Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Jia Sen Wu - jw3675
- # Ray Mohabir - rm3887
- # Title: Please Do Not Mind The Spaghetti
- # Final Project
- import ujson as json
- import hashlib
- from flask import Flask, request, render_template, session, redirect
- from flask_bootstrap import Bootstrap
- from flaskext.mysql import MySQL
- import os
- import datetime
- import binascii
- mysql = MySQL()
- app = Flask(__name__)
- app.config['MYSQL_DATABASE_USER'] = 'dbman'
- app.config['MYSQL_DATABASE_PASSWORD'] = 'kappa'
- app.config['MYSQL_DATABASE_DB'] = 'fly'
- app.config['MYSQL_DATABASE_HOST'] = 'localhost'
- mysql.init_app(app)
- inject = "';"
- def dbsearch(num = None, dcity = None, acity = None, ddate = None, adate = None, email = None, status = False):
- ret = ""
- query = "SELECT DISTINCT flight.flight_num, flight.airline_name, departure_airport, departure_time, arrival_airport, arrival_time, status FROM flight"
- if email:
- if not session.get('type') == "staff":
- query += ", ticket, purchases"
- if session.get('type') == "agent":
- query += ", booking_agent"
- else:
- query += ", airline, airline_staff"
- if num or dcity or acity or ddate or adate or email or status:
- query += " WHERE flight.airline_name IS NOT NULL"
- if num:
- if inject in num:
- print "Warning! SQL Injection!"
- else:
- query += " AND flight.flight_num='" + num + "'"
- if dcity:
- if inject in dcity:
- print "Warning! SQL Injection!"
- else:
- query += " AND departure_airport='" + dcity + "'"
- if acity:
- if inject in acity:
- print "Warning! SQL Injection!"
- else:
- query += " AND arrival_airport='" + acity + "'"
- if ddate:
- if inject in ddate:
- print "Warning! SQL Injection!"
- else:
- query += " AND DATE(departure_time)='" + ddate + "'"
- if adate:
- if inject in adate:
- print "Warning! SQL Injection!"
- else:
- query += " AND DATE(arrival_time)='" + adate + "'"
- if status:
- query += " AND (status='Upcoming' OR status='Delayed')"
- if email:
- if session.get('type') == "agent":
- query += " AND booking_agent.email = \"" + email + "\" AND booking_agent.booking_agent_id = purchases.booking_agent_id AND purchases.ticket_id = ticket.ticket_id AND flight.flight_num = ticket.flight_num"
- elif session.get('type') == "staff":
- query += " AND airline_staff.username = \"" + email + "\" AND airline_staff.airline_name = flight.airline_name"
- else:
- query += " AND \"" + email + "\" = purchases.customer_email AND purchases.ticket_id = ticket.ticket_id AND flight.flight_num = ticket.flight_num"
- print query
- cursor = mysql.connect().cursor()
- cursor.execute(query)
- data = cursor.fetchall()
- #print data
- cursor.close()
- return data
- def airport(place):
- ret = "<option value=\"\"></option>"
- query = "SELECT DISTINCT " + place + "_airport FROM flight"
- cursor = mysql.connect().cursor()
- cursor.execute(query)
- data = cursor.fetchall()
- #print data
- for x in data:
- ret += "<option value=\"" + str(x[0]) + "\">" + str(x[0]) + "</option>"
- cursor.close()
- return ret
- @app.route('/viewflight')
- def viewflight():
- if not session.get('logged_in'):
- return redirect('/')
- cursor = mysql.connect().cursor()
- error = None
- ret1 = ""
- ret2 = ""
- customer = False
- fly = ""
- if session.get('type') == "staff":
- initial = (datetime.datetime.now() + datetime.timedelta(-30)).strftime("%Y-%m-%d")
- final = datetime.datetime.now().strftime("%Y-%m-%d")
- if request.args.get('date'):
- if inject in request.args.get('date'):
- print "Warning! SQL Injection!"
- else:
- initial = request.args.get('date')
- if request.args.get('date2'):
- if inject in request.args.get('date2'):
- print "Warning! SQL Injection!"
- else:
- final = request.args.get('date2')
- query = '''SELECT flight_num, airline_name, departure_airport, departure_time, arrival_airport, arrival_time, status
- FROM flight WHERE DATE(departure_time) BETWEEN "''' + initial + '''" AND "''' + final + '''" AND airline_name =
- (SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') + '''")'''
- if request.args.get('dcity'):
- if inject in request.args.get('dcity'):
- print "Warning! SQL Injection!"
