Ejemplo n.º 1
0
def change_parent(node, new_parent):
    with AbstractDatabaseConnection('amazingco.db') as conn:
        # archiving the old parent-descendant pair
        sql_statement = "UPDATE node SET is_current = 0 WHERE name = '{}' AND is_current = 1;".format(
            node)
        cursor = conn.cursor()
        cursor.execute(sql_statement)
        # gather info about new parent node (root node, height)
        new_parent_statement = "SELECT root_name, height FROM node WHERE name = '{}'".format(
            new_parent)
        cursor = conn.cursor()
        qresult = cursor.execute(new_parent_statement)
        if (qresult):
            for r in cursor.fetchall():
                root_node = r[0]
                new_height = int(r[1]) + 1
                # insert new parent-descentdant node pair
                insert_statement = "INSERT INTO node(name, parent_name, root_name, height) VALUES ('{}', '{}', '{}', {})".format(
                    node, new_parent, root_node, new_height)
                cursor = conn.cursor()
                cursor.execute(insert_statement)
                conn.commit()
                return True
        else:
            return False
Ejemplo n.º 2
0
Archivo: api.py Proyecto: mdulin2/SMC2
def session():
    """
	Checks for a valid session. 
	If the session is valid, a flag is returned. 
	Otherwise, return a 404. 
	
	Parameters: None 
	Expects a session token set as a cookie. 
	"""
    with AbstractDatabaseConnection('login.db') as conn:
        cursor = conn.cursor()
        session = request.cookies.get('session')
        if (session == None):
            return build_result([], 403)

        # Checks to see if this is a valid session
        cursor.execute("""
		SELECT * 
		FROM session as s
		WHERE s.session = '%s'
		""" % (session))

        # If the session is valid, then keep going.
        # Otherwise, exit.
        if (len(cursor.fetchall()) == 0):
            return build_result("False :(", 400)

        return build_result("flg{sqli_is_lit!}", 200)
Ejemplo n.º 3
0
def delete_tables():

	with AbstractDatabaseConnection('library.db') as conn:
		cursor = conn.cursor()
		cursor.execute("""DROP TABLE IF EXISTS author""")
		cursor.execute("""DROP TABLE IF EXISTS books""")
		cursor.execute("""DROP TABLE IF EXISTS library""")
		cursor.execute("""DROP TABLE IF EXISTS secret""")
		conn.commit()
Ejemplo n.º 4
0
def seed():
    """
    Insert sample data to tables in the database.
    """
    with AbstractDatabaseConnection('library.db') as conn:
        cursor = conn.cursor()
        for ins in insert_statements:
            cursor.execute(insert_statements[ins])
        conn.commit()
Ejemplo n.º 5
0
def create_tables():
    """
    Creates all tables in the database.
    """
    with AbstractDatabaseConnection('library.db') as conn:
        cursor = conn.cursor()
        for cs in create_statements:
            cursor.execute(create_statements[cs])
        conn.commit()
Ejemplo n.º 6
0
Archivo: api.py Proyecto: mdulin2/SMC2
def get_library():
    """
    Gets all library information and further information

    Returns:
        Response message with HTTP code.
    """
    with AbstractDatabaseConnection('library.db') as conn:
        cursor = conn.cursor()
        cursor.execute("SELECT * FROM library where book_id = 1")
        result = cursor.fetchall()
        return build_result(result, 200)
Ejemplo n.º 7
0
Archivo: api.py Proyecto: mdulin2/SMC2
def get_books():
    """
    Gets all books and further information

    Returns:
        Response message with HTTP code.
    """
    with AbstractDatabaseConnection('library.db') as conn:
        cursor = conn.cursor()
        cursor.execute("SELECT * FROM books")
        # Build into a comma delimited string.
        result = cursor.fetchall()
        return build_result(result, 200)
Ejemplo n.º 8
0
Archivo: api.py Proyecto: mdulin2/SMC2
def login_call():
    """
	Does the login process
	If valid login, a cookie is set for the session 
	Otherwise,
	
	Parameters: Username, Password 
	Returns:
		Response message with HTTP code.
	"""
    with AbstractDatabaseConnection('login.db') as conn:
        cursor = conn.cursor()

        username = request.args.get('username')
        password = request.args.get('password')

        # Check for the login in a secure way :)
        # This is where the vulnerability is at.
        query = """
		SELECT * 
		FROM login 
		WHERE username = '******' 
		  AND password = '******'; 
		""" % (username, password)

        # Catches all errors and prints the query out.
        try:
            cursor.execute(query)
        except:
            return build_result("Error...Query" + query.replace('\n', ''),
                                400), 400

        # Handles the authorization; correct versus incorrect.
        result = cursor.fetchall()
        if (len(result) == 0):
            return build_result("Wrong!...Query: " + query, 403), 403
        else:

            # Get a safe and secure token for the session
            session = secrets.token_urlsafe(120)

            # Set the session
            cursor.execute("""
			INSERT INTO session(session)
			VALUES ('%s')
			""" % session)
            conn.commit()

            return build_result("flg{sqli_is_super_fun!}", 200), 200
Ejemplo n.º 9
0
Archivo: api.py Proyecto: mdulin2/SMC2
def books_by_author():
    """
    Gets all the books by a given author. 
	Takes a parameter: "name" as input

    Returns:
        Response message with HTTP code.
    """

    with AbstractDatabaseConnection('library.db') as conn:
        cursor = conn.cursor()
        cursor.execute("""
        SELECT b.title
        FROM author as a, books as b
		WHERE a.author_id = b.author_id AND a.name = '%s'
        """ % request.args.get('name'))

        result = cursor.fetchall()
        return build_result(result, 200)
Ejemplo n.º 10
0
def get_descendant(parent_node):
    """
    Get a row from the specified table with given row id.

    Args:
        table_name: a valid table in the database.
        row_id: a valid row of said table.
    Returns:
        A row from the database.
    """
    with AbstractDatabaseConnection('amazingco.db') as conn:
        column = "parent_name"
        sql_statement = "SELECT name FROM node WHERE {} = '{}' AND is_current = 1;".format(
            column, parent_node)
        cursor = conn.cursor()
        rows_count = cursor.execute(sql_statement)
        if (rows_count):
            result = ', '.join([r[0] for r in cursor.fetchall()])
            return result
        else:
            return None
Ejemplo n.º 11
0
Archivo: api.py Proyecto: mdulin2/SMC2
def checkin_book():
    """
    Given a books serial number, check out the book.
	Takes a parameter: "book_id" as input
    Returns:
        Response message with HTTP code.
    """
    with AbstractDatabaseConnection('library.db') as conn:
        cursor = conn.cursor()
        cursor.execute("""
        UPDATE library 
        SET 
            checked_out = 0
        WHERE 
            book_id = %s
        """ % request.args.get('book_id'))

        # Build into a comma delimited string.
        conn.commit()
        result = cursor.fetchall()
        return build_result(result, 200)
Ejemplo n.º 12
0
def test():
	with AbstractDatabaseConnection('library.db') as conn:
		cursor = conn.cursor()
		conn.commit()
		cursor.execute("""UPDATE library SET checked_out = 1 WHERE book_id = 1;""") 
Ejemplo n.º 13
0
def delete_tables():

	with AbstractDatabaseConnection('login.db') as conn:
		cursor = conn.cursor()
		cursor.execute("""DROP TABLE login""")
		conn.commit()