def index(req):
sid = req.form.getfirst('sid', '')
feedOrdinal = req.form.getfirst('feed_ordinal', '')
feedId = req.form.getfirst('feed_id', '')
feedOrdinal = int(feedOrdinal)
if feedOrdinal < 0 or feedOrdinal > 6:
return 'Invalid Article Number'
feedOrdinal = feedOrdinal + 1
fieldName = 'feed' + str(feedOrdinal)
# connect to database
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
sql = "SELECT user_id FROM session WHERE session = '%s'" % (db.escape_string(sid))
cursor = db.cursor()
cursor.execute(sql)
result = cursor.fetchone()
if result:
# valid sid
userId = result[0]
sql = "UPDATE user_prefs SET %s = %s WHERE user = %s" % (fieldName, feedId, userId)
logMsg(sql)
cursor.execute(sql)
db.commit()
else:
logMsg('Logout, SID NOT FOUND --->' + sid)
return 'Invalid Request'
return 'OK'
def index(req):
email = req.form.getfirst('email', '')
password = req.form.getfirst('pw', '')
displayName = 'Guest'
returnString = validateInputData(req)
if returnString == '':
# we know we have valid data at this point.
# connect to database
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
sql = "SELECT id, display_name FROM user WHERE email = '%s' AND password = '******'" % (db.escape_string(email), password)
cursor = db.cursor()
cursor.execute(sql)
result = cursor.fetchone()
if result:
userId = result[0]
displayName = result[1]
# valid login, we have display name
# first see if this user already has
# an active session and if so use it
session = getSidForUserName(cursor, displayName)
if session == '':
# if necessary we create a new session for this user
newSid = createSessionForUserName(db, cursor, displayName, userId)
returnString = "OK|%s|%s" % (newSid, displayName)
else:
returnString = "OK|%s|%s" % (session, displayName)
else:
returnString = 'Error - Invalid Login!'
return returnString
def index(req):
# these are the field names
# I expect from the form.
formFields = ['name', 'type', 'url', 'category', 'author', 'image_name']
sessionId = req.form.getfirst('sid', '')
# get user id based on session id here
userId = str(1)
returnString = validateInputData(req)
#logMsg('CreateDataSource validate response = ' + returnString);
if returnString == '':
# we know we have valid data at this point.
# we use db names for form field names
# to remove the need for translation
# this is just done for speed of prototyping!
sqlFieldNames = "INSERT INTO data_source ("
sqlFieldValues = " VALUES ("
for field in formFields:
fieldValue = req.form.getfirst(field, '')
# Escape the user input to avoid script injection attacks
fieldValue = escape(fieldValue)
# Add the field to the sql strings
sqlFieldNames = sqlFieldNames + field + ","
sqlFieldValues = sqlFieldValues + "'" + fieldValue + "',"
imagePath = "'user_photos/'"
sqlFieldNames = sqlFieldNames + 'image_path, created_by, created_date, last_updated_by, last_updated_date)'
sqlFieldValues = sqlFieldValues + imagePath + ", " + userId + ", NOW(), " + userId + ", NOW())"
finalSql = sqlFieldNames + sqlFieldValues
#logMsg(finalSql)
# connect to database
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
cursor = db.cursor()
cursor.execute(finalSql)
db.commit()
data_source_id = cursor.lastrowid
returnString = "Id:%s" % (data_source_id)
return returnString
def index(req):
sessionId = req.form.getfirst('sid', '')
#logMsg('get prefs called for sid ' + sessionId);
# connect to database
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
cursor = db.cursor()
# could get everything with a fancy
# join but will take a shortcut here
sql = "SELECT up.feed1, up.feed2, up.feed3, up.feed4, up.feed5, up.feed6, up.feed7 FROM user_prefs up JOIN session s ON (s.user_id = up.user) WHERE s.session = '%s'" % (sessionId)
cursor.execute(sql)
result = cursor.fetchone()
feedList = ""
orderArray = []
if not result:
# if error
feedList = "('1', '2', '3', '4', '5', '6', '7')"
orderArray = ['1', '2', '3', '4', '5', '6', '7']
else:
feedList = "('%s', '%s', '%s', '%s', '%s', '%s', '%s')" % (result[0], result[1],result[2],result[3],result[4],result[5],result[6])
orderArray = [result[0], result[1],result[2],result[3],result[4],result[5],result[6]]
sql = "SELECT ds.id, ds.name, ds.type, ds.url, c.name, ds.author, ds.image_name, ds.image_path FROM data_source ds JOIN category c ON (ds.category = c.id) WHERE ds.id IN " + feedList
cursor.execute(sql)
index = 0
orderedResults = [1,2,3,4,5,6,7]
results = cursor.fetchall()
for result in results:
feedId = str(result[0])