- else:
- query += " AND departure_airport='" + dcity + "'"
- if request.args.get('acity'):
- if inject in request.args.get('acity'):
- print "Warning! SQL Injection!"
- else:
- query += " AND arrival_airport='" + acity + "'"
- cursor.execute(query)
- data = cursor.fetchall()
- print data
- for x in data:
- if x[6] == "Upcoming" or x[6] == "Delayed":
- ret1 += "<tr><td><a href='?num=" + str(x[0]) + "'>" + str(x[0]) + "</a></td><td>" + str(x[1]) + "</td><td>" + str(x[2]) + "</td><td>" + str(x[3]) + \
- "</td><td>" + str(x[4]) + "</td><td>" + str(x[5]) + "</td><td>" + str(x[6]) + "</td></tr>"
- else:
- ret2 += "<tr><td><a href='?num=" + str(x[0]) + "'>" + str(x[0]) + "</a></td><td>" + str(x[1]) + "</td><td>" + str(x[2]) + "</td><td>" + str(x[3]) + \
- "</td><td>" + str(x[4]) + "</td><td>" + str(x[5]) + "</td><td>" + str(x[6]) + "</td></tr>"
- if request.args.get('num'):
- for x in xrange(0,len(data)):
- if not [item for item in data if int(request.args.get('num')) in item]:
- error = "Flight number is not in the airline."
- break
- if not error:
- query = '''SELECT customer_email FROM purchases NATURAL JOIN ticket WHERE purchases.ticket_id = ticket.ticket_id AND
- ticket.airline_name = (SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') +'''")
- AND ticket.flight_num = "''' + request.args.get('num') + '''"'''
- cursor.execute(query)
- data = cursor.fetchall()
- customer = True
- for x in data:
- fly += "<tr><td>" + str(x[0]) + "</td></tr>"
- print fly
- else:
- data = dbsearch(None, None, None, None, None, session.get('email'))
- for x in data:
- if x[6] == "Upcoming" or x[6] == "Delayed":
- ret1 += "<tr>"
- for y in x:
- ret1 += "<td>" + str(y) + "</td>"
- ret1 += "</tr>"
- else:
- ret2 += "<tr>"
- for y in x:
- ret2 += "<td>" + str(y) + "</td>"
- ret2 += "</tr>"
- cursor.close()
- return render_template('viewflight.html', error = error, search=ret1, search2=ret2, dcity=airport("departure"), acity=airport("arrival"), date=datetime.datetime.now().strftime("%Y-%m-%d"), num=request.args.get('num'), customer=fly)
- @app.route('/purchase', methods=['GET', 'POST'])
- def purchase():
- if not session.get('logged_in') or session.get('type') == "staff":
- return redirect('/')
- conn = mysql.connect()
- cursor = conn.cursor()
- error = None
- ret1 = ""
- ret2 = ""
- if request.method == 'POST':
- if (request.form['flight'] and inject in request.form['flight']):
- print "Warning! SQL Injection!"
- else:
- if session.get('type') == "agent":
- query = '''SELECT customer_email FROM ticket, flight, purchases WHERE ticket.flight_num = flight.flight_num AND
- purchases.ticket_id = ticket.ticket_id AND customer_email = "''' + request.form['email'] + '''" AND flight.flight_num = ''' + \
- request.form['flight'].split()[1]
- cursor.execute(query)
- data = cursor.fetchall()
- if data:
- error = "Customer has already purchased this flight"
- if not error:
- query = '''SELECT MAX(ticket_id) FROM ticket'''
- cursor.execute(query)
- max_ticket = int(cursor.fetchall()[0][0])+1
- query = '''INSERT INTO ticket VALUES (''' + str(max_ticket) + ''', "''' + request.form['flight'].split()[0] + '''", ''' + \
- request.form['flight'].split()[1] + ''')'''
- print request.form['flight'].split()[1]
- cursor.execute(query)
- conn.commit()
- if session.get('type') == "customer":
- query = '''INSERT INTO purchases VALUES (''' + str(max_ticket) + ''', "''' + session.get('email') + '''", NULL, "''' + \
- datetime.datetime.now().strftime("%Y-%m-%d") + '''")'''
- #print query
- cursor.execute(query)
- conn.commit()
- else:
- if (request.form['email'] and inject in request.form['email']):
- print "Warning! SQL Injection!"
