Part V — Application Integration

"A database does not live alone. It lives behind an application — and the seam between your code and your data is where some of the most expensive bugs and the most dangerous security holes are born."

So far you have worked with the database directly, through psql and SQL. But in the real world a database almost always sits behind application code: a web server, a data pipeline, an analytics job. Part V is about that boundary — how to cross it correctly, efficiently, and safely. It is the most code-heavy part of the book, and it is where Python finally joins SQL as a working partner.

This part also confronts the uncomfortable truth that the seam between application and database is where security goes to die. SQL injection — still, decades later, one of the most common and most devastating web vulnerabilities — lives precisely here, and you will learn not just what it is but how a single habit (parameterized queries) removes it from every place your code passes a value into SQL. The one thing a parameter cannot carry is an identifier: a table or column name chosen at runtime needs the driver's quoting-aware mechanism instead, and Chapter 29 covers that case too.

What you will learn

  • Chapter 29 — Connecting Applications. Connecting Python to PostgreSQL with psycopg2: connection management and pooling, executing queries from code, always-parameterized queries (never string concatenation), handling results, transactions from application code, and the repository pattern.
  • Chapter 30 — ORMs & SQLAlchemy. What an object-relational mapper does and doesn't do: SQLAlchemy Core vs. ORM, defining models and relationships, the infamous N+1 query problem, eager vs. lazy loading, and the central lesson — an ORM is a convenience, not a substitute for knowing SQL.
  • Chapter 31 — Bulk Data & ETL. Moving data at scale: COPY (orders of magnitude faster than row-by-row INSERT), bulk loading and unloading, import/export formats, staging tables, and the foundations of ETL/ELT pipelines — loading Mercado's 100K-row dataset the fast way.
  • Chapter 32 — Database Security. SQL injection and how parameterized queries prevent it; PostgreSQL roles and privileges (GRANT/REVOKE); row-level security; encryption in transit and at rest; backup/restore; audit logging; and the data-privacy implications (GDPR) of how you design and access data.

Why this part matters

Two themes converge here. SQL is a language you must still know even when an ORM is writing it for you — Chapter 30 shows exactly what goes wrong when developers treat the ORM as a black box (hello, N+1). And understanding the WHY turns security from a checklist into instinct: once you understand why injection works, you will never again build a query by gluing strings together, and once you understand why COPY is fast, you will never load a million rows with a million INSERTs.
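A worked illustration of why injection works and why parameters stop it, added here as an editor's example (it is not code from the book's chapters). It assumes Python's standard-library sqlite3 as a stand-in for PostgreSQL so it runs without a server; the mechanism is identical in psycopg2, where the placeholder is %s instead of ? and the values are passed as the same tuple. The users table, its three rows and the two attack strings are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny users table standing in for Mercado's schema.
# Assumption: sqlite3 is a stand-in for PostgreSQL; the injection mechanism is
# driver-independent (psycopg2 would use %s where sqlite3 uses ?).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (email, is_admin) VALUES (?, ?)",
        [("alice@example.com", 0), ("bob@example.com", 0), ("root@example.com", 1)],
    )
    return conn


def find_user_unsafe(conn, email):
    # VULNERABLE on purpose: the caller's string is spliced into the SQL text,
    # so the database parses whatever the caller wrote as part of the query.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # Parameterized: the SQL text is a fixed literal with a placeholder, and the
    # value travels separately. The driver never re-parses the value as SQL,
    # so quotes, OR, UNION and comment markers inside it are just characters.
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads (constructed). The first turns the WHERE clause into a
# tautology; the second appends a UNION that pulls the admin row and comments
# out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_ADMIN = "x' UNION SELECT id, email FROM users WHERE is_admin = 1 --"


def demo():
    conn = make_db()
    return {
        "legit_unsafe": find_user_unsafe(conn, "alice@example.com"),
        "legit_safe": find_user_safe(conn, "alice@example.com"),
        "tautology_unsafe": find_user_unsafe(conn, TAUTOLOGY),  # leaks every row
        "tautology_safe": find_user_safe(conn, TAUTOLOGY),      # matches nothing
        "union_unsafe": find_user_unsafe(conn, UNION_ADMIN),    # leaks the admin
        "union_safe": find_user_safe(conn, UNION_ADMIN),        # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

Both functions behave identically for a legitimate email, which is exactly why the bug survives code review: nothing looks wrong until an attacker supplies the input. Note that the safe version does not "escape" anything; it simply never lets the value become SQL text, which is why it cannot be bypassed by a cleverer quoting trick.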

For every learning path

💻 Developers should treat this entire part as core — this is the daily reality of building applications on a database. 🏗️ DBAs will focus on Chapters 31 and 32 (bulk operations, security, backup). 📊 Analysts and data scientists will get the most from Chapters 29 and 31 — connecting from Python and moving data efficiently is the bridge between SQL and pandas. 🔬 CS students should not treat security (Chapter 32) as optional; it is among the most important professional knowledge in the book.

The progressive project takes a big step forward here: your database stops being something you query by hand and becomes the backing store of a real application. Let's connect the two worlds.

Chapters in This Part