prevent sql injection
mapoor authored and mapoor committed Dec 30, 2014
1 parent 3d93109 commit b290c21
Showing 2 changed files with 18 additions and 19 deletions.
26 changes: 12 additions & 14 deletions app.py
Expand Up @@ -36,17 +36,15 @@ def create_poll():
try:
cursor = conn.cursor()
uid = request.remote_addr
import pdb
pdb.set_trace()
vid = str(int(time.time()*100))
title, optn, l_dsc = parse_req()
optdsc = '|'.join(l_dsc)
optnum = '|'.join(['0']*optn)
sql = "insert into t_vote_info(FUid, FVoteId, FTitle, FOptionNum, \
FOptionDesc, FOptionVoteNum, FState, FCreateTime, FEndTime) \
values(\"%s\",\"%s\",\"%s\",%d,\"%s\",\"%s\",0,now(),now()+interval 1 day);"
values(%s,%s,%s,%s,%s,%s,0,now(),now()+interval 1 day);"
param = (uid, vid, title, optn, optdsc, optnum)
res = cursor.execute(sql%param)
res = cursor.execute(sql, param)
conn.commit()
cursor.close()
except Exception,e:
Expand All @@ -58,8 +56,8 @@ def do_poll():
if "p_id" in request.args:
p_id = request.args['p_id']
cursor = conn.cursor()
sql_s = "select FTitle, FOptionDesc from t_vote_info where FVoteId=%s;"%p_id
res = cursor.execute(sql_s)
sql_s = "select FTitle, FOptionDesc from t_vote_info where FVoteId=%s;"
res = cursor.execute(sql_s, (p_id,))
r = cursor.fetchone()
cursor.close()
title = r[0]
Expand All @@ -75,13 +73,13 @@ def do_poll():
p_id = request.form['p_id']
try:
cursor = conn.cursor()
sql_s = "select FOptionVoteNum from t_vote_info where FVoteId=%s;"%p_id
res = cursor.execute(sql_s)
sql_s = "select FOptionVoteNum from t_vote_info where FVoteId=%s;"
res = cursor.execute(sql_s, (p_id,))
opt_pre = cursor.fetchone()[0].split('|')
opt_pre[o_id] = str(int(opt_pre[o_id])+1)
opt_new = '|'.join(opt_pre)
sql_u = "update t_vote_info set FOptionVoteNum=\"%s\" where FVoteId=\"%s\";"%(opt_new,p_id)
res = cursor.execute(sql_u)
sql_u = "update t_vote_info set FOptionVoteNum=%s where FVoteId=%s;"
res = cursor.execute(sql_u, (opt_new,p_id))
conn.commit()
cursor.close()
except Exception,e:
Expand All @@ -98,8 +96,8 @@ def show_poll():
rows = []
try:
cursor = conn.cursor()
sql_s = "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t_vote_info where FVoteId=%s;"%p_id
res = cursor.execute(sql_s)
sql_s = "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t_vote_info where FVoteId=%s;"
res = cursor.execute(sql_s, (p_id,))
r = cursor.fetchone()
cursor.close()
title = r[0]
Expand All @@ -121,8 +119,8 @@ def show_refresh():
rows = []
try:
cursor = conn.cursor()
sql_s = "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t_vote_info where FVoteId=%s;"%p_id
res = cursor.execute(sql_s)
sql_s = "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t_vote_info where FVoteId=%s;"
res = cursor.execute(sql_s, (p_id,))
r = cursor.fetchone()
cursor.close()
title = r[0]
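Review bot: The vote update in do_poll's POST branch (hunk `@@ -75,13 +73,13 @@`) is still a non-atomic read-modify-write: the new parameterized `select FOptionVoteNum ...` and the later `update t_vote_info set FOptionVoteNum=%s ...` run as separate statements, so two concurrent votes on the same `p_id` can both read the same counts and one increment is lost. If t_vote_info is an InnoDB table, the smallest fix is to lock the row for the transaction that `conn.commit()` already closes: `sql_s = "select FOptionVoteNum from t_vote_info where FVoteId=%s for update;"`. Separately, now that an unknown or malformed `p_id` is an ordinary no-match rather than an injection vector, `r = cursor.fetchone()` followed by `title = r[0]` in the do_poll GET, show_poll and show_refresh hunks raises TypeError on `None`; a guard such as `if r is None:` that returns a not-found response (Flask's `abort(404)`, if it is imported) before indexing would make that a proper reply, and in do_poll's GET branch no enclosing try is visible. create_poll, do_poll, show_poll and show_refresh all start and end outside their hunks.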
11 changes: 6 additions & 5 deletions templates/show.html
Expand Up @@ -25,7 +25,7 @@
{label: "{{ item[0] }}", value: {{ item[1] }}, color:"{{ item[2] }}"},
{% endfor %}
];
var myPieChart = new Chart(ctx).Pie(data,{animationSteps: 60});
var pie_chart = new Chart(ctx).Pie(data,{animationSteps: 60});

function diff_rows(old_, new_){
n_o = old_.length;
Expand All @@ -45,7 +45,7 @@

timeout = [3,4,6,9,14,22,35,56,90,145];
idx_timeout = 0;
function refresh(myChart){
function refresh(){
var p_id = location.search.substring(1).split('=')[1];
var p_ajax = {
type: "POST",
Expand All @@ -57,11 +57,12 @@
rows = d.rows;
if (diff_rows(data, rows) == 1){
data = rows;
myChart.destroy();
myPieChart = new Chart(ctx).Pie(data,{animation: false});
pie_chart.destroy();
pie_chart = new Chart(ctx).Pie(data,{animation: false});
this.ret = 1;
}
this.ret = 0;
else
this.ret = 0;
},
error: function(e,b,c){
alert("ajax error function.");
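Review bot: The new `this.ret = 1;` / `else this.ret = 0;` in the success callback (hunk `@@ -57,11 +57,12 @@`) assigns to whatever `this` is bound to inside the callback; if `p_ajax` is handed to jQuery's `$.ajax` (the `type: "POST"` settings object suggests so), `this` is the settings object unless a `context` option is set, so `ret` is never observed by `refresh()` or its caller. If the flag is meant to drive the `timeout`/`idx_timeout` back-off, store it in a variable the outer code reads, e.g. `var changed = 0;` declared in `refresh()` and `changed = 1;` / `else { changed = 0; }` in the callback, and give the brace-less `else` braces to match the `if` block above it. On the unchanged line `{label: "{{ item[0] }}", ...}`, text that presumably comes from the database (poll title and option descriptions) is interpolated into a JavaScript string literal and relies on Jinja's HTML autoescaping inside a `<script>` block; Flask's `tojson` filter (`{label: {{ item[0]|tojson }}, ...}`) emits a correctly quoted JS literal and is the safer form for user-supplied text. `refresh()` and the ajax settings object start and end outside the hunk.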