- else:
- if not error:
- query = '''INSERT INTO purchases VALUES (''' + str(max_ticket) + ''', "''' + request.form['email'] + \
- '''", (SELECT booking_agent_id FROM booking_agent WHERE email ="''' + session.get('email') + '''"), "''' + \
- datetime.datetime.now().strftime("%Y-%m-%d") + '''")'''
- #print query
- try:
- cursor.execute(query)
- except Exception as e:
- print e
- error = "Customer does not exist."
- conn.commit()
- if session.get('type') == "customer":
- query = '''SELECT flight_num, airline_name, departure_airport, departure_time, arrival_airport, arrival_time, status
- FROM flight WHERE flight_num NOT IN (SELECT flight_num FROM purchases, ticket WHERE purchases.ticket_id = ticket.ticket_id
- AND customer_email = "''' + session.get('email') + '''")
- AND flight_num NOT IN (SELECT flight_num FROM ticket NATURAL JOIN flight NATURAL JOIN airplane GROUP BY flight_num HAVING COUNT(ticket_id) >= SUM(seats))
- AND (status='Upcoming' OR status='Delayed')'''
- cursor.execute(query)
- data1 = cursor.fetchall()
- query = '''SELECT airline_name, flight_num, price FROM flight
- WHERE flight_num NOT IN (SELECT flight_num FROM purchases, ticket WHERE purchases.ticket_id = ticket.ticket_id
- AND customer_email = "''' + session.get('email') + '''")
- AND flight_num NOT IN (SELECT flight_num FROM ticket NATURAL JOIN flight NATURAL JOIN airplane GROUP BY flight_num HAVING COUNT(ticket_id) >= SUM(seats))
- AND (status='Upcoming' OR status='Delayed')'''
- cursor.execute(query)
- data2 = cursor.fetchall()
- for x in data1:
- ret1 += "<tr>"
- for y in x:
- ret1 += "<td>" + str(y) + "</td>"
- ret1 += "</tr>"
- for x in data2:
- ret2 += "<option value=\"" + str(x[0]) + " " + str(x[1]) + "\">" + str(x[0]) + " Flight " + str(x[1]) + ": $" + str(x[2]) + "</option>"
- else:
- data1 = dbsearch(None, None, None, None, None, None, True)
- query = "SELECT airline_name, flight_num, price FROM flight WHERE (status = \"Upcoming\" OR status = \"Delayed\")"
- cursor = mysql.connect().cursor()
- cursor.execute(query)
- data2 = cursor.fetchall()
- for x in data1:
- ret1 += "<tr>"
- for y in x:
- ret1 += "<td>" + str(y) + "</td>"
- ret1 += "</tr>"
- for x in data2:
- ret2 += "<option value=\"" + str(x[0]) + " " + str(x[1]) + "\">" + str(x[0]) + " Flight " + str(x[1]) + ": $" + str(x[2]) + "</option>"
- cursor.close()
- return render_template('purchase.html', error=error, show=ret1, flight=ret2)
- @app.route('/commission')
- def commission():
- if not session.get('logged_in') or session.get('type') != "agent":
- return redirect('/')
- initial = (datetime.datetime.now() + datetime.timedelta(-30)).strftime("%Y-%m-%d")
- final = datetime.datetime.now().strftime("%Y-%m-%d")
- if request.args.get('date'):
- if inject in request.args.get('date'):
- print "Warning! SQL Injection!"
- else:
- initial = request.args.get('date')
- if request.args.get('date2'):
- if inject in request.args.get('date2'):
- print "Warning! SQL Injection!"
- else:
- final = request.args.get('date2')
- query = '''SELECT SUM(price), AVG(price), COUNT(price) FROM flight, ticket, purchases, booking_agent WHERE email = "''' + session.get('email') + \
- '''" AND booking_agent.booking_agent_id = purchases.booking_agent_id AND purchases.ticket_id = ticket.ticket_id
- AND ticket.flight_num = flight.flight_num AND (purchase_date BETWEEN "''' + initial + '''" AND "''' + final + '''")'''
- cursor = mysql.connect().cursor()
- cursor.execute(query)
- data = cursor.fetchall()
- #print data
- cursor.close()
- return render_template('commission.html', tcomm=format(data[0][0],'.2f'), acomm=format(data[0][1],'.2f'), ttix=data[0][2], date=initial, date2=final)
- @app.route('/flight', methods=['GET', 'POST'])
- def flight():
- if not session.get('logged_in') or session.get('type') != "staff":
- return redirect('/')
- conn = mysql.connect()
- cursor = conn.cursor()
- ret = ""
- search = ""
- if request.args.get('type'):
- redir = "flight?type=" + request.args.get('type')
- error = None
- if request.method == 'POST':
- if request.args.get('type') == "create":
- depart = datetime.datetime.strptime(request.form['ddate'] + " " + request.form['dtime'], '%Y-%m-%d %H:%M')
- arrive = datetime.datetime.strptime(request.form['adate'] + " " + request.form['atime'], '%Y-%m-%d %H:%M')
- if request.form['dairport'] == request.form['aairport']:
- error = "Departure airport and arrival airport cannot be the same."
