Implemented parametrized queries for user inputs in user functionalities
Prinex committed Nov 26, 2022
1 parent 49a7df8 commit 0e4063d3b6ee1e9cfb5ffcf5b6c6b3f1cfc9d1f1
Showing 1 changed file with 85 additions and 56 deletions.
@@ -29,18 +29,19 @@ def products():
if theItem:

#We Do A Query for It
itemQry = query_db(f"SELECT * FROM product WHERE id = ?",[theItem], one=True)

#And Associated Reviews
#reviewQry = query_db("SELECT * FROM review WHERE productID = ?", [theItem])
theSQL = f"""
SELECT *
FROM review
INNER JOIN user ON review.userID = user.id
WHERE review.productID = {itemQry['id']};
"""
reviewQry = query_db(theSQL)
#itemQry = query_db(f"SELECT * FROM product WHERE id = ?",[theItem], one=True)

#--
theQry = "SELECT * FROM product WHERE id = ?"
args = (theItem)
itemQry = query_db(theQry, args, True)

theQry1 = "SELECT * FROM review INNER JOIN user ON review.userID = user.id WHERE review.productID = ?;"
# add a , becasue args parameter is a tuple, i.e., accepts tuples
args = (itemQry['id'],)
reviewQry = query_db(theQry1, args)
#--

#If there is form interaction and they put somehing in the basket
if flask.request.method == "POST":

@@ -89,9 +90,11 @@ def login():
password = flask.request.form.get("password")
app.logger.info("Attempt to login as %s:%s", user, password)

theQry = "Select * FROM User WHERE email = '{0}'".format(user)

userQry = query_db(theQry, one=True)
#--
theQry = "SELECT * FROM User WHERE email = ?"
args = (user,)
userQry = query_db(theQry, args, one=True)
#--

if userQry is None:
flask.flash("No Such User")
@@ -136,9 +139,12 @@ def create():


#Otherwise we can add the user
theQry = "Select * FROM User WHERE email = '{0}'".format(email)
userQry = query_db(theQry, one=True)

#--
theQry = "Select * FROM User WHERE email = ?"
args = (email,)
userQry = query_db(theQry, args, one=True)
#--

if userQry:
flask.flash("A User with that Email Exists")
return flask.render_template("create_account.html",
@@ -165,28 +171,32 @@ def settings(userId):
Update a users settings,
Allow them to make reviews
"""

theQry = "Select * FROM User WHERE id = '{0}'".format(userId)
thisUser = query_db(theQry, one=True)

#--
theQry = "Select * FROM User WHERE id = ?"
args = (userId,)
thisUser = query_db(theQry, args, one=True)
#--

if not thisUser:
flask.flash("No Such User")
return flask.redirect(flask.url_for("index"))

#Purchases
theSQL = f"Select * FROM purchase WHERE userID = {userId}"
purchaces = query_db(theSQL)
#--
theSQL = "SELECT * FROM purchase WHERE userID = ?"
args = (userId,)
purchaces = query_db(theSQL, args)

theSQL = """
SELECT productId, date, product.name
FROM purchase
INNER JOIN product ON purchase.productID = product.id
WHERE userID = {0};
""".format(userId)
WHERE userID = ?;
"""
args = (userId,)
purchaces = query_db(theSQL, args)
#--

purchaces = query_db(theSQL)

return flask.render_template("usersettings.html",
user = thisUser,
purchaces = purchaces)
@@ -207,9 +217,12 @@ def updateUser(userId):
"""
Process any chances from the user settings page
"""

theQry = "Select * FROM User WHERE id = '{0}'".format(userId)
#--
theQry = "Select * FROM User WHERE id = ?"
args = (userId,)
thisUser = query_db(theQry, one=True)
#--

if not thisUser:
flask.flash("No Such User")
return flask.redirect(flask_url_for("index"))
@@ -224,9 +237,12 @@ def updateUser(userId):
if current == thisUser["password"]:
app.logger.info("Password OK, update")
#Update the Password
theSQL = f"UPDATE user SET password = '{password}' WHERE id = {userId}"
#--
theSQL = "UPDATE user SET password = ? WHERE id = ?"
args = (password, userId)
app.logger.info("SQL %s", theSQL)
write_db(theSQL)
write_db(theSQL, args)
#--
flask.flash("Password Updated")

else:
@@ -266,39 +282,46 @@ def reviewItem(userId, itemId):
if reviewId:
#Update an existing oe
app.logger.info("Update Existing")

theSQL = f"""

#--
theSQL = """
UPDATE review
SET stars = {reviewStars},
review = '{reviewComment}'
SET stars = ?
review = ?
WHERE
id = {reviewId}"""

id = ?"""
args = (reviewStars, reviewComment, reviewId)
app.logger.debug("%s", theSQL)
write_db(theSQL)

write_db(theSQL, args)
#--

flask.flash("Review Updated")

else:
app.logger.info("New Review")

theSQL = f"""
#--
theSQL = """
INSERT INTO review (userId, productId, stars, review)
VALUES ({userId}, {itemId}, {reviewStars}, '{reviewComment}');
VALUES (?, ?, ?, ?);
"""

args = (userId, itemId, reviewStars, reviewComment)
app.logger.info("%s", theSQL)
write_db(theSQL)
write_db(theSQL, args)
#--

flask.flash("Review Made")

#Otherwise get the review
theQry = f"SELECT * FROM product WHERE id = {itemId};"
#--
theQry = "SELECT * FROM product WHERE id = ?;"
args = (itemId,)
item = query_db(theQry, one=True)

theQry = f"SELECT * FROM review WHERE userID = {userId} AND productID = {itemId};"
review = query_db(theQry, one=True)
theQry = "SELECT * FROM review WHERE userID = ? AND productID = ?;"
args = (userId, itemId)
review = query_db(theQry, args, one=True)
app.logger.debug("Review Exists %s", review)
#--

return flask.render_template("reviewItem.html",
item = item,
@@ -332,8 +355,11 @@ def basket():

totalPrice = 0
for key in sessionBasket:
theQry = f"SELECT * FROM product WHERE id = {key}"
theItem = query_db(theQry, one=True)
#--
theQry = "SELECT * FROM product WHERE id = ?"
args = (key,)
theItem = query_db(theQry, args, one=True)
#--
quantity = int(sessionBasket[key])
thePrice = theItem["price"] * quantity
totalPrice += thePrice
@@ -362,8 +388,11 @@ def pay():


#Fetch USer ID from Sssion
theQry = "Select * FROM User WHERE id = {0}".format(flask.session["user"])
theUser = query_db(theQry, one=True)
#--
theQry = "Select * FROM User WHERE id = ?"
args = (flask.session["user"],)
theUser = query_db(theQry, args, one=True)
#--

#Add products to the user
sessionBasket = flask.session.get("basket", None)
@@ -372,12 +401,12 @@ def pay():
for key in sessionBasket:

#As we should have a trustworthy key in the basket.
theQry = "INSERT INTO PURCHASE (userID, productID, date) VALUES ({0},{1},'{2}')".format(theUser['id'],
key,
theDate)

#--
theQry = "INSERT INTO PURCHASE (userID, productID, date) VALUES (?, ?, ?)"
args = (theUser['id'], key, theDate)
app.logger.debug(theQry)
write_db(theQry)
write_db(theQry, args, theDate)
#--

#Clear the Session
flask.session.pop("basket", None)
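Review bot: The new `updateUser` lookup at `thisUser = query_db(theQry, one=True)` builds `args = (userId,)` but never passes it, and the same omission recurs in `reviewItem` at `item = query_db(theQry, one=True)`; if query_db binds through sqlite3 as the other call sites suggest, a `?` placeholder with no bindings raises rather than returning the row, so both should read `thisUser = query_db(theQry, args, one=True)` and `item = query_db(theQry, args, one=True)`. The rewritten UPDATE in `reviewItem` also lost the comma between its SET clauses (`SET stars = ?` / `review = ?`), which is an SQL syntax error; restore it as `SET stars = ?,`. In `pay`, `write_db(theQry, args, theDate)` passes theDate a second time as an extra positional argument, unlike every other call of the form `write_db(theSQL, args)`, so it should be `write_db(theQry, args)`. In `settings`, the trailing `purchaces = query_db(theSQL)` that remains after the parametrized call appears to re-run the query without bindings and overwrite the correct result, so it should be deleted if it survived on the new side. Each of these functions starts and ends outside its hunk.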
