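def index(req):
  """Store the caller's feed choice for one of the seven feed slots.

  Request parameters (all read from ``req.form``):
    sid          -- session token; must match a row in ``session``.
    feed_ordinal -- slot index, 0..6; mapped to column ``feed1``..``feed7``.
    feed_id      -- value written into that column for the session's user.

  Returns one of the plain strings 'Invalid Article Number',
  'Invalid Request' or 'OK'.
  """
  sid = req.form.getfirst('sid', '')
  feedOrdinal = req.form.getfirst('feed_ordinal', '')
  feedId = req.form.getfirst('feed_id', '')

  # Reject anything that is not an integer in 0..6 up front; a non-numeric
  # value used to raise ValueError here and surface as a server error.
  try:
    feedOrdinal = int(feedOrdinal)
  except (TypeError, ValueError):
    return 'Invalid Article Number'
  if feedOrdinal < 0 or feedOrdinal > 6:
    return 'Invalid Article Number'

  # The column name is derived only from the validated integer, so it carries
  # no attacker-controlled text; it is the one part of the statement that
  # cannot be a bind parameter.
  fieldName = 'feed' + str(feedOrdinal + 1)

  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  try:
    cursor = db.cursor()
    # Bind sid instead of formatting it into the statement.
    cursor.execute("SELECT user_id FROM session WHERE session = %s", (sid,))
    result = cursor.fetchone()
    if not result:
      # NOTE(review): this logs the raw session token; consider truncating it.
      logMsg('Logout, SID NOT FOUND --->' + sid)
      return 'Invalid Request'

    userId = result[0]
    # feed_id was previously spliced into the UPDATE unescaped (SQL
    # injection); it and user_id are now bound parameters.  Only the column
    # name is formatted in, and the %%s placeholders survive as %s.
    sql = "UPDATE user_prefs SET %s = %%s WHERE user = %%s" % (fieldName,)
    logMsg(sql)  # log the statement template only, never the bound values
    cursor.execute(sql, (feedId, userId))
    db.commit()
  finally:
    db.close()

  return 'OK'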
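def index(req):
  """Log the caller out by deleting the session row that matches ``sid``.

  Always returns 'OK'; an unknown sid is only logged, not reported to the
  client, so the response does not reveal whether a token was valid.
  """
  sid = req.form.getfirst('sid', '')

  # Credentials come from configuration only.  NOTE(review): the old
  # commented-out connect line in this block held a literal password; if that
  # value was ever real, rotate it.
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  try:
    cursor = db.cursor()
    # Bind sid rather than splicing the escaped string into the statement.
    cursor.execute("SELECT id FROM session WHERE session = %s", (sid,))
    result = cursor.fetchone()
    if result:
      # The id comes from the database row, but binding it is still cheaper
      # and safer than formatting it in.
      cursor.execute("DELETE FROM session WHERE id = %s", (result[0],))
      db.commit()
      logMsg('Logout, SID Removed --->' + sid)
    else:
      logMsg('Logout, SID NOT FOUND --->' + sid)
  finally:
    db.close()

  return 'OK'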
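def index(req):
  """Save an uploaded photo for the session owner under user_photos/.

  Request parameters: ``sid`` (session token, must exist in ``session``) and
  ``file`` (a multipart file field).  Returns 'Invalid SID' when the session
  is unknown, 'Invalid Request' when the upload is missing, has an unsafe
  name, already exists on disk or exceeds MAX_UPLOAD_BYTES, and 'OK' once the
  file has been written.
  """
  import errno
  import os
  import re

  # Upper bound on a single upload.  NOTE(review): value chosen for review,
  # tune it to the real photo policy.
  MAX_UPLOAD_BYTES = 5 * 1024 * 1024
  # Only plain file names: no separators, no leading dot, no control chars.
  SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')

  sid = req.form.getfirst('sid', '')
  returnString = 'Invalid SID'

  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  try:
    cursor = db.cursor()
    # Bind sid instead of formatting it into the statement.
    cursor.execute("SELECT user_id FROM session WHERE session = %s", (sid,))
    result = cursor.fetchone()
  finally:
    db.close()

  # The session check used to be bypassed with `if True:`; an unknown sid now
  # stops the request before anything touches the filesystem.
  if not result:
    logMsg('UploadFile, SID NOT FOUND --->' + sid)
    return returnString

  filepath = "/home/ken/sites/meyenews/user_photos/"

  try:
    fileitem = req.form['file']
  except KeyError:
    return 'Invalid Request'
  # A multi-valued field comes back as a list; a non-file field has no .file.
  if isinstance(fileitem, list) or not hasattr(fileitem, 'file'):
    return 'Invalid Request'

  # Keep only the last path component (browsers may send a full client path,
  # with either separator) and then require it to match the safe-name
  # pattern.  This closes the directory-traversal hole the old code noted.
  rawName = fileitem.filename or ''
  filename = os.path.basename(rawName.replace('\\', '/'))
  if not SAFE_NAME.match(filename):
    logMsg('UploadFile: rejected filename --->' + repr(rawName))
    return 'Invalid Request'
  fname = os.path.join(filepath, filename)
  logMsg('\nUploadFile: filename --->' + fname)

  # O_EXCL refuses to clobber an existing file of the same name, and does so
  # atomically rather than via a separate exists() check.
  try:
    fd = os.open(fname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
  except OSError as e:
    if e.errno == errno.EEXIST:
      logMsg('UploadFile: file exists --->' + fname)
      return 'Invalid Request'
    raise

  # Stream the upload in chunks and abandon it as soon as the size cap is
  # exceeded, so an oversized body never fills the disk.
  src = fileitem.file
  tooBig = False
  written = 0
  out = os.fdopen(fd, 'wb')
  try:
    while True:
      chunk = src.read(65536)
      if not chunk:
        break
      written += len(chunk)
      if written > MAX_UPLOAD_BYTES:
        tooBig = True
        break
      out.write(chunk)
  finally:
    out.close()
  if tooBig:
    os.remove(fname)
    logMsg('UploadFile: too large, removed --->' + fname)
    return 'Invalid Request'

  return 'OK'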