- elif (request.form['dairport'] and inject in request.form['dairport']) or (request.form['airplane'] and inject in request.form['airplane']) or \
- (request.form['ddate'] and inject in request.form['ddate']) or (request.form['dtime'] and inject in request.form['dtime']) or \
- (request.form['aairport'] and inject in request.form['aairport']) or (request.form['adate'] and inject in request.form['adate']) or \
- (request.form['price'] and inject in request.form['price']) or (request.form['atime'] and inject in request.form['atime']):
- print "Warning! SQL Injection!"
- elif depart > arrive:
- error = "Departure time cannot be later than arrival time."
- elif request.form['dairport'] and request.form['ddate'] and request.form['dtime'] and request.form['aairport'] and request.form['adate'] and \
- request.form['atime'] and request.form['price'] and request.form['airplane']:
- query = '''SELECT status FROM flight WHERE airplane_id = ''' + request.form['airplane'] + ''' AND "''' + str(depart) + \
- '''" <= arrival_time AND "''' + str(arrive) + '''" >= departure_time'''
- #print query
- cursor.execute(query)
- data = cursor.fetchall()
- #print data
- if data:
- error = "There is already a flight for Airplane " + request.form['airplane'] + " between " + str(depart) + " and " + str(arrive) + "."
- else:
- query = '''INSERT INTO flight VALUES ((SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') + \
- '''"), (SELECT MAX(flight_num) FROM flight as f1, airline_staff WHERE username = "''' + session.get('email') + \
- '''" AND airline_staff.airline_name = f1.airline_name)+1, "''' + request.form['dairport'] + '''", "''' + request.form['ddate'] + \
- ''' ''' + request.form['dtime'] + ''':00", "''' + request.form['aairport'] + '''", "''' + request.form['adate'] + \
- ''' ''' + request.form['atime'] + ''':00", ''' + request.form['price'] + ''', "Upcoming", ''' + request.form['airplane'] + ''')'''
- print query
- cursor.execute(query)
- data = cursor.fetchall()
- conn.commit()
- error = "New flight for Airplane " + request.form['airplane'] + " between " + str(depart) + " and " + str(arrive) + " has been successfully added."
- elif request.args.get('type') == "change":
- if (request.form['status'] and inject in request.form['status']) or (request.form['airplane'] and inject in request.form['airplane']):
- print "Warning! SQL Injection!"
- else:
- query = '''UPDATE flight SET status = "''' + request.form['status'] + '''" WHERE flight_num = ''' + request.form['airplane']
- cursor.execute(query)
- data = cursor.fetchall()
- conn.commit()
- if request.args.get('type') == "create":
- ret = ""
- query = '''SELECT airplane_id, seats FROM airplane, airline_staff WHERE airline_staff.username = "''' + session.get('email') + \
- '''" AND airline_staff.airline_name = airplane.airline_name'''
- cursor.execute(query)
- data = cursor.fetchall()
- query = '''SELECT flight_num, departure_airport, departure_time, arrival_airport, arrival_time, status
- FROM flight WHERE DATE(departure_time) > "''' + (datetime.datetime.now() + datetime.timedelta(-30)).strftime("%Y-%m-%d") + '''"
- AND status != "Completed"'''
- cursor.execute(query)
- search_data = cursor.fetchall()
- for x in search_data:
- search += "<tr>"
- for y in x:
- search += "<td>" + str(y) + "</td>"
- search += "</tr>"
- for x in data:
- ret += "<option value=\"" + str(x[0]) + "\"> Airplane " + str(x[0]) + ": " + str(x[1]) + " Seats</option>"
- cursor.close()
- return render_template('flight.html', search=search, airplane=ret, dairport=airport("departure"), aairport=airport("arrival"), today=datetime.datetime.now(), error=error)
- elif request.args.get('type') == "change":
- query = '''SELECT flight_num, status FROM flight, airline_staff WHERE airline_staff.username = "''' + session.get('email') + \
- '''" AND airline_staff.airline_name = flight.airline_name AND (status='Upcoming' OR status='Delayed' OR status='In-Progress')'''
- cursor.execute(query)
- data = cursor.fetchall()
- for x in data:
- ret += "<option value=\"" + str(x[0]) + "\"> Flight " + str(x[0]) + ": " + str(x[1]) + "</option>"
- cursor.close()
- return render_template('flight.html', airplane=ret)
- else:
- cursor.close()
- return render_template('flight.html')
- @app.route('/add', methods=['GET', 'POST'])
- def add():
- if not session.get('logged_in') or session.get('type') != "staff":
- return redirect('/')
- if request.args.get('type'):
- redir = "add?type=" + request.args.get('type')
- error = None
- ret = ""
- conn = mysql.connect()
- cursor = conn.cursor()
- if request.method == 'POST':
- if request.args.get('type') == "airplane":
- if request.form['seats']:
- if inject in request.form['seats']:
- print "Warning! SQL Injection!"
