With metadata shining through the night.
Cheers to code that makes data dance with delight! 🎉

Warning

Review ran into problems

🔥 Problems

GitHub Actions and Pipeline Checks: Resource not accessible by integration - https://docs.github.com/rest/actions/workflow-runs#list-workflow-runs-for-a-repository.

Please grant the required permissions to the CodeRabbit GitHub App under the organization or repository settings.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between 2010a0b and 97d9870.

📒 Files selected for processing (1)
  • api/py/test/sample/group_bys/quickstart/purchases.py (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: non_spark_tests
  • GitHub Check: enforce_triggered_workflows
🔇 Additional comments (1)
api/py/test/sample/group_bys/quickstart/purchases.py (1)

18-18: LGTM!

Clean import of required types.

Comment on lines 85 to 92
staging_query = StagingQuery(
    query=query,
    startPartition="2023-10-31",
    metaData=MetaData(
        name='purchases_staging_query',
        outputNamespace="data"
    )
)

🛠️ Refactor suggestion

Avoid hard-coded dates.

Make startPartition configurable.

-    startPartition="2023-10-31",
+    startPartition=config.get('STAGING_START_DATE'),
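Review bot: `config` in `startPartition=config.get('STAGING_START_DATE')` is not imported or defined in any of the lines shown for this file (the only import the review mentions is the one at line 18 for the types), so the suggestion as written would raise NameError when the sample module is loaded, and `config.get` with no default silently yields `None` as `startPartition` whenever the variable is unset. If the date is to be configurable, the suggestion needs the import and an explicit failure when the value is missing; for a quickstart sample bound to fixed sample data, a literal partition date with a comment naming the dataset it matches is the simpler fix.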

Comment on lines 73 to 83
query = """
SELECT
    ts,
    ds,
    purchase_id,
    user_id,
    product_id,
    purchase_price
FROM data.purchases
WHERE ds BETWEEN '{{ start_date }}' AND '{{ end_date }}'
"""

💡 Verification agent

⚠️ Potential issue

🧩 Analysis chain

Add SQL injection protection.

Template variables need proper escaping.


🌐 Web query:

What are the best practices for preventing SQL injection in Python template strings?

💡 Result:

To prevent SQL injection when using Python template strings, follow these best practices informed by database security standards and Python-specific guidelines:

Use Parameterized Queries (Prepared Statements)

Primary defense recommended by OWASP[5] and Python security experts[1][3][4]:

# SAFE: Using query parameters
cursor.execute(
    "SELECT * FROM users WHERE username = %s AND password = %s",
    (username, password)
)
  • Parameters are passed separately from SQL commands[1][4]
  • Database drivers handle proper escaping automatically[3][6]
  • Supported by all major Python DB APIs (psycopg2, MySQLdb, etc)[6]

Avoid String Interpolation Methods

Never use these for SQL:

# UNSAFE: f-strings[5][9]
cursor.execute(f"SELECT * FROM users WHERE username = '{username}'")

# UNSAFE: .format() or %-formatting[3][8]
query = "SELECT * FROM users WHERE username = '{}'".format(username)
cursor.execute(query)

These allow direct injection of raw SQL through user input[1][4].

Use ORM Libraries

Recommended for complex applications[3][6]:

# SAFE: SQLAlchemy example
from sqlalchemy import text
query = text("SELECT * FROM users WHERE username = :username")
result = session.execute(query, {"username": username})

ORMs provide:

  • Automatic parameterization[3]
  • Type-safe query construction[6]
  • Database abstraction layer[3]

Validate/Sanitize Inputs When Needed

For non-parameterizable elements like table names:

# Validate the identifier against an allow-list of known table names
allowed_tables = {"users", "products"}
if table_name not in allowed_tables:
    raise ValueError("Invalid table name")

# Only the allow-listed identifier is spliced into the SQL text (identifiers
# cannot be bound as parameters); the value still travels as a bound parameter
cursor.execute(f"SELECT * FROM {table_name} WHERE id = %s", (user_id,))

Key Security Principles

  1. Separation of code and data: Treat user input as values never as executable code[1][5]
  2. Least privilege: Database connections should use restricted accounts[5][6]
  3. Defense in depth: Combine with input validation and output encoding[2][5]

Modern Python database adapters implement RFC 5427 parameter binding standards[6], making parameterized queries both safe and efficient across PostgreSQL, MySQL, SQLite and other databases[1][4]. For dynamic SQL elements like table names, use allow-list validation rather than blacklist approaches[5][6].


SQL Injection Protection: Use Parameterized Queries

  • Replace unsafe template interpolation with query placeholders.
  • Pass date values as parameters to the execute method.
  • For example, update the code to:
query = """
SELECT
    ts,
    ds,
    purchase_id,
    user_id,
    product_id,
    purchase_price
FROM data.purchases
WHERE ds BETWEEN %s AND %s
"""
cursor.execute(query, (start_date, end_date))

Co-authored-by: Thomas Chow <[email protected]>
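An added example (not code from this PR or the project) that exercises the two defences discussed in the review above against the quickstart's own query. It assumes a small renderer standing in for the framework's `{{ start_date }}`/`{{ end_date }}` substitution, SQLite in place of the warehouse with a constructed `data.purchases` table, and a constructed hostile `end_date`. Nothing in the file shown executes the query through a DB-API cursor, so the parameterised variant applies only where such a driver is in the loop; the allow-list check is what protects plain template substitution.

```python
import re
import sqlite3
from datetime import date

# The quickstart's staging query, copied from the PR, with its two placeholders.
# In the project the StagingQuery job fills them in; a renderer stands in here.
QUERY_TEMPLATE = """
SELECT
    ts,
    ds,
    purchase_id,
    user_id,
    product_id,
    purchase_price
FROM data.purchases
WHERE ds BETWEEN '{{ start_date }}' AND '{{ end_date }}'
"""

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def naive_render(template: str, **values: str) -> str:
    """Unsafe: splice whatever string was supplied straight into the SQL text."""
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def render_query(template: str, **values: str) -> str:
    """Splice only values that parse as a partition date (YYYY-MM-DD).

    Template substitution is string splicing, so the defence is an allow-list on
    what may be spliced: each value must be a valid ISO date, and the canonical
    isoformat() of the parsed date is inserted, never the raw input.
    """

    def _sub(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {name}")
        try:
            parsed = date.fromisoformat(values[name])
        except (TypeError, ValueError):
            raise ValueError(
                f"placeholder {name} must be a YYYY-MM-DD date, got {values[name]!r}"
            ) from None
        return parsed.isoformat()

    return _PLACEHOLDER.sub(_sub, template)


# Parameterised form of the same query for a DB-API driver: the two quoted
# placeholders become '?' markers and the dates travel as bound parameters.
PARAMETERIZED_QUERY = QUERY_TEMPLATE.replace("'{{ start_date }}'", "?").replace(
    "'{{ end_date }}'", "?"
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: in-memory SQLite with a data.purchases table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS data")  # so data.purchases resolves
    conn.execute(
        "CREATE TABLE data.purchases (ts INTEGER, ds TEXT, purchase_id INTEGER,"
        " user_id INTEGER, product_id INTEGER, purchase_price REAL)"
    )
    rows = [  # constructed rows, one per partition day
        (1698624000000, "2023-10-30", 1, 10, 100, 9.99),
        (1698710400000, "2023-10-31", 2, 11, 101, 19.99),
        (1698796800000, "2023-11-01", 3, 12, 102, 29.99),
        (1698883200000, "2023-11-02", 4, 13, 103, 39.99),
    ]
    conn.executemany("INSERT INTO data.purchases VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def run_sql(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> list:
    return conn.execute(sql, params).fetchall()


# Constructed hostile end_date: closes the literal, ORs in a tautology,
# and comments out the closing quote that follows in the template.
PAYLOAD = "2023-11-01' OR 1=1 --"


def demo() -> dict:
    """Run the honest range and the payload through each path; return row counts."""
    conn = build_sample_db()
    honest = render_query(QUERY_TEMPLATE, start_date="2023-10-31", end_date="2023-11-01")
    try:
        render_query(QUERY_TEMPLATE, start_date="2023-10-31", end_date=PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    unsafe = naive_render(QUERY_TEMPLATE, start_date="2023-10-31", end_date=PAYLOAD)
    return {
        "honest_rendered": len(run_sql(conn, honest)),
        "payload_rejected_by_validating_renderer": rejected,
        "payload_naive_rendered": len(run_sql(conn, unsafe)),
        "payload_as_bound_parameter": len(
            run_sql(conn, PARAMETERIZED_QUERY, ("2023-10-31", PAYLOAD))
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the hostile `end_date` returning all four rows when spliced in unchecked, being rejected with `ValueError` by the validating renderer, and returning the same two rows as the honest range when bound as a parameter, because a bound value is only ever compared as a string and never parsed as SQL.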

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
api/py/test/sample/staging_queries/quickstart/purchases.py (1)

19-29: Consider adding ORDER BY clause.

Query might benefit from explicit ordering by timestamp.

 FROM data.purchases
 WHERE ds BETWEEN '{{ start_date }}' AND '{{ end_date }}'
+ORDER BY ts ASC
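Review bot: `ORDER BY ts ASC` here is a global sort over every row the `BETWEEN` on the line above selects for the whole date range; nothing in the walkthrough or in the query itself names a consumer that depends on ordered output, so the nitpick should identify one before the sort is added, or be dropped.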
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between 97d9870 and 06bf7fd.

📒 Files selected for processing (1)
  • api/py/test/sample/staging_queries/quickstart/purchases.py (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: non_spark_tests
  • GitHub Check: enforce_triggered_workflows
🔇 Additional comments (1)
api/py/test/sample/staging_queries/quickstart/purchases.py (1)

31-38: Hardcoded date needs review.

Fixed startPartition date "2023-10-31" might need parameterization.

@tchow-zlai tchow-zlai merged commit 95d61f6 into main Feb 14, 2025
6 checks passed
@tchow-zlai tchow-zlai deleted the tchow/quickstart-stagingquery branch February 14, 2025 07:27
@coderabbitai coderabbitai bot mentioned this pull request Mar 5, 2025
4 tasks
kumar-zlai pushed a commit that referenced this pull request Apr 25, 2025
## Summary

## Checklist
- [ ] Added Unit Tests
- [ ] Covered by existing CI
- [ ] Integration tested
- [ ] Documentation update
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Introduced a new query to retrieve purchase records with date range
filtering.
- Enhanced data retrieval by including additional contextual metadata
for improved insights.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

<!-- av pr metadata
This information is embedded by the av CLI when creating PRs to track
the status of stacks when using Aviator. Please do not delete or edit
this section of the PR.
```
{"parent":"main","parentHead":"","trunk":"main"}
```
-->

---------

Co-authored-by: Thomas Chow <[email protected]>
kumar-zlai pushed a commit that referenced this pull request Apr 29, 2025
@coderabbitai coderabbitai bot mentioned this pull request May 6, 2025
4 tasks
chewy-zlai pushed a commit that referenced this pull request May 15, 2025
chewy-zlai pushed a commit that referenced this pull request May 15, 2025
chewy-zlai pushed a commit that referenced this pull request May 16, 2025
2 participants