def create_item():
    """Create an item from form fields and attach any '|||'-separated image URLs.

    ``description`` and ``images`` are optional; every other field must be
    present (an empty string still counts as present). Returns a JSON 400
    error when a required field is missing, otherwise inserts the item and its
    image rows, commits, and returns ``{'status': 'OK'}``.
    """
    form = request.form
    description = form.get('description')
    price = form.get('price')
    product_name = form.get('product_name')
    product_brand = form.get('product_brand')
    supplier = form.get('supplier')
    quantity = form.get('quantity')
    category_id = form.get('category_id')
    seller_ssn = form.get('seller_ssn')
    images = form.get('images')
    required = (price, product_name, product_brand, supplier, quantity,
                category_id, seller_ssn)
    if any(field is None for field in required):
        response = jsonify({'error': 'Not enough parameters'})
        response.status_code = 400
        return response
    db = connection.get_db()
    cursor = db.cursor()
    # Bind parameters carry every request value; id is auto-generated (NULL)
    # and both timestamps come from NOW().
    cursor.execute(
        'INSERT INTO item VALUES (NULL, %s, %s, %s, %s, NOW(), NOW(), %s, %s, %s, %s)',
        [
            description, price, product_name, product_brand, supplier,
            quantity, category_id, seller_ssn
        ])
    item_id = cursor.lastrowid
    if images is not None:
        # Empty segments (e.g. from a trailing separator) are skipped.
        for image_url in filter(None, images.split('|||')):
            cursor.execute('INSERT INTO item_image VALUES (%s, %s)',
                           [item_id, image_url])
    db.commit()
    return jsonify({'status': 'OK'})
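def register():
    """Register a new seller from form fields.

    Inserts the seller row plus one e-mail row and one phone row in a single
    transaction, so a failure in the contact inserts cannot leave a seller
    without contact details (the previous version committed in between). The
    password is stored only as a bcrypt hash.

    Returns ``'OK'`` on success, or ``('Bad request paramaters', 400)`` when
    any field is missing or empty.
    """
    firstname = request.form.get('firstname')
    lastname = request.form.get('lastname')
    username = request.form.get('username')
    password = request.form.get('password')
    email = request.form.get('email')
    phone = request.form.get('phone')
    ssn = request.form.get('ssn')
    description = request.form.get('description')
    if not all((firstname, lastname, username, password, ssn, description,
                phone, email)):
        return 'Bad request paramaters', 400
    db = connection.get_db()
    cursor = db.cursor()
    # NOTE(review): naive local time is written for both timestamps; the
    # schema's expected timezone is not visible here — confirm before changing.
    now = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
    cursor.execute(
        'INSERT INTO seller VALUES (%s, %s, %s, %s, %s, %s, %s, %s)', [
            ssn, firstname, lastname, description, now, now, username,
            password_hash
        ])
    cursor.execute('INSERT INTO seller_email VALUES (%s, %s)', [ssn, email])
    cursor.execute('INSERT INTO seller_phone VALUES (%s, %s)', [ssn, phone])
    # One commit for all three rows: either all land or none do.
    db.commit()
    return 'OK'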
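def login():
    """Authenticate a seller by username/password and return a JWT.

    Looks the seller up by ``username``, checks the submitted password against
    the stored bcrypt hash and, on success, returns a JSON body with an
    ``accessToken`` (HS256, signed with ``JWT_SECRET``) carrying the seller's
    ssn, username, firstname and lastname.

    Returns ``('Bad request paramaters', 400)`` when a field is missing,
    ``('user not found', 404)`` for an unknown username and
    ``('Bad username/password', 400)`` when the password does not match.
    """
    username = request.form.get('username')
    password = request.form.get('password')
    # No debug output here on purpose: the previous version printed the raw
    # password and the request body to stdout, which ends up in logs.
    if not username or not password:
        return 'Bad request paramaters', 400
    db = connection.get_db()
    cursor = db.cursor()
    cursor.execute('SELECT * FROM seller WHERE username = %s', [username])
    row = cursor.fetchone()
    if not row:
        # NOTE(review): the distinct 404 vs 400 below reveals whether a
        # username exists; kept for API compatibility.
        return 'user not found', 404
    user = row_to_dict(cursor.description, row)
    if not bcrypt.checkpw(password.encode(), user['password_hash'].encode()):
        return 'Bad username/password', 400
    # NOTE(review): the token carries no 'exp' claim, so it never expires on
    # its own; confirm with the token consumers before adding one.
    claims = {
        'ssn': user['ssn'],
        'username': user['username'],
        'firstname': user['firstname'],
        'lastname': user['lastname']
    }
    token = jwt.encode(claims, JWT_SECRET, algorithm='HS256')
    return jsonify({'accessToken': token})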
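def edit_item():
    """Update an item's columns from form fields and optionally replace its images.

    ``id`` is required; every other field is optional and only the fields that
    are present are written. ``time_updated`` is always refreshed. When
    ``images`` is given, the item's existing image rows are replaced with the
    '|||'-separated URLs it contains (empty segments are ignored).

    Returns a JSON 400 error when ``id`` is missing, otherwise commits and
    returns ``{'status': 'OK'}``.
    """
    item_id = request.form.get('id')
    if item_id is None:
        response = jsonify({'error': 'Not enough parameters'})
        response.status_code = 400
        return response
    # Column names come from this fixed tuple, never from the request, so they
    # may be spliced into the SQL text; all values go through bind parameters.
    editable = ('description', 'price', 'product_name', 'product_brand',
                'supplier', 'quantity', 'category_id', 'seller_ssn')
    cols = []
    data = []
    for col in editable:
        value = request.form.get(col)
        if value is not None:
            cols.append(col)
            data.append(value)
    images = request.form.get('images')
    db = connection.get_db()
    cursor = db.cursor()
    # Parameterised UPDATE: the values and the id are bound, not interpolated
    # (the previous f-string build was injectable and was also printed).
    # NOTE(review): nothing here checks that the caller owns the item —
    # confirm that is enforced before this handler.
    sql = ('UPDATE item SET time_updated=NOW()'
           + ''.join(', ' + col + '=%s' for col in cols)
           + ' WHERE id = %s')
    cursor.execute(sql, data + [item_id])
    if images is not None:
        cursor.execute('DELETE FROM item_image WHERE item_id = %s', [item_id])
        for image_url in filter(None, images.split('|||')):
            cursor.execute('INSERT INTO item_image VALUES (%s, %s)',
                           [item_id, image_url])
    db.commit()
    return jsonify({'status': 'OK'})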
def get_all_category():
    """Return every category row as a JSON list, or ``('Not found', 404)`` if none exist."""
    cursor = connection.get_db().cursor()
    cursor.execute('SELECT * FROM category')
    category_rows = cursor.fetchall()
    if not category_rows:
        return 'Not found', 404
    return jsonify(rows_to_dict_list(cursor.description, category_rows))
def get_category():
    """Return the category selected by the ``id`` query parameter as JSON.

    Responds ``('Bad request', 400)`` when ``id`` is missing or empty and
    ``('Not found', 404)`` when no row matches.
    """
    category_id = request.args.get('id')
    if not category_id:
        return 'Bad request', 400
    cursor = connection.get_db().cursor()
    # The id is passed as a bind parameter, never spliced into the query text.
    cursor.execute('SELECT * FROM category where id = %s', [category_id])
    category_row = cursor.fetchone()
    if category_row:
        return jsonify(row_to_dict(cursor.description, category_row))
    return 'Not found', 404
def get_item():
    """Return the item selected by the ``id`` query parameter, with its image URLs.

    Responds ``('Bad request', 400)`` when ``id`` is absent and
    ``('Not found', 404)`` when no item matches. The JSON body is the item row
    plus an ``images`` list built from ``item_image.image_url``.
    """
    item_id = request.args.get('id')
    if item_id is None:
        return 'Bad request', 400
    cursor = connection.get_db().cursor()
    cursor.execute('SELECT * FROM item WHERE id = %s', [item_id])
    item_row = cursor.fetchone()
    if item_row is None:
        return 'Not found', 404
    item = row_to_dict(cursor.description, item_row)
    cursor.execute('SELECT image_url FROM item_image WHERE item_id = %s',
                   [item_id])
    # Each image row is a one-column tuple; keep only the URL.
    item['images'] = [image_row[0] for image_row in cursor.fetchall()]
    return jsonify(item)
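def delete_item():
    """Delete the item whose id is given in the request.

    The id is read from the form field ``id``; when that is absent, the raw
    body is split on ``'='`` and the token after ``'id'`` is used (the original
    fallback, kept for compatibility — it only understands a body that splits
    cleanly on ``'='``).

    Returns a JSON 400 error when no id can be found, otherwise commits and
    returns ``{'status': 'OK'}``.
    """
    item_id = request.form.get('id')
    if item_id is None:
        tokens = str(request.data, 'utf-8').split('=')
        try:
            item_id = tokens[tokens.index('id') + 1]
        except (ValueError, IndexError):
            # ValueError: no 'id' token; IndexError: 'id' was the last token.
            # Narrowed from a bare `except:` so unrelated errors still surface.
            response = jsonify({'error': 'Invalid request'})
            response.status_code = 400
            return response
    db = connection.get_db()
    cursor = db.cursor()
    # NOTE(review): no ownership/authorisation check on the item before it is
    # deleted — confirm that is enforced before this handler.
    cursor.execute('DELETE FROM item WHERE id = %s', [item_id])
    db.commit()
    return jsonify({'status': 'OK'})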
def get_seller_items():
    """Return all items of the seller given by the ``ssn`` query parameter.

    Each item in the JSON list carries an ``images`` list of its
    ``item_image.image_url`` values. Responds with a JSON 400 error when
    ``ssn`` is absent; an unknown seller yields an empty list.
    """
    seller_ssn = request.args.get('ssn')
    if seller_ssn is None:
        response = jsonify({'error': 'Invalid request'})
        response.status_code = 400
        return response
    cursor = connection.get_db().cursor()
    cursor.execute('SELECT * FROM item WHERE seller_ssn = %s', [seller_ssn])
    items = rows_to_dict_list(cursor.description, cursor.fetchall())
    # One image query per item (same access pattern as before).
    for item in items:
        cursor.execute('SELECT image_url FROM item_image WHERE item_id = %s',
                       [item['id']])
        image_rows = cursor.fetchall()
        item['images'] = [image_row[0] for image_row in image_rows]
    return jsonify(items)
def get_sellers():
    """Return every seller row as a JSON list.

    NOTE(review): ``SELECT *`` returns every seller column; from login() the
    table includes ``password_hash`` and ``ssn`` — confirm this endpoint is
    meant to expose them.
    """
    cursor = connection.get_db().cursor()
    cursor.execute('SELECT * FROM seller')
    seller_rows = cursor.fetchall()
    return jsonify(rows_to_dict_list(cursor.description, seller_rows))
def test_db_handler():
    """Report whether the shared database connection is currently connected."""
    connected = connection.get_db().is_connected()
    return 'Database connected' if connected else 'Cannot connect to database'