Create components to handle SQL injection tutorial

2025-11-04 11:52:54 +00:00 · 2017-11-27 18:52:34 +01:00
parent b1159d6c3e
commit e0b3064513
2 changed files with 55 additions and 1 deletions
--- a/src/components/init.py
+++ b/src/components/init.py
--- a/src/components/component_example.py
+++ b/src/components/component_example.py
@@ -1,8 +1,12 @@
 import codecs
+import sqlite3

+import source_code
 from component import Component
+from stateful_component import StatefulComponent
 from tornado.ioloop import IOLoop

+from login_component import authorize_login


 def echo_handler(data):
@@ -24,9 +28,59 @@ def reverse_handler(data, *args):
    return data


+def login_handler(data, component):
+    email, password = data['data']['email'], data['data']['password']
+    try:
+        sql_statement = source_code.find_local_variable_value(authorize_login, 'sql_statement')
+        yield (
+            'anchor_logger',
+            'The SQL statement executed by the server will look like this:\n `{}`'.format(sql_statement)
+        )
+
+        yield ('anchor_webide',
+               source_code.get_source_code(authorize_login, strip_comments=False))
+
+        sql_statement_with_values = sql_statement.format(email, password)
+        yield (
+            'anchor_logger',
+            'After the submitted parameters are substituted it looks like this:\n `{}`'.format(
+                sql_statement_with_values
+            )
+        )
+
+        logged_in_email, is_admin = authorize_login(email, password)
+
+        yield (
+            'anchor_logger',
+            'After the query is executed, it returns _{}_ as email address, and _{}_ for is_admin'.format(
+                logged_in_email, is_admin
+            )
+        )
+
+        if logged_in_email is not None:
+            response = 'Logged in as _{}_. You __{}have__ admin privileges.'.format(
+                logged_in_email,
+                '' if is_admin else 'don\'t '
+            )
+        else:
+            response = 'Bad username/password!'
+    except sqlite3.Warning:
+        response = 'Invalid request!'
+
+    yield ('anchor_login', '# Login page\n' + response)
+
+
+def source_code_handler(data, component):
+    component.unsubscribe(data['anchor'])
+    yield (data['anchor'],
+           source_code.get_source_code(authorize_login, strip_comments=True))
+
+
 if __name__ == '__main__':
    anchor_a = Component('anchor_a', change_case_handler)
    anchor_b = Component('anchor_b', rot13_handler)
    anchor_c = Component('anchor_c', reverse_handler)
-
+    anchor_login = StatefulComponent('anchor_login', login_handler)
+    anchor_webide = StatefulComponent('anchor_webide', source_code_handler)
    IOLoop.instance().start()
+