- else:
- query = '''INSERT INTO airplane VALUES ((SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') + \
- '''"), (SELECT MAX(airplane_id) from airplane as a1)+1, ''' + request.form['seats'] + ''')'''
- cursor.execute(query)
- data = cursor.fetchall()
- conn.commit()
- elif request.args.get('type') == "airport":
- if request.form['name'] and request.form['city']:
- if inject in request.form['name'] or inject in request.form['city']:
- print "Warning! SQL Injection!"
- else:
- query = '''INSERT INTO airport VALUES ("''' + request.form['name'] + '''", "''' + request.form['city'] + '''")'''
- cursor.execute(query)
- data = cursor.fetchall()
- conn.commit()
- if request.args.get('type'):
- if request.args.get('type') == "airplane":
- query = '''SELECT airplane_id, seats FROM airplane, airline_staff WHERE airline_staff.username = "''' + session.get('email') + \
- '''" AND airline_staff.airline_name = airplane.airline_name'''
- cursor.execute(query)
- data = cursor.fetchall()
- elif request.args.get('type') == "airport":
- query = '''SELECT * FROM airport'''
- cursor.execute(query)
- data = cursor.fetchall()
- for x in data:
- ret += "<tr>"
- for y in x:
- ret += "<td>" + str(y) + "</td>"
- ret += "</tr>"
- cursor.close()
- return render_template('add.html', error=error, data=ret)
- else:
- cursor.close()
- return render_template('add.html')
- @app.route('/viewagent')
- def viewagent():
- if not session.get('logged_in') or session.get('type') != "staff":
- return redirect('/')
- ret1 = ""
- ret2 = ""
- cursor = mysql.connect().cursor()
- query = '''SELECT booking_agent_id, count(ticket_id) FROM purchases WHERE booking_agent_id IS NOT NULL AND purchase_date >= "''' + \
- (datetime.datetime.now() + datetime.timedelta(-30)).strftime("%Y-%m-%d") + '''" GROUP BY booking_agent_id ORDER BY count(ticket_id) DESC LIMIT 5'''
- cursor.execute(query)
- month_sale = cursor.fetchall()
- query = '''SELECT booking_agent_id, count(ticket_id) FROM purchases WHERE booking_agent_id IS NOT NULL AND purchase_date >= "''' + \
- (datetime.datetime.now() + datetime.timedelta(-365)).strftime("%Y-%m-%d") + '''" GROUP BY booking_agent_id ORDER BY count(ticket_id) DESC LIMIT 5'''
- cursor.execute(query)
- year_sale = cursor.fetchall()
- query = '''SELECT booking_agent_id, SUM(price) FROM purchases, flight, ticket WHERE booking_agent_id IS NOT NULL AND purchase_date >= "''' + \
- (datetime.datetime.now() + datetime.timedelta(-365)).strftime("%Y-%m-%d") + '''" AND purchases.ticket_id = ticket.ticket_id
- AND flight.flight_num = ticket.flight_num GROUP BY booking_agent_id ORDER BY SUM(price) DESC LIMIT 5'''
- cursor.execute(query)
- year_commission = cursor.fetchall()
- query = '''SELECT booking_agent_id, count(ticket_id) FROM purchases WHERE booking_agent_id IS NOT NULL AND purchase_date >= "''' + \
- (datetime.datetime.now() + datetime.timedelta(-30)).strftime("%Y-%m-%d") + '''" GROUP BY booking_agent_id ORDER BY booking_agent_id DESC LIMIT 5'''
