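def create_venue_comment(venue_shortname):
    """Record a user's star rating, and optionally a comment, for a venue.

    Reads ``venueid``, ``ratingval``, ``commentFname`` and ``commentText``
    from ``request.form``. The two numeric fields are parsed to ``int`` up
    front and those parsed values (never the raw form strings) are what is
    handed to the db layer and used to build the cookie name.

    Returns a JSON string ``{"status": "ERR", "errmsg": ...}`` when the
    rating is missing/non-numeric or no star was selected, a response
    carrying ``{"status": "OK"}`` plus a ``user-rated-<venueid>`` cookie on
    a successful insert, or ``{"status": "ERR"}`` when the insert reports
    failure.
    """
    venue_shortname = super_sanitize_str(venue_shortname)

    # Sanitize the free-text fields and the browser header first; the text
    # fields are additionally escaped right before they are stored.
    comment_fname = sanitize_str(request.form['commentFname'])
    comment_text = sanitize_str(request.form['commentText'])
    userbrowser = sanitize_str(request.headers.get("User-Agent"))

    try:
        # Parse once and keep the ints: every later use (db calls, cookie
        # name, tweet payload) goes through these, so a non-numeric value
        # can never reach the database layer.
        venue_id = int(request.form['venueid'])
        rating_val = int(request.form['ratingval'])
    except (KeyError, ValueError, TypeError) as e:
        # KeyError covers a missing field (Flask's BadRequestKeyError is a
        # KeyError subclass); ValueError/TypeError cover non-integer input.
        applog.critical("SECURITY: Potential sql injection attemp. Unexpected type received when trying to insert rating value")
        applog.critical("SECURITY: Exception: %s" % str(e))
        return json.dumps({"status": "ERR",
                           "errmsg": "Whoa! We got a weird value. Admins have been notified."})

    # TODO: Instead of checking just 0, need to check all rating types
    if rating_val == 0:
        return json.dumps({"status": "ERR", "errmsg": "Please select a star!"})

    # Attempt insert. The emptiness check is made on the sanitized text,
    # which is also what gets stored, so a comment that sanitizes down to
    # nothing is recorded as a plain rating rather than an empty comment.
    if comment_text.strip():
        result = db.insert_venue_user_rating_w_comment(venue_id,
                                                       rating_val,
                                                       escape_str(comment_text),
                                                       userfname=escape_str(comment_fname),
                                                       userip=request.remote_addr,
                                                       userbrowser=userbrowser)
    else:
        result = db.insert_venue_user_rating(venue_id,
                                             rating_val,
                                             userip=request.remote_addr,
                                             userbrowser=userbrowser)

    if not result:
        return json.dumps({"status": "ERR"})

    if appconf.autotweet:
        # ratingval is queued as a string, as before, but now the
        # canonical form of the validated int.
        tweet = {"f_name": comment_fname,
                 "ratingval": str(rating_val),
                 "text": comment_text,
                 "venue_shortname": venue_shortname}
        applog.debug("Queueing Tweet: %s" % tweet)
        tweetQueue.put(tweet)

    resp = make_response(json.dumps({"status": "OK"}))
    # Cookie name is built from the parsed int, not the raw form value.
    resp.set_cookie('user-rated-%s' % venue_id, "true")
    return resp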
def contact():
    """Render the contact form and, on POST, validate and store the feedback.

    Any non-POST request just renders ``contact.html`` with the known
    feedback types. On POST three form fields are checked:

    * ``feedbacktypcd`` must equal the ``feedbacktypcd`` of one entry in
      ``db.feedback_types`` (after ``super_sanitize_str``); a mismatch is
      logged at critical level.
    * ``userFeedbackText`` must not be blank after stripping.
    * ``userEmail`` is optional; when present it must contain ``@`` and
      ``.`` and be at most 200 characters (longer values are cut to 200
      before being echoed back to the template).

    On any error the form is re-rendered with the submitted values and the
    per-field messages. Otherwise the feedback is inserted (text cut to
    1999 characters) and the template receives ``insert_success`` or
    ``insert_failure`` depending on the db return value.
    """
    if request.method != 'POST':
        return render_template('contact.html', feedback_types=db.feedback_types)

    # -- feedback type code: must be one of the codes the db knows -------
    feedbacktypcd = super_sanitize_str(request.form["feedbacktypcd"])
    type_is_known = any(typ['feedbacktypcd'] == feedbacktypcd
                        for typ in db.feedback_types)
    feedbacktypcd_errmsg = None
    if not type_is_known:
        feedbacktypcd_errmsg = "Invalid type passed. Admins have been notified."
        applog.critical("Possible SQL Injection attack. Invalid value: %s passed to contact form" %
                        feedbacktypcd)

    # -- feedback text: required ---------------------------------------
    userFeedbackText = sanitize_str(request.form["userFeedbackText"])
    userFeedbackText_errmsg = None
    if not userFeedbackText.strip():
        userFeedbackText_errmsg = "You forgot to provide us with some feedback!"

    # -- email: optional, loosely checked ------------------------------
    userEmail = sanitize_str(request.form["userEmail"])
    userEmail_errmsg = None
    # TODO: Validate email
    if userEmail.strip():
        if "@" not in userEmail or "." not in userEmail:
            userEmail_errmsg = "Invalid email format"
        elif len(userEmail) > 200:
            # Cut the echoed value so the template is not repopulated with
            # a huge string on every round trip (a cheap DoS guard).
            userEmail = userEmail[:200]
            userEmail_errmsg = "Whoa! Way too long of an email. Max 200 chars."

    if feedbacktypcd_errmsg or userFeedbackText_errmsg or userEmail_errmsg:
        applog.debug("Error inserting feedback")
        return render_template('contact.html',
                               feedback_types=db.feedback_types,
                               userEmail=userEmail,
                               userEmail_errmsg=userEmail_errmsg,
                               userFeedbackText=userFeedbackText,
                               userFeedbackText_errmsg=userFeedbackText_errmsg,
                               feedbacktypcd=feedbacktypcd,
                               feedbacktypcd_errmsg=feedbacktypcd_errmsg)

    applog.debug("Inserting Feedback")
    result = db.insert_feedback(feedbacktypcd, userFeedbackText[0:1999], userEmail)
    if result == 0:
        applog.critical("Unable to insert feedback. db.insert_feedback call returned 0")
        return render_template('contact.html',
                               feedback_types=db.feedback_types,
                               userEmail=userEmail,
                               userFeedbackText=userFeedbackText,
                               feedbacktypcd=feedbacktypcd,
                               insert_failure=True)

    applog.debug("Feedback inserted successfully")
    return render_template('contact.html',
                           feedback_types=db.feedback_types,
                           insert_success=True)