コード例 #1
def login():
    """Show the login form on GET; on POST check the submitted credentials.

    A successful POST stores the user's id in the session under "user_id"
    and redirects to "/". Every failure is reported through apology().
    """
    if request.method == 'GET':
        return render_template("login.html")

    username = request.form.get("username")
    password = request.form.get("password")

    # both fields are required
    if not (username and password):
        return apology("You must enter a username and password")

    # look the account up by its username
    user = Users.query.filter_by(username=username).first()

    # NOTE(review): an unknown username and a wrong password produce
    # different messages, so the responses reveal which usernames exist.
    # A single shared message for both failures would avoid that.
    if not user:
        return apology("You must enter a valid username")

    # NOTE(review): the stored value is compared with a bare MD5 hex digest
    # of the password. MD5 is fast and no salt is applied here, so a leaked
    # users table is cheap to crack offline. A salted, slow scheme (e.g.
    # werkzeug's generate_password_hash / check_password_hash) is the usual
    # replacement, but it requires re-hashing the stored passwords.
    submitted_digest = md5(password.encode()).hexdigest()
    if submitted_digest != user.password:
        return apology("You must enter a valid password")

    # remember the authenticated user for later requests
    session["user_id"] = user.id
    return redirect("/")
コード例 #2
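def upload():
    """Show the upload form on GET; on POST store the uploaded file.

    The file is saved in app.config['UPLOAD_FOLDER'] under the optional
    "name" form field, or under the browser-supplied filename when that
    field is empty. Both names come from the client, so the chosen name is
    reduced to its final path component and always passed through
    allowed_file() before anything is written. A rejected request gets an
    apology page; a stored file redirects to the 'uploaded' endpoint.
    """
    if request.method == "GET":
        return render_template("upload.html")

    # check if the post request has the file part
    if 'file' not in request.files:
        flash('No file part')
        return redirect(request.url)
    file = request.files['file']

    # if user does not select file, browser also
    # submit an empty part without filename
    if file.filename == '':
        flash('No selected file')
        return redirect(request.url)

    # The "name" override used to skip allowed_file() entirely and was
    # joined to the upload folder as-is, so a name containing directory
    # separators or ".." could place the file outside UPLOAD_FOLDER.
    # Keep only the last path component (backslashes are treated as
    # separators too) and apply the same check to either source.
    requested = request.form.get("name") or file.filename or ""
    filename = os.path.basename(requested.replace("\\", "/"))

    # "", "." and ".." are what remains of a name that was only a path.
    # allowed_file() is defined elsewhere; presumably an extension
    # allow-list -- confirm it is strict enough for this folder.
    if not file or filename in ("", ".", "..") or not allowed_file(filename):
        return apology("Bad file upload request. Try again.")

    path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
    file.save(path)
    return redirect(url_for('uploaded', filename=filename))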
コード例 #3
def secret_page():
    """Show the search form on GET; on POST look a user up and show the row.

    An empty "query" field or an empty result set is answered with an
    apology page; otherwise the first returned row is rendered through
    result.html.
    """
    if request.method == "GET":
        return render_template("secret.html")

    submitted = request.form.get("query")

    # a search term is required
    if not submitted:
        return apology("You must enter a username")

    # NOTE(review): the statement text appears masked on this page
    # ('******'), so the value compared against username cannot be seen
    # here. If the submitted value is formatted into this f-string, it
    # should be passed as a bound parameter instead, so that it is never
    # parsed as SQL.
    result = db.engine.execute(
        f"SELECT * FROM users WHERE username='******'")

    # the ResultProxy has to be fetched before the rows can be used
    matches = result.fetchall()
    if not matches:
        return apology("0 results found")

    # NOTE(review): SELECT * hands every column of the row to the template;
    # selecting only the columns result.html displays would keep fields
    # such as a password hash out of the page -- confirm what it needs.
    return render_template("result.html", rows=matches[0])
コード例 #4
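def flag_check():
    """Show the flag form on GET; on POST verify the submitted flag.

    The flag is only kept as a salted PBKDF2 hash, so the plaintext is not
    present in the source. A wrong or missing flag gets an apology page;
    a correct one renders game_over.html.
    """
    if request.method == "GET":
        return render_template("flag.html")

    # hashed flag to prevent cheating
    flagHash = 'pbkdf2:sha256:50000$lZnnfd9Y$22a7c6d699b1021aa862b8fa6712d9608044dd2c036c64053efea48c8b321cf8'

    # A POST without a "flag" field yields None, which check_password_hash
    # cannot hash and which would surface as a server error. Treat a
    # missing field as an empty, and therefore wrong, submission.
    submitted = request.form.get("flag") or ""

    if not check_password_hash(flagHash, submitted):
        return apology(
            "The flag you entered is not correct. You can't guess it.")

    return render_template("game_over.html")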
コード例 #5
def errorhandler(e):
    """Render any error as an apology page.

    Exceptions that are not HTTPException instances are replaced by a
    generic InternalServerError, so only that error's name and code are
    passed on to apology() rather than details of the original exception.
    """
    error = e if isinstance(e, HTTPException) else InternalServerError()
    return apology(error.name, error.code)