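def create_venue_comment(venue_shortname):
    """Store a star rating (optionally with a comment) for a venue; return a JSON status.

    Form fields read: ``venueid`` and ``ratingval`` (must parse as integers),
    ``commentFname`` and ``commentText`` (free text, passed through ``sanitize_str``).
    ``venue_shortname`` comes from the URL and is only used for the optional tweet.

    Returns ``{"status": "OK"}`` (plus a ``user-rated-<venueid>`` cookie) on success,
    ``{"status": "ERR", "errmsg": ...}`` when the numeric fields are missing/invalid
    or no star was selected, and ``{"status": "ERR"}`` when the insert failed.
    A missing ``commentFname``/``commentText`` field is left to Flask (400).
    """
    venue_shortname = super_sanitize_str(venue_shortname)

    # Sanitize the free-text fields up front.
    request_commentFname = sanitize_str(request.form['commentFname'])
    request_commentText = sanitize_str(request.form['commentText'])
    # The User-Agent header may be absent; never hand None to the sanitizer.
    userbrowser = sanitize_str(request.headers.get("User-Agent", ""))

    # Parse the numeric fields ONCE and use the parsed ints everywhere below.
    # Previously int() was only *tested* and the raw form strings were then
    # forwarded to the DB layer and into the cookie name; forwarding the parsed
    # value guarantees the DB never sees anything but an integer, however the
    # query is built.  .get() turns a missing field into None -> TypeError.
    try:
        venueid = int(request.form.get('venueid'))
        ratingval = int(request.form.get('ratingval'))
    except (TypeError, ValueError) as e:
        applog.critical("SECURITY: Potential sql injection attemp. Unexpected type received when trying to insert rating value")
        applog.critical("SECURITY: Exception: %s" % str(e))
        ratingval_errmsg = "Whoa! We got a weird value. Admins have been notified."
        return json.dumps({"status": "ERR", "errmsg": ratingval_errmsg})

    # TODO: Instead of checking just 0, need to check all rating types
    # (negative or out-of-range values are currently accepted as-is).
    if ratingval == 0:
        ratingval_errmsg = "Please select a star!"
        return json.dumps({"status": "ERR", "errmsg": ratingval_errmsg})

    # Attempt insert.  Decide on the *sanitized* text so a comment that sanitizes
    # down to nothing is stored as a bare rating rather than an empty comment.
    # NOTE(review): escape_str() at the call site suggests the db layer builds
    # SQL by string interpolation — parameterized queries would be the real fix;
    # confirm against db.insert_venue_user_rating_w_comment.
    if request_commentText.strip():
        result = db.insert_venue_user_rating_w_comment(
            venueid,
            ratingval,
            escape_str(request_commentText),
            userfname=escape_str(request_commentFname),
            # NOTE(review): behind a reverse proxy remote_addr is the proxy's
            # address unless ProxyFix (or equivalent) is configured — confirm.
            userip=request.remote_addr,
            userbrowser=userbrowser)
    else:
        result = db.insert_venue_user_rating(
            venueid,
            ratingval,
            userip=request.remote_addr,
            userbrowser=userbrowser)

    if not result:
        return json.dumps({"status": "ERR"})

    if appconf.autotweet:
        # str() keeps the queued type identical to the previous raw form value.
        tweet = {"f_name": request_commentFname,
                 "ratingval": str(ratingval),
                 "text": request_commentText,
                 "venue_shortname": venue_shortname}
        applog.debug("Queueing Tweet: %s" % tweet)
        tweetQueue.put(tweet)

    resp = make_response(json.dumps({"status": "OK"}))
    # Client-side "already rated" hint only: it is trivially forgeable and must
    # not be relied on to prevent duplicate ratings.
    resp.set_cookie('user-rated-%s' % venueid, "true")
    return resp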
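def _validate_contact_email(userEmail):
    """Return ``(email, errmsg)`` for the optional contact-form email field.

    A blank value is allowed and yields ``("", None)``.  Over-long input is cut
    to 200 chars *before* anything else so the value echoed back into the
    template stays bounded (cheap DoS avoidance).  The format check is
    deliberately minimal — a non-empty local part and a dotted domain — a full
    RFC 5322 check is out of scope here.
    """
    userEmail = userEmail.strip()
    if not userEmail:
        return userEmail, None
    if len(userEmail) > 200:
        return userEmail[0:200], "Whoa! Way too long of an email. Max 200 chars."
    local, sep, domain = userEmail.rpartition("@")
    if not sep or not local or "." not in domain:
        return userEmail, "Invalid email format"
    return userEmail, None


def contact():
    """Render the contact form (GET) or validate and store submitted feedback (POST).

    POST fields: ``feedbacktypcd`` (must match one of ``db.feedback_types``),
    ``userFeedbackText`` (required; stored truncated to 1999 chars) and
    ``userEmail`` (optional; max 200 chars).  On a validation error the form is
    re-rendered with per-field messages and the sanitized values echoed back;
    otherwise the feedback is inserted and a success/failure template rendered.
    """
    if request.method != 'POST':
        return render_template('contact.html', feedback_types=db.feedback_types)

    # Verify feedbacktypcd against the allow-list of known codes; anything else
    # is logged as probing and never reaches the DB.  The value is logged only
    # after super_sanitize_str(), which is what keeps the log line safe.
    feedbacktypcd = super_sanitize_str(request.form["feedbacktypcd"])
    feedbacktypcd_errmsg = None
    if not any(typ['feedbacktypcd'] == feedbacktypcd for typ in db.feedback_types):
        feedbacktypcd_errmsg = "Invalid type passed. Admins have been notified."
        applog.critical("Possible SQL Injection attack. Invalid value: %s passed to contact form" % feedbacktypcd)

    # Verify userFeedbackText (required).
    userFeedbackText = sanitize_str(request.form["userFeedbackText"])
    userFeedbackText_errmsg = None
    if not userFeedbackText.strip():
        userFeedbackText_errmsg = "You forgot to provide us with some feedback!"

    # Verify userEmail (optional).
    userEmail, userEmail_errmsg = _validate_contact_email(sanitize_str(request.form["userEmail"]))

    if feedbacktypcd_errmsg or userFeedbackText_errmsg or userEmail_errmsg:
        applog.debug("Error inserting feedback")
        return render_template('contact.html',
                               feedback_types=db.feedback_types,
                               userEmail=userEmail,
                               userEmail_errmsg=userEmail_errmsg,
                               userFeedbackText=userFeedbackText,
                               userFeedbackText_errmsg=userFeedbackText_errmsg,
                               feedbacktypcd=feedbacktypcd,
                               feedbacktypcd_errmsg=feedbacktypcd_errmsg)

    applog.debug("Inserting Feedback")
    # NOTE(review): unlike create_venue_comment this path does not escape_str()
    # the text before the insert — confirm db.insert_feedback parameterizes its
    # query (or escapes internally) rather than interpolating.  The 1999-char
    # cut presumably matches the column width; the template gets the full text.
    result = db.insert_feedback(feedbacktypcd, userFeedbackText[0:1999], userEmail)
    if result != 0:
        applog.debug("Feedback inserted successfully")
        return render_template('contact.html', feedback_types=db.feedback_types, insert_success=True)

    applog.critical("Unable to insert feedback. db.insert_feedback call returned 0")
    return render_template('contact.html',
                           feedback_types=db.feedback_types,
                           userEmail=userEmail,
                           userFeedbackText=userFeedbackText,
                           feedbacktypcd=feedbacktypcd,
                           insert_failure=True)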