- cursor.execute(query)
- all1 = cursor.fetchall()
- query = '''SELECT booking_agent_id, count(ticket_id) FROM purchases WHERE booking_agent_id IS NOT NULL AND purchase_date >= "''' + \
- (datetime.datetime.now() + datetime.timedelta(-365)).strftime("%Y-%m-%d") + '''" GROUP BY booking_agent_id ORDER BY booking_agent_id DESC LIMIT 5'''
- cursor.execute(query)
- all2 = cursor.fetchall()
- query = '''SELECT booking_agent_id, SUM(price) FROM purchases, flight, ticket WHERE booking_agent_id IS NOT NULL AND purchase_date >= "''' + \
- (datetime.datetime.now() + datetime.timedelta(-365)).strftime("%Y-%m-%d") + '''" AND purchases.ticket_id = ticket.ticket_id
- AND flight.flight_num = ticket.flight_num GROUP BY booking_agent_id ORDER BY booking_agent_id DESC LIMIT 5'''
- cursor.execute(query)
- all3 = cursor.fetchall()
- for x in xrange(0,len(month_sale)):
- ret1 += "<tr><td>" + str(month_sale[x][0]) + "</td><td>" + str(month_sale[x][1]) + \
- "</td><td>" + str(year_sale[x][0]) + "</td><td>" + str(year_sale[x][1]) + \
- "</td><td>" + str(year_sale[x][0]) + "</td><td>" + str(year_commission[x][1]) + "</td></tr>"
- for x in xrange(0,len(all1)):
- ret2 += "<tr><td>" + str(all1[x][0]) + "</td><td>" + str(all1[x][1]) + \
- "</td><td>" + str(all2[x][1]) + "</td><td>" + str(all3[x][1]) + "</td></tr>"
- cursor.close()
- return render_template('viewagent.html', top=ret1, all_agent=ret2)
- @app.route('/freqcustomer')
- def freqcustomers():
- if not session.get('logged_in') or session.get('type') != "staff":
- return redirect('/')
- error = None
- ret1 = ""
- ret2 = ""
- customer = False
- cursor = mysql.connect().cursor()
- query = '''SELECT customer_email, COUNT(purchases.ticket_id) FROM purchases, ticket WHERE purchases.ticket_id = ticket.ticket_id AND ticket.airline_name =
- (SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') +'''") GROUP BY customer_email ORDER BY COUNT(ticket_id) DESC LIMIT 10'''
- cursor.execute(query)
- top1 = cursor.fetchall()
- query = '''SELECT customer_email, COUNT(purchases.ticket_id) FROM purchases, ticket WHERE purchases.ticket_id = ticket.ticket_id AND ticket.airline_name =
- (SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') +'''") AND purchase_date >= "''' + \
- (datetime.datetime.now() + datetime.timedelta(-365)).strftime("%Y-%m-%d") + '''" GROUP BY customer_email ORDER BY COUNT(ticket_id) DESC LIMIT 10'''
- cursor.execute(query)
- top2 = cursor.fetchall()
- for x in xrange(0,len(top1)):
- ret1 += "<tr><td><a href='?email=" + str(top1[x][0]) + "'>" + str(top1[x][0]) + "</a></td><td>" + str(top1[x][1]) + \
- "</td><td><a href='?email=" + str(top2[x][0]) + "'>" + str(top2[x][0]) + "</a></td><td>" + str(top2[x][1]) + "</td></tr>"
- #print request.args.get('email')
- if request.args.get('email'):
- for x in xrange(0,len(top1)):
- if not ([item for item in top1 if request.args.get('email') in item] or [item for item in top2 if request.args.get('email') in item]):
- error = "Email is not in frequent customers."