offsets = getOrdinalForFeedId(feedId, orderArray)
for offset in offsets:
tmpObj = {feedId:{'feedName':result[1], 'feedType':str(result[2]), 'feedUrl':result[3], 'feedCategory':result[4], 'feedAuthor':result[5], 'feedImageName':result[6], 'feedImagePath':result[7]}}
orderedResults[offset] = tmpObj
returnString = "userPrefDataSources = " + str(orderedResults) + ";"
#logMsg('get prefs returns --->' + returnString);
return returnString
def index(req):
sid = req.form.getfirst('sid', '')
# connect to database
#db = MySQLdb.connect(host='localhost', db='meyenews', user='******', passwd='w00t')
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
sql = "SELECT id FROM session WHERE session = '%s'" % (db.escape_string(sid))
cursor = db.cursor()
cursor.execute(sql)
result = cursor.fetchone()
if result:
# valid sid
sql = "DELETE FROM session WHERE id = %s" % (result[0])
cursor.execute(sql)
db.commit()
logMsg('Logout, SID Removed --->' + sid)
else:
logMsg('Logout, SID NOT FOUND --->' + sid)
return 'OK'
def index(req):
sid = req.form.getfirst('sid', '')
returnString = 'Invalid SID'
file = req.form.getfirst('file', '')
# connect to database
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
sql = "SELECT user_id FROM session WHERE session = '%s'" % (db.escape_string(sid))
cursor = db.cursor()
cursor.execute(sql)
result = cursor.fetchone()
#if result:
if True:
# valid sid
#userId = result[0]
#returnString = 'UserID=' + str(userId)
filepath = "/home/ken/sites/meyenews/user_photos/"
# A nested Field object holds the file
fileitem = req.form['file']
# BUG - checks missing
# 1) strip leading path from file name to avoid
# directory traversal attacks
# 2) missing validation of sid!!!
# 3) max file size check missing
# 4) a file by that name al,ready exists
filename = fileitem.filename
fname = "%s%s" % (filepath,filename)
logMsg('\nUploadFile: filename --->' + fname)
# save the image data to the filesystem
open(fname, 'wb').write(file.file.read())
return 'OK'
def index(req):
sessionId = req.form.getfirst('sid', '')
# connect to database
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
cursor = db.cursor()
sql = "SELECT ds.id, ds.name, ds.type, ds.url, c.name, ds.author, ds.image_name, ds.image_path FROM data_source ds JOIN category c ON (ds.category = c.id)"
cursor.execute(sql)
returnString = "globalDataSources = { "
results = cursor.fetchall()
for result in results:
tmpString = "'%s':{'feedName':'%s', 'feedType':'%s', 'feedUrl':'%s', 'feedCategory':'%s', 'feedAuthor':'%s', 'feedImageName':'%s', 'feedImagePath':'%s'}," % (result[0], result[1], result[2], result[3], result[4], result[5], result[6], result[7])
returnString = returnString + tmpString
returnString = returnString[:-1]
returnString = returnString + " };"
#logMsg(returnString);
return returnString
def validateInputData(req):
# TODO type is valid across domain table
# non-db type validations - input data values
# verify we have a valid user ID
sessionId = req.form.getfirst('sid', '')
if len(sessionId) < 5:
return 'Error - invalid session'
name = req.form.getfirst('name', '')
if len(name) < 2:
return 'Error - invalid name'
url = req.form.getfirst('url', '')
if len(url) < 2:
return 'Error - invalid url'
category = req.form.getfirst('category', '')
# all input data is valid so now we need to do
# some semantic validation
thisUserId = 0
# first make sure category exists
db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
cursor = db.cursor()
sql = "SELECT id FROM category WHERE id = '%s'" % (category)
cursor.execute(sql)
result = cursor.fetchone()
if not result:
return 'Error - invalid category'
# next make sure this is the only feed
# by this name for this category
sql = "SELECT id FROM data_source WHERE name = '%s' AND category = '%s'" % (name, category)
cursor.execute(sql)
result = cursor.fetchone()
if result:
return 'Error - a data source by name this already exists in this category'
sql = "SELECT user_id FROM session WHERE session = '%s'" % (sessionId)
cursor.execute(sql)
result = cursor.fetchone()
if not result:
return 'Error - invalid user'
else:
thisUserId = result[0]
# finally make sure this name + url are unique
sql = "SELECT category FROM data_source WHERE name = '%s' AND url = '%s'" % (name, url)
cursor.execute(sql)
result = cursor.fetchone()
if result:
return 'Error - a data source with this name and url already exists in category:' + str(result[0])
# otherwise request passes validation
return ''