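def index(req):
  """Store a feed id in one of the caller's seven preference slots.

  Form fields read: ``sid`` (session token), ``feed_ordinal`` (0-based slot,
  0..6) and ``feed_id`` (numeric data source id to store in that slot).

  Returns ``'Invalid Article Number'`` for a missing or out-of-range ordinal,
  ``'Invalid Request'`` for an unknown session or a non-numeric feed id,
  and ``'OK'`` once the row has been committed.
  """
  sid = req.form.getfirst('sid', '')
  feedOrdinal = req.form.getfirst('feed_ordinal', '')
  feedId = req.form.getfirst('feed_id', '')

  # int() raises on an empty or non-numeric field; answer with the normal
  # error string instead of letting the traceback reach the client.
  try:
    feedOrdinal = int(feedOrdinal)
  except ValueError:
    return 'Invalid Article Number'
  if feedOrdinal < 0 or feedOrdinal > 6:
    return 'Invalid Article Number'

  # feed_id was placed unquoted in the UPDATE, i.e. it is meant to be a
  # number; reject anything else before it gets near the statement.
  try:
    feedId = int(feedId)
  except ValueError:
    return 'Invalid Request'

  # Column names are feed1..feed7. The ordinal has been range-checked, so
  # this identifier is built from a trusted value only.
  fieldName = 'feed' + str(feedOrdinal + 1)

  # connect to database
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  cursor = db.cursor()

  # The session token is a bound parameter, never part of the SQL text.
  cursor.execute("SELECT user_id FROM session WHERE session = %s", (sid,))
  result = cursor.fetchone()
  if not result:
    logMsg('Logout, SID NOT FOUND --->' + sid)
    return 'Invalid Request'

  # valid sid
  userId = result[0]
  # Only the (trusted) column name is formatted into the template; the
  # values are bound at execute time, which is why the placeholders are
  # written as %%s here.
  sql = "UPDATE user_prefs SET %s = %%s WHERE user = %%s" % (fieldName,)
  logMsg(sql)
  cursor.execute(sql, (feedId, userId))
  db.commit()

  return 'OK'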
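def index(req):
  """Authenticate a user by email and password and hand back a session id.

  Form fields read: ``email`` and ``pw``.

  Returns the message from ``validateInputData(req)`` when the form data is
  rejected, ``'Error - Invalid Login!'`` when no user row matches, and
  ``"OK|<sid>|<display name>"`` on success, reusing the user's active
  session when one exists and creating one otherwise.
  """
  email = req.form.getfirst('email', '')
  password = req.form.getfirst('pw', '')

  returnString = validateInputData(req)
  if returnString != '':
    return returnString

  # we know we have valid data at this point.

  # connect to database
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  cursor = db.cursor()

  # Both values are bound parameters. The listing this came from formatted
  # the email (escaped) and the password (masked in the listing) straight
  # into the statement text, which is an injection vector.
  # NOTE(review): the submitted password is compared verbatim with the
  # stored column; confirm how the user table stores it before relying on
  # this check.
  cursor.execute(
    "SELECT id, display_name FROM user WHERE email = %s AND password = %s",
    (email, password))
  result = cursor.fetchone()
  if not result:
    return 'Error - Invalid Login!'

  userId = result[0]
  displayName = result[1]
  # valid login, we have display name: first see if this user already has
  # an active session and if so use it, otherwise create a new one
  session = getSidForUserName(cursor, displayName)
  if session == '':
    session = createSessionForUserName(db, cursor, displayName, userId)

  return "OK|%s|%s" % (session, displayName)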
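def index(req):
  """Insert a new data_source row from the submitted form.

  Form fields read: ``name``, ``type``, ``url``, ``category``, ``author``
  and ``image_name``; the names double as column names (a prototyping
  shortcut that avoids a translation table).

  Returns the message from ``validateInputData(req)`` when the form is
  rejected, otherwise ``"Id:<new row id>"``.
  """
  # these are the field names I expect from the form.
  formFields = ['name', 'type', 'url', 'category', 'author', 'image_name']

  # TODO: the creator is still hard-coded; the session id is validated by
  # validateInputData but the matching user id is not returned from there.
  userId = 1

  returnString = validateInputData(req)
  if returnString != '':
    return returnString

  # we know we have valid data at this point.

  # escape() is kept so the stored text is display-safe, but it is HTML
  # escaping, not SQL escaping: every value below is a bound parameter and
  # only the fixed column list is placed in the statement text.
  values = [escape(req.form.getfirst(field, '')) for field in formFields]

  columns = formFields + ['image_path', 'created_by', 'created_date', 'last_updated_by', 'last_updated_date']
  # one %s per bound value; created_date / last_updated_date are NOW()
  placeholders = ['%s'] * len(formFields) + ['%s', '%s', 'NOW()', '%s', 'NOW()']
  finalSql = "INSERT INTO data_source (%s) VALUES (%s)" % (", ".join(columns), ", ".join(placeholders))
  params = values + ['user_photos/', userId, userId]

  #logMsg(finalSql)

  # connect to database
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))

  cursor = db.cursor()
  cursor.execute(finalSql, params)
  db.commit()
  data_source_id = cursor.lastrowid
  return "Id:%s" % (data_source_id)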
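def index(req):
  """Return the caller's ordered feed list as a JavaScript assignment.

  Form field read: ``sid`` (session token).

  Looks up ``user_prefs.feed1..feed7`` for the session; when no row matches
  the seven slots default to data_source ids 1..7. The result is the text
  ``userPrefDataSources = <array>;`` where each populated slot holds
  ``{<feed id>: {feedName, feedType, feedUrl, feedCategory, feedAuthor,
  feedImageName, feedImagePath}}`` and untouched slots keep their 1-based
  placeholder number.
  """
  import json

  sessionId = req.form.getfirst('sid', '')

  #logMsg('get prefs called for sid ' + sessionId);

  # connect to database
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  cursor = db.cursor()

  # could get everything with a fancy join but will take a shortcut here;
  # the session token is a bound parameter rather than formatted into the
  # statement text
  cursor.execute(
    "SELECT up.feed1, up.feed2, up.feed3, up.feed4, up.feed5, up.feed6, up.feed7 "
    "FROM user_prefs up JOIN session s ON (s.user_id = up.user) WHERE s.session = %s",
    (sessionId,))
  result = cursor.fetchone()
  if not result:
    # no preferences (or unknown session): fall back to the first seven
    orderArray = ['1', '2', '3', '4', '5', '6', '7']
  else:
    orderArray = list(result[:7])

  # one bound placeholder per slot replaces the formatted IN (...) literal
  placeholders = ", ".join(['%s'] * len(orderArray))
  sql = ("SELECT ds.id, ds.name, ds.type, ds.url, c.name, ds.author, ds.image_name, ds.image_path "
         "FROM data_source ds JOIN category c ON (ds.category = c.id) WHERE ds.id IN (" + placeholders + ")")
  cursor.execute(sql, tuple(orderArray))

  orderedResults = [1, 2, 3, 4, 5, 6, 7]
  for row in cursor.fetchall():
    feedId = str(row[0])
    feedObj = {feedId: {'feedName': row[1], 'feedType': str(row[2]), 'feedUrl': row[3], 'feedCategory': row[4], 'feedAuthor': row[5], 'feedImageName': row[6], 'feedImagePath': row[7]}}
    # getOrdinalForFeedId is defined elsewhere; presumably it yields indexes
    # into orderArray, so a bad value must not raise IndexError here
    for offset in getOrdinalForFeedId(feedId, orderArray):
      if 0 <= offset < len(orderedResults):
        orderedResults[offset] = feedObj

  # json.dumps emits a valid JS literal and escapes quotes and newlines in
  # the column values, which str() on the list did not; default=str keeps
  # the original str() coercion for any non-string column type.
  returnString = "userPrefDataSources = " + json.dumps(orderedResults, default=str) + ";"

  #logMsg('get prefs returns --->' + returnString);

  return returnString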
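def index(req):
  """Log the caller out by deleting the session row for ``sid``.

  Form field read: ``sid`` (session token). An unknown token is only
  logged; the response is ``'OK'`` either way.
  """
  sid = req.form.getfirst('sid', '')

  # connect to database
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  cursor = db.cursor()

  # The token is a bound parameter; the driver handles quoting, so the
  # explicit escape_string() call is no longer needed.
  cursor.execute("SELECT id FROM session WHERE session = %s", (sid,))
  result = cursor.fetchone()
  if result:
    # valid sid: delete by primary key, again as a bound value
    cursor.execute("DELETE FROM session WHERE id = %s", (result[0],))
    db.commit()
    logMsg('Logout, SID Removed --->' + sid)
  else:
    logMsg('Logout, SID NOT FOUND --->' + sid)

  return 'OK'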
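def index(req):
  """Store an uploaded image for a logged-in user.

  Form fields read: ``sid`` (session token) and ``file`` (multipart file
  field).

  Returns ``'Invalid SID'`` for an unknown session, ``'Invalid Request'``
  when the upload is missing, has an unusable name, exceeds the size cap or
  a file of that name already exists, and ``'OK'`` once written.
  """
  import os

  sid = req.form.getfirst('sid', '')

  # connect to database
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  cursor = db.cursor()

  # The session check is enforced (the listing had it disabled with
  # `if True:`); the token is a bound parameter.
  cursor.execute("SELECT user_id FROM session WHERE session = %s", (sid,))
  result = cursor.fetchone()
  if not result:
    logMsg('UploadFile, SID NOT FOUND --->' + sid)
    return 'Invalid SID'

  filepath = "/home/ken/sites/meyenews/user_photos/"
  # Upper bound for one upload; constructed value, tune for the deployment.
  MAX_UPLOAD_BYTES = 5 * 1024 * 1024

  # A nested Field object holds the file; req.form['file'] raises KeyError
  # when the field was not submitted.
  try:
    fileitem = req.form['file']
  except KeyError:
    return 'Invalid Request'

  # Keep only the base name so a client-supplied '../' or absolute path
  # cannot place the file outside filepath.
  filename = os.path.basename(getattr(fileitem, 'filename', '') or '')
  if filename in ('', '.', '..'):
    return 'Invalid Request'

  fname = os.path.join(filepath, filename)
  logMsg('\nUploadFile: filename --->' + fname)

  # Read at most one byte past the cap: a longer upload is rejected before
  # anything is written. The listing read from `file` (the form string)
  # rather than the Field object, which could not work.
  data = fileitem.file.read(MAX_UPLOAD_BYTES + 1)
  if len(data) > MAX_UPLOAD_BYTES:
    return 'Invalid Request'

  # O_EXCL makes "already exists" an atomic check at create time instead of
  # a separate exists() test that could race with another upload.
  try:
    fd = os.open(fname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
  except OSError:
    return 'Invalid Request'
  with os.fdopen(fd, 'wb') as out:
    out.write(data)

  return 'OK'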
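def index(req):
  """Return every data source as a JavaScript object-literal assignment.

  No form data is used. Produces the text
  ``globalDataSources = {"<id>": {feedName, feedType, feedUrl,
  feedCategory, feedAuthor, feedImageName, feedImagePath}, ...};`` keyed by
  data_source id, in the order the rows come back from the query.
  """
  import json
  from collections import OrderedDict

  # connect to database
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))

  cursor = db.cursor()
  sql = "SELECT ds.id, ds.name, ds.type, ds.url, c.name, ds.author, ds.image_name, ds.image_path FROM data_source ds JOIN category c ON (ds.category = c.id)"
  cursor.execute(sql)

  # OrderedDict keeps row order on every interpreter version; every column
  # is coerced with str(), exactly as the old '%s' formatting did.
  sources = OrderedDict()
  for row in cursor.fetchall():
    sources[str(row[0])] = OrderedDict([
      ('feedName', str(row[1])),
      ('feedType', str(row[2])),
      ('feedUrl', str(row[3])),
      ('feedCategory', str(row[4])),
      ('feedAuthor', str(row[5])),
      ('feedImageName', str(row[6])),
      ('feedImagePath', str(row[7])),
    ])

  # json.dumps yields a valid JS literal and escapes quotes and newlines in
  # the values; the hand-built string broke (or could inject script) on a
  # quote inside any column.
  returnString = "globalDataSources = " + json.dumps(sources) + ";"

  #logMsg(returnString);

  return returnString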
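def validateInputData(req):
  """Validate the create-data-source form; return '' when it passes.

  Form fields read: ``sid``, ``name``, ``url`` and ``category``.

  Syntactic checks run first (minimum lengths), then the database is
  consulted for the semantic ones: the category must exist, the name must
  be unique within the category, the session must resolve to a user and
  the name + url pair must be unique overall. Each failure returns its
  ``'Error - ...'`` message; success returns the empty string.
  """
  # TODO type is valid across domain table

  # non-db type validations - input data values

  # verify we have a valid user ID
  sessionId = req.form.getfirst('sid', '')
  if len(sessionId) < 5:
    return 'Error - invalid session'

  name = req.form.getfirst('name', '')
  if len(name) < 2:
    return 'Error - invalid name'

  url = req.form.getfirst('url', '')
  if len(url) < 2:
    return 'Error - invalid url'

  category = req.form.getfirst('category', '')

  # all input data is valid so now we need to do some semantic validation.
  # Every form value below is passed as a bound parameter; none of them is
  # formatted into the statement text.
  db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'), user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
  cursor = db.cursor()

  # first make sure category exists
  cursor.execute("SELECT id FROM category WHERE id = %s", (category,))
  if not cursor.fetchone():
    return 'Error - invalid category'

  # next make sure this is the only feed by this name for this category
  cursor.execute("SELECT id FROM data_source WHERE name = %s AND category = %s", (name, category))
  if cursor.fetchone():
    return 'Error - a data source by this name already exists in this category'

  # the session must belong to a known user
  cursor.execute("SELECT user_id FROM session WHERE session = %s", (sessionId,))
  if not cursor.fetchone():
    return 'Error - invalid user'

  # finally make sure this name + url are unique
  cursor.execute("SELECT category FROM data_source WHERE name = %s AND url = %s", (name, url))
  result = cursor.fetchone()
  if result:
    return 'Error - a data source with this name and url already exists in category:' + str(result[0])

  # otherwise request passes validation
  return ''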