- break
- if not error:
- query = '''SELECT flight_num FROM purchases NATURAL JOIN ticket WHERE purchases.ticket_id = ticket.ticket_id AND
- ticket.airline_name = (SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') +'''")
- AND customer_email = "''' + request.args.get('email') + '''"'''
- cursor.execute(query)
- data = cursor.fetchall()
- customer = True
- for x in data:
- ret2 += "<tr><td>" + str(x[0]) + "</td></tr>"
- #print ret2
- cursor.close()
- return render_template('freqcustomer.html', top=ret1, customer=ret2, error=error, email=request.args.get('email'))
- @app.route('/report')
- def report():
- if not session.get('logged_in') or session.get('type') != "staff":
- return redirect('/')
- cursor = mysql.connect().cursor()
- initial = datetime.datetime.now() + datetime.timedelta(-30)
- final = datetime.datetime.now()
- if request.args.get('date'):
- initial = datetime.datetime.strptime(request.args.get('date'), '%Y-%m-%d')
- if request.args.get('date'):
- final = datetime.datetime.strptime(request.args.get('date2'), '%Y-%m-%d')
- query = '''SELECT COUNT(purchases.ticket_id) FROM purchases, ticket WHERE purchases.ticket_id = ticket.ticket_id AND ticket.airline_name =
- (SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') +'''") AND DATE(purchase_date) BETWEEN "''' + \
- initial.strftime("%Y-%m-%d") + '''" AND "''' + final.strftime("%Y-%m-%d") + '''"'''
- cursor.execute(query)
- ticket_num = cursor.fetchall()
- loop1 = initial
- loop2 = final
- chart_data = ""
- while loop1 < loop2:
- query = '''SELECT COUNT(purchases.ticket_id) FROM purchases, ticket WHERE purchases.ticket_id = ticket.ticket_id AND ticket.airline_name =
- (SELECT airline_name FROM airline_staff WHERE username = "''' + session.get('email') +'''") AND DATE(purchase_date) BETWEEN "''' + \
- loop1.strftime("%Y-%m-%d") + '''" AND "''' + loop2.strftime("%Y-%m-%d") + '''"'''
- cursor.execute(query)
- chart_data += "['" + loop2.strftime("%Y-%m-%d") + "', " + str(cursor.fetchall()[0][0]) + ", '#" + str(binascii.b2a_hex(os.urandom(3))) + "'],"
- loop2 += datetime.timedelta(-30)
- chart_data = chart_data[:len(chart_data)-1]
- cursor.close()
- return render_template('report.html', date=initial, date2=final, tickets=ticket_num[0][0], chart=chart_data)
- @app.route('/register', methods=['GET', 'POST'])
- def register():
- if session.get('logged_in'):
- return redirect('/')
- if request.args.get('user'):
- redir = "register?user=" + request.args.get('user')
- conn = mysql.connect()
- cursor = conn.cursor()
- error = None
- logged = False
- if request.method == 'POST':
- if request.form['password'] != request.form['password2']:
- error = "Passwords do not match."
- else:
- if request.args.get('user') == "agent":
- if (request.form['email'] and inject in request.form['email']) or (request.form['id'] and inject in request.form['id']):
- print "Warning! SQL Injection!"
- else:
- query = '''SELECT booking_agent_id FROM booking_agent WHERE booking_agent_id = ''' + request.form['id']
- cursor.execute(query)
- data = cursor.fetchall()
- if data:
- error = "Someone has already registered the ID."
- else:
- query = "INSERT INTO booking_agent VALUES ('" + request.form['email'] \
- + "', '" + hashlib.md5(request.form['password']).hexdigest() + "', '" + request.form['id'] + "')"
- logged = True
- cursor.execute(query)
- conn.commit()
- data = cursor.fetchall()
- print data
- print query
- elif request.args.get('user') == "staff":
- if (request.form['username'] and inject in request.form['username']) or (request.form['fname'] and inject in request.form['fname']) or \
- (request.form['lname'] and inject in request.form['lname']) or (request.form['dob'] and inject in request.form['dob']):
- print "Warning! SQL Injection!"
- else:
- query = "INSERT INTO airline_staff VALUES ('" + request.form['username'] \
- + "', '" + hashlib.md5(request.form['password']).hexdigest() + "', '" + request.form['fname'] \
- + "', '" + request.form['lname'] + "', '" + request.form['dob'] + "')"
- logged = True
- cursor.execute(query)
- conn.commit()
- data = cursor.fetchall()
- print data
- print query
- else:
- if (request.form['dob'] and inject in request.form['dob']) or (request.form['email'] and inject in request.form['email']) or \
- (request.form['building'] and inject in request.form['building']) or (request.form['street'] and inject in request.form['street']) or \
- (request.form['city'] and inject in request.form['city']) or (request.form['state'] and inject in request.form['state']) or \
- (request.form['phone'] and inject in request.form['phone']) or (request.form['pnum'] and inject in request.form['pnum']) or \
- (request.form['pdate'] and inject in request.form['pdate']) or (request.form['pcountry'] and inject in request.form['pcountry']) or \
- (request.form['name'] and inject in request.form['name']):
- print "Warning! SQL Injection!"
