« back to all changes in this revision
Viewing changes to www/common/db.py
- browse files at revision 373
- compare with another revision
- compare with revision 553
- download diff
- download tarball
- view history from revision 373
- Committer: mattgiuca
- Date: 2008-02-01 06:42:06 UTC
- Revision ID: svn-v3-trunk0:2b9c9e99-6f39-0410-b283-7f802c844ae2:trunk:373
db.py: Did some research on PGSQL string literals. Added E' to the front of
string escapes. (For reasons explained in comments, with a link).
I think this is now sanitized correctly. Obviously should test more.
Was able to add little Bobby Tables to the db ;)
Added update_user function.
string escapes. (For reasons explained in comments, with a link).
I think this is now sanitized correctly. Obviously should test more.
Was able to add little Bobby Tables to the db ;)
Added update_user function.
- files modified:
- www/common/db.py
added
removed
www/common/db.py
39
39
"""Wrapper around pg.escape_string. Escapes the string for use in SQL, and
40
40
also quotes it to make sure that every string used in a query is quoted.
41
41
"""
42
return "'" + pg.escape_string(str) + "'"
42
# "E'" is postgres's way of making "escape" strings.
43
# Such strings allow backslashes to escape things. Since escape_string
44
# converts a single backslash into two backslashes, it needs to be fed
45
# into E mode.
46
# Ref: http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html
47
# WARNING: PostgreSQL-specific code
48
return "E'" + pg.escape_string(str) + "'"
49
50
def _passhash(password):
51
return md5.md5(password).hexdigest()
43
52
44
53
class DB:
45
54
"""An IVLE database object. This object provides an interface to
55
64
self.db = pg.connect(dbname=conf.db_dbname, host=conf.db_host,
56
65
port=conf.db_port, user=conf.db_user, passwd=conf.db_password)
57
66
58
@staticmethod
59
def _passhash(password):
60
return md5.md5(password).hexdigest()
67
# USER MANAGEMENT FUNCTIONS #
61
68
62
69
def create_user(self, login, password, nick, fullname, rolenm, studentid,
63
70
dry=False):
66
73
The exception is "password", which is a cleartext password. makeuser
67
74
will hash the password.
68
75
"""
69
passhash = DB._passhash(password)
76
passhash = _passhash(password)
70
77
query = ("INSERT INTO login (login, passhash, nick, fullname, "
71
78
"rolenm, studentid) VALUES (%s, %s, %s, %s, %s, %s);" %
72
79
(_escape(login), _escape(passhash), _escape(nick),
74
81
if dry: return query
75
82
self.db.query(query)
76
83
84
def update_user(self, login, new_password=None, new_nick=None,
85
new_fullname=None, new_rolenm=None, dry=False):
86
"""Updates fields of a particular user. login is the name of the user
87
to update. The other arguments are optional fields which may be
88
modified. If None or omitted, they do not get modified. login and
89
studentid may not be modified."""
90
# Make a list of SQL fragments of the form "field = 'new value'"
91
# These fragments are ALREADY-ESCAPED
92
setlist = []
93
if new_password is not None:
94
setlist.append("passhash = " + _escape(_passhash(new_password)))
95
if new_nick is not None:
96
setlist.append("nick = " + _escape(new_nick))
97
if new_fullname is not None:
98
setlist.append("fullname = " + _escape(new_fullname))
99
if new_rolenm is not None:
100
setlist.append("rolenm = " + _escape(new_rolenm))
101
if len(setlist) == 0:
102
return
103
# Join the fragments into a comma-separated string
104
setstring = ', '.join(setlist)
105
# Build the whole query as an UPDATE statement
106
query = ("UPDATE login SET %s WHERE login = %s;"
107
% (setstring, _escape(login)))
108
if dry: return query
109
self.db.query(query)
110
77
111
def drop_user(self, login, dry=False):
78
112
"""Deletes a user login entry from the database."""
79
113
query = "DELETE FROM login WHERE login = %s;" % _escape(login)
Loggerhead is a web-based interface for Breezy
Version: 2.0.1