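def index(req):
    """Record the user's feed choice for one of the seven feed slots.

    Form fields read from ``req``:
      sid          -- session id; must exist in the ``session`` table
      feed_ordinal -- integer 0..6 selecting column ``feed1``..``feed7``
                      of ``user_prefs``
      feed_id      -- value stored in that column

    Returns a short status string: 'OK', 'Invalid Article Number' (bad or
    out-of-range ordinal) or 'Invalid Request' (unknown session).
    """
    sid = req.form.getfirst('sid', '')
    feedOrdinal = req.form.getfirst('feed_ordinal', '')
    feedId = req.form.getfirst('feed_id', '')

    # A non-numeric ordinal used to raise ValueError out of the handler;
    # treat it exactly like an out-of-range one.
    try:
        feedOrdinal = int(feedOrdinal)
    except (TypeError, ValueError):
        return 'Invalid Article Number'
    if feedOrdinal < 0 or feedOrdinal > 6:
        return 'Invalid Article Number'

    # A column name cannot be a bind parameter.  Interpolating it is safe
    # only because feedOrdinal was just checked to be an int in 0..6, so
    # fieldName is always one of feed1..feed7.
    fieldName = 'feed' + str(feedOrdinal + 1)

    # connect to database
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # sid and feed_id are attacker-controlled: bind them instead of
        # string-building the SQL (feed_id was previously interpolated
        # without any escaping).
        cursor.execute("SELECT user_id FROM session WHERE session = %s",
                       (sid,))
        result = cursor.fetchone()
        if not result:
            logMsg('Logout, SID NOT FOUND --->' + sid)
            return 'Invalid Request'

        # valid sid
        userId = result[0]
        # '%%s' survives the first formatting as '%s' for the driver.
        sql = "UPDATE user_prefs SET %s = %%s WHERE user = %%s" % (fieldName,)
        # Log the statement shape only; the bound values are not needed in
        # the log.
        logMsg(sql)
        cursor.execute(sql, (feedId, userId))
        db.commit()
    finally:
        db.close()
    return 'OK'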
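def index(req):
    """Log out: delete the ``session`` row whose ``session`` column equals
    the supplied ``sid`` form field.

    Always returns 'OK', whether or not the session existed; the outcome is
    only recorded through logMsg, so a caller cannot probe for valid ids.
    """
    sid = req.form.getfirst('sid', '')

    # connect to database -- credentials come from config only.  The
    # commented-out connect line that carried a literal password has been
    # removed; never leave real credentials in source, even in comments.
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # Bind sid rather than escaping it into the statement text.
        cursor.execute("SELECT id FROM session WHERE session = %s", (sid,))
        result = cursor.fetchone()
        if result:
            # valid sid: delete by the id the lookup returned
            cursor.execute("DELETE FROM session WHERE id = %s", (result[0],))
            db.commit()
            logMsg('Logout, SID Removed --->' + sid)
        else:
            logMsg('Logout, SID NOT FOUND --->' + sid)
    finally:
        db.close()
    return 'OK'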
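def index(req):
    """Save an uploaded photo into the user_photos directory.

    Form fields read from ``req``:
      sid  -- session id; must exist in the ``session`` table
      file -- multipart file field (a Field with ``filename`` and ``file``)

    Returns 'OK' on success, otherwise one of 'Invalid SID' (unknown
    session), 'Invalid Request' (missing or unusable file name),
    'File Too Large' or 'File Exists'.

    This closes the gaps the original listed as bugs: the session check was
    short-circuited with ``if True:``, the client-supplied file name was
    used verbatim (directory traversal), there was no size limit, and an
    existing file of the same name was silently overwritten.
    """
    import os

    # TODO(review): confirm the intended upload limit with the site owner.
    MAX_UPLOAD_BYTES = 5 * 1024 * 1024
    filepath = "/home/ken/sites/meyenews/user_photos/"

    sid = req.form.getfirst('sid', '')

    # connect to database
    db = MySQLdb.connect(host='localhost', db=getMyCfg('db_name'),
                         user=getMyCfg('db_user'), passwd=getMyCfg('db_pw'))
    try:
        cursor = db.cursor()
        # sid is attacker-controlled: bind it instead of escaping into text.
        cursor.execute("SELECT user_id FROM session WHERE session = %s",
                       (sid,))
        result = cursor.fetchone()
    finally:
        db.close()
    # Anonymous uploads are refused; this is the check that was bypassed.
    if not result:
        logMsg('UploadFile: SID NOT FOUND --->' + sid)
        return 'Invalid SID'

    # A nested Field object holds the file.  The original read the bytes
    # from the getfirst() value instead of this Field; that looks like a
    # mix-up -- TODO confirm against the mod_python FieldStorage API in use.
    try:
        fileitem = req.form['file']
    except KeyError:
        return 'Invalid Request'
    rawName = getattr(fileitem, 'filename', None)
    if not rawName:
        return 'Invalid Request'

    # Keep only the last path component so names like "../../x" or
    # "..\\x" cannot escape the upload directory; also refuse dot-files.
    filename = os.path.basename(rawName.replace('\\', '/'))
    if not filename or filename.startswith('.'):
        return 'Invalid Request'
    fname = os.path.join(filepath, filename)
    logMsg('\nUploadFile: filename --->' + fname)

    # Read one byte past the limit: an oversized upload is rejected without
    # buffering its whole body.
    data = fileitem.file.read(MAX_UPLOAD_BYTES + 1)
    if len(data) > MAX_UPLOAD_BYTES:
        return 'File Too Large'

    # NOTE(review): the extension/content type is not checked.  If
    # user_photos is served by the web server, confirm it cannot execute
    # uploaded scripts.
    # O_EXCL makes creation atomic: fail instead of overwriting an existing
    # photo or racing a concurrent upload with the same name.
    try:
        fd = os.open(fname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except OSError:
        return 'File Exists'
    # save the image data to the filesystem
    with os.fdopen(fd, 'wb') as out:
        out.write(data)
    return 'OK'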