- else:
- query = "INSERT INTO customer VALUES ('" + request.form['email'] + "', '" + request.form['name'] \
- + "', '" + hashlib.md5(request.form['password']).hexdigest() + "', '" + request.form['building'] + "', '" + request.form['street'] \
- + "', '" + request.form['city'] + "', '" + request.form['state'] + "', '" + request.form['phone'] \
- + "', '" + request.form['pnum'] + "', '" + request.form['pdate'] + "', '" + request.form['pcountry'] \
- + "', '" + request.form['dob'] + "')"
- logged = True
- cursor.execute(query)
- conn.commit()
- data = cursor.fetchall()
- print data
- print query
- if not data and logged:
- session['logged_in'] = True
- session['email'] = request.form['email']
- if request.args.get('user') == "agent":
- session['type'] = "agent"
- elif request.args.get('user') == "staff":
- session['type'] = "staff"
- else:
- session['type'] = "customer"
- return redirect('/')
- elif not error:
- error = "Username or email already exists, or not all forms were filled out."
- cursor.close()
- if request.args.get('user') == "agent":
- return render_template('register.html', error=error, agent=True)
- if request.args.get('user') == "staff":
- return render_template('register.html', error=error, staff=True)
- else:
- return render_template('register.html', error=error)
- @app.route('/login', methods=['GET', 'POST'])
- def login():
- if session.get('logged_in'):
- return redirect('/')
- if request.args.get('user'):
- redir = "login?user=" + request.args.get('user')
- error = None
- if request.method == 'POST':
- if request.form['email'] and inject in request.form['email']:
- query = ""
- print "Warning! SQL Injection!"
- else:
- if request.args.get('user') == "agent":
- query = "SELECT email FROM booking_agent WHERE email=\""
- elif request.args.get('user') == "staff":
- query = "SELECT username FROM airline_staff WHERE username=\""
- else:
- query = "SELECT email FROM customer WHERE email=\""
- query += request.form['email'] + "\" AND password=\"" + hashlib.md5(request.form['password']).hexdigest() + "\""
- cursor = mysql.connect().cursor()
- cursor.execute(query)
- data = cursor.fetchall()
- cursor.close()
- if data:
- session['logged_in'] = True
- session['email'] = request.form['email']
- if request.args.get('user') == "agent":
- session['type'] = "agent"
- elif request.args.get('user') == "staff":
- session['type'] = "staff"
- else:
- session['type'] = "customer"
- return redirect('/')
- else:
- error = "Invalid username/email or password"
- if request.args.get('user') == "agent":
- return render_template('login.html', error=error, ltype="Email", register="agent", ttype="Booking Agent")
- if request.args.get('user') == "staff":
- return render_template('login.html', error=error, ltype="Username", register="staff", ttype="Airline Staff")
- else:
- return render_template('login.html', error=error, ltype="Email", ttype="Customer")
- @app.route('/logout')
- def logout():
- if not session.get('logged_in'):
- return redirect('/')
- args = session['type']
- session['logged_in'] = False
- session['type'] = None
- return redirect('/login?user=' + args)
- @app.route('/')
- def home():
- ret1 = ""
- ret2 = ""
- data1 = dbsearch(None, request.args.get('dcity'), request.args.get('acity'), request.args.get('ddate'))
- data2 = dbsearch(request.args.get('num2'), None, None, request.args.get('ddate2'), request.args.get('adate2'))
- for x in data1:
- ret1 += "<tr>"
- for y in x:
- ret1 += "<td>" + str(y) + "</td>"
- ret1 += "</tr>"
- for x in data2:
- ret2 += "<tr>"
- for y in x:
- ret2 += "<td>" + str(y) + "</td>"
- ret2 += "</tr>"
- return render_template("home.html", dcity = airport("departure"), acity = airport("arrival"), search = ret1, search2 = ret2, \
- ddate=request.args.get('ddate'), ddate2=request.args.get('ddate2'), adate2=request.args.get('adate2'))
- if __name__ == '__main__':
- app.secret_key = os.urandom(12)
- app.run(host='0.0.0.0', port=80)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement