-
Notifications
You must be signed in to change notification settings - Fork 0
/
app.py
100 lines (84 loc) · 3.52 KB
/
app.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
from flask import Flask, render_template, redirect, url_for, flash, request, session
from flask_sqlalchemy import SQLAlchemy
from werkzeug.security import generate_password_hash, check_password_hash
app = Flask(__name__)
app.config['SECRET_KEY'] = 'your_secret_key' # Replace with a strong secret key
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///site.db'
db = SQLAlchemy(app)
# User model
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(150), unique=True, nullable=False)
password = db.Column(db.String(150), nullable=False)
# Order model
class Order(db.Model):
id = db.Column(db.Integer, primary_key=True)
product_id = db.Column(db.Integer, nullable=False)
quantity = db.Column(db.Integer, nullable=False)
total_price = db.Column(db.Float, nullable=False)
user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)
@app.route('/')
def home():
return render_template('index.html')
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
user = User.query.filter_by(username=username).first()
if user and check_password_hash(user.password, password):
session['user_id'] = user.id
flash('Login successful!', 'success')
return redirect(url_for('home'))
else:
flash('Login failed. Check your username and/or password.', 'danger')
return render_template('login.html')
@app.route('/register', methods=['GET', 'POST'])
def register():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
hashed_password = generate_password_hash(password, method='sha256')
new_user = User(username=username, password=hashed_password)
db.session.add(new_user)
db.session.commit()
flash('Account created successfully!', 'success')
return redirect(url_for('login'))
return render_template('register.html')
@app.route('/cart')
def cart():
if 'user_id' not in session:
flash('Please log in to view your cart.', 'warning')
return redirect(url_for('login'))
user_id = session['user_id']
orders = Order.query.filter_by(user_id=user_id).all()
return render_template('cart.html', orders=orders)
@app.route('/remove_from_cart', methods=['POST'])
def remove_from_cart():
if 'user_id' not in session:
flash('Please log in to modify your cart.', 'warning')
return redirect(url_for('login'))
order_id = request.form['order_id']
order = Order.query.get(order_id)
if order:
db.session.delete(order)
db.session.commit()
flash('Item removed from cart.', 'success')
else:
flash('Item not found.', 'danger')
return redirect(url_for('cart'))
@app.route('/checkout')
def checkout():
if 'user_id' not in session:
flash('Please log in to checkout.', 'warning')
return redirect(url_for('login'))
user_id = session['user_id']
orders = Order.query.filter_by(user_id=user_id).all()
total = sum(order.total_price for order in orders)
# Vulnerability: No verification of price
flash(f'Total amount: ${total}', 'info')
return redirect(url_for('home'))
if __name__ == '__main__':
with app.app_context():
db.create_all()
app.run(debug=True)