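def index(req):
    """Store the data source chosen for one slot of the caller's feed preferences.

    Form fields: ``sid`` (session token), ``feed_ordinal`` (0-6, the slot
    being changed) and ``feed_id`` (the data_source id to place in it).
    Returns 'OK' on success, 'Invalid Article Number' when the ordinal is
    not an integer in 0..6, and 'Invalid Request' when the feed id is not
    an integer or the session token is unknown.
    """
    sid = req.form.getfirst('sid', '')
    feedOrdinal = req.form.getfirst('feed_ordinal', '')
    feedId = req.form.getfirst('feed_id', '')
    # Both numbers are client-supplied: parse defensively instead of letting
    # int() raise out of the handler, and range-check the slot index.
    try:
        feedOrdinal = int(feedOrdinal)
    except (TypeError, ValueError):
        return 'Invalid Article Number'
    if feedOrdinal < 0 or feedOrdinal > 6:
        return 'Invalid Article Number'
    try:
        feedId = int(feedId)
    except (TypeError, ValueError):
        return 'Invalid Request'
    # A column name cannot be bound as a query parameter; building it from
    # feedOrdinal is safe only because the value was range-checked above.
    fieldName = 'feed' + str(feedOrdinal + 1)
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        cursor.execute("SELECT user_id FROM session WHERE session = %s", (sid,))
        result = cursor.fetchone()
        if not result:
            logMsg('Logout, SID NOT FOUND --->' + sid)
            return 'Invalid Request'
        userId = result[0]
        # feed_id used to be pasted into the statement text; binding it
        # through the driver means a crafted value can no longer alter the
        # UPDATE. The logged text is now the template, not the values.
        sql = "UPDATE user_prefs SET %s = %%s WHERE user = %%s" % fieldName
        logMsg(sql)
        cursor.execute(sql, (feedId, userId))
        db.commit()
    finally:
        db.close()
    return 'OK'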
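def index(req):
    """Log a user in and return a session token.

    Reads ``email`` and ``pw`` from the form. On success returns
    'OK|<sid>|<display name>', reusing an existing session found by
    getSidForUserName and otherwise creating one with
    createSessionForUserName. Returns 'Error - Invalid Login!' when no
    user row matches, or the message from validateInputData when the
    request fails pre-validation.
    """
    email = req.form.getfirst('email', '')
    password = req.form.getfirst('pw', '')
    displayName = 'Guest'
    returnString = validateInputData(req)
    if returnString != '':
        return returnString
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # Both values are attacker-controlled. The original formatted them
        # into the statement text and only escaped the email; binding them
        # through the driver closes the injection path via the password.
        # NOTE(review): the submitted password is compared with the stored
        # column as-is; whether that column holds a hash is not visible here.
        sql = "SELECT id, display_name FROM user WHERE email = %s AND password = %s"
        cursor.execute(sql, (email, password))
        result = cursor.fetchone()
        if not result:
            return 'Error - Invalid Login!'
        userId = result[0]
        displayName = result[1]
        # NOTE(review): the existing-session lookup is keyed on display name,
        # not user id; if display names are not unique this could hand back
        # another user's session. Confirm the uniqueness constraint.
        session = getSidForUserName(cursor, displayName)
        if session == '':
            session = createSessionForUserName(db, cursor, displayName, userId)
        returnString = "OK|%s|%s" % (session, displayName)
    finally:
        db.close()
    return returnString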
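def index(req):
    """Create a data_source row from the submitted form and return its id.

    Form fields: ``sid`` plus the entries of formFields, which are named
    after the data_source columns they populate. Returns 'Id:<new id>' on
    success, the error string from validateInputData when validation
    fails, or 'Error - invalid user' when the session does not map to a
    user.
    """
    formFields = ['name', 'type', 'url', 'category', 'author', 'image_name']
    sessionId = req.form.getfirst('sid', '')
    returnString = validateInputData(req)
    if returnString != '':
        return returnString
    # escape() HTML-escapes the stored text for the pages it is later
    # rendered into; it is not an SQL escape, so values are bound below
    # rather than quoted into the statement (the old code relied on
    # escape() alone, which leaves the statement open to injection).
    values = [escape(req.form.getfirst(field, '')) for field in formFields]
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # Resolve the author from the session instead of the hard-coded
        # user 1 the prototype used for created_by / last_updated_by.
        cursor.execute("SELECT user_id FROM session WHERE session = %s", (sessionId,))
        row = cursor.fetchone()
        if not row:
            return 'Error - invalid user'
        userId = row[0]
        # Column names come from fixed lists, never from the request.
        columns = formFields + ['image_path', 'created_by', 'created_date',
                                'last_updated_by', 'last_updated_date']
        placeholders = ['%s'] * len(formFields) + ['%s', '%s', 'NOW()', '%s', 'NOW()']
        finalSql = "INSERT INTO data_source (%s) VALUES (%s)" % (
            ", ".join(columns), ", ".join(placeholders))
        cursor.execute(finalSql, values + ['user_photos/', userId, userId])
        db.commit()
        returnString = "Id:%s" % (cursor.lastrowid)
    finally:
        db.close()
    return returnString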
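def index(req):
    """Return the caller's seven preferred data sources as a JS assignment.

    Reads ``sid`` from the form and emits
    ``userPrefDataSources = [...];`` where slot i holds
    ``{"<feed id>": {...}}`` for the data source stored in feed(i+1) of
    the user's user_prefs row. Slots whose data source was not found keep
    their 1-based index as a placeholder. An unknown session falls back
    to data sources 1..7.
    """
    import json
    sessionId = req.form.getfirst('sid', '')
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # The session token is client-controlled and was previously pasted
        # into the SQL text unescaped; bind it instead.
        sql = ("SELECT up.feed1, up.feed2, up.feed3, up.feed4, up.feed5, up.feed6, up.feed7 "
               "FROM user_prefs up JOIN session s ON (s.user_id = up.user) "
               "WHERE s.session = %s")
        cursor.execute(sql, (sessionId,))
        result = cursor.fetchone()
        if not result:
            orderArray = ['1', '2', '3', '4', '5', '6', '7']
        else:
            orderArray = [result[i] for i in range(7)]
        sql = ("SELECT ds.id, ds.name, ds.type, ds.url, c.name, ds.author, ds.image_name, ds.image_path "
               "FROM data_source ds JOIN category c ON (ds.category = c.id) "
               "WHERE ds.id IN (%s, %s, %s, %s, %s, %s, %s)")
        cursor.execute(sql, tuple(orderArray))
        results = cursor.fetchall()
    finally:
        db.close()
    orderedResults = [1, 2, 3, 4, 5, 6, 7]
    for row in results:
        feedId = str(row[0])
        feedInfo = {'feedName': row[1], 'feedType': str(row[2]), 'feedUrl': row[3],
                    'feedCategory': row[4], 'feedAuthor': row[5],
                    'feedImageName': row[6], 'feedImagePath': row[7]}
        for offset in getOrdinalForFeedId(feedId, orderArray):
            orderedResults[offset] = {feedId: feedInfo}
    # json.dumps produces valid JavaScript; str() on a Python list does not
    # (a NULL column becomes the identifier None, and string repr can carry
    # a u'' prefix), and it quotes values properly for the script context.
    return "userPrefDataSources = " + json.dumps(orderedResults) + ";"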
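def index(req):
    """Log the caller out by deleting the session row for ``sid``.

    Always returns 'OK'; an unknown token is only logged, so the response
    does not reveal whether the token existed.
    """
    sid = req.form.getfirst('sid', '')
    # Connection settings come from config; the commented-out line that
    # carried a literal database password has been removed.
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # Bind the token instead of escape_string(): parameter binding is
        # the driver's supported path and is consistent with the other
        # handlers.
        cursor.execute("SELECT id FROM session WHERE session = %s", (sid,))
        result = cursor.fetchone()
        if result:
            cursor.execute("DELETE FROM session WHERE id = %s", (result[0],))
            db.commit()
            # NOTE(review): the full session token is written to the log;
            # if the log is less protected than the session table, consider
            # logging only a prefix.
            logMsg('Logout, SID Removed --->' + sid)
        else:
            logMsg('Logout, SID NOT FOUND --->' + sid)
    finally:
        db.close()
    return 'OK'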
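def index(req):
    """Store an uploaded image under the user_photos directory.

    Form fields: ``sid`` (session token) and ``file`` (the upload).
    Returns 'OK' once the file is written, 'Invalid SID' when the session
    is unknown, and 'Invalid File' when the upload is missing, is not a
    file field, has no usable name, exceeds maxUploadBytes, or a file
    with that name already exists.
    """
    import os
    sid = req.form.getfirst('sid', '')
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        cursor.execute("SELECT user_id FROM session WHERE session = %s", (sid,))
        result = cursor.fetchone()
    finally:
        db.close()
    # The prototype replaced this test with `if True:`, which let anyone
    # write into user_photos; the session check is enforced again.
    if not result:
        return 'Invalid SID'
    filepath = "/home/ken/sites/meyenews/user_photos/"
    maxUploadBytes = 5 * 1024 * 1024  # TODO(review): tune to the intended image size limit
    try:
        fileitem = req.form['file']  # nested Field object holding the upload
    except KeyError:
        return 'Invalid File'
    if getattr(fileitem, 'file', None) is None or not getattr(fileitem, 'filename', ''):
        return 'Invalid File'
    # The client chooses the name: keep only the leaf so '../x', an
    # absolute path or a backslash path cannot escape user_photos.
    filename = os.path.basename(fileitem.filename.replace('\\', '/'))
    if filename in ('', '.', '..'):
        return 'Invalid File'
    # NOTE(review): nothing here checks that the content is actually an
    # image or restricts the extension; if user_photos is served by the
    # web server, confirm it cannot execute uploaded files.
    fname = os.path.join(filepath, filename)
    logMsg('\nUploadFile: filename --->' + fname)
    # Read one byte past the limit so an oversized upload is detected
    # without buffering all of it.
    data = fileitem.file.read(maxUploadBytes + 1)
    if len(data) > maxUploadBytes:
        return 'Invalid File'
    try:
        # O_EXCL makes create-and-open atomic: an existing file, including
        # one written by a concurrent upload, is never overwritten.
        fd = os.open(fname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except OSError:
        return 'Invalid File'
    with os.fdopen(fd, 'wb') as out:
        out.write(data)
    return 'OK'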
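def index(req):
    """Return every data source, joined with its category name, as a JS assignment.

    Emits ``globalDataSources = {...};`` keyed by data_source id (as a
    string). No session check is performed - the ``sid`` field was read
    but never used - so the listing is available to anyone who can reach
    the handler.
    """
    import json
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        sql = ("SELECT ds.id, ds.name, ds.type, ds.url, c.name, ds.author, ds.image_name, ds.image_path "
               "FROM data_source ds JOIN category c ON (ds.category = c.id)")
        cursor.execute(sql)
        results = cursor.fetchall()
    finally:
        db.close()
    # Build a mapping and let json.dumps quote it. The old hand-formatted
    # "'%s'" template produced broken (or escapable) JavaScript for any
    # stored value containing a quote; the HTML escaping applied at insert
    # time is not a guarantee against that.
    sources = {}
    for row in results:
        sources[str(row[0])] = {'feedName': row[1], 'feedType': str(row[2]),
                                'feedUrl': row[3], 'feedCategory': row[4],
                                'feedAuthor': row[5], 'feedImageName': row[6],
                                'feedImagePath': row[7]}
    return "globalDataSources = " + json.dumps(sources) + ";"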
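def validateInputData(req):
    """Validate the create-data-source form before anything is inserted.

    Returns '' when the request is acceptable, otherwise an 'Error - ...'
    message. Checks run in this order: sid/name/url lengths, the category
    exists, no data source with this name in that category, the session
    maps to a user, and no data source with this name and url anywhere
    (that message names the category already holding it).
    """
    # TODO type is valid across domain table
    sessionId = req.form.getfirst('sid', '')
    if len(sessionId) < 5:
        return 'Error - invalid session'
    name = req.form.getfirst('name', '')
    if len(name) < 2:
        return 'Error - invalid name'
    url = req.form.getfirst('url', '')
    if len(url) < 2:
        return 'Error - invalid url'
    category = req.form.getfirst('category', '')
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # Every value below is client-supplied and was previously formatted
        # into the SQL text unescaped; all are bound by the driver now.
        cursor.execute("SELECT id FROM category WHERE id = %s", (category,))
        if not cursor.fetchone():
            return 'Error - invalid category'
        # NOTE(review): this uniqueness check answers before the session is
        # verified, so an unauthenticated caller can probe existing names.
        cursor.execute("SELECT id FROM data_source WHERE name = %s AND category = %s",
                       (name, category))
        if cursor.fetchone():
            return 'Error - a data source by name this already exists in this category'
        cursor.execute("SELECT user_id FROM session WHERE session = %s", (sessionId,))
        if not cursor.fetchone():
            return 'Error - invalid user'
        cursor.execute("SELECT category FROM data_source WHERE name = %s AND url = %s",
                       (name, url))
        result = cursor.fetchone()
        if result:
            return ('Error - a data source with this name and url already exists in category:'
                    + str(result[0]))
    finally:
        db.close()
    return ''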