From 83775b716f5eb0f0b7eafe6b006bb6a2d3506372 Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Tue, 1 Apr 2025 18:01:58 -0600
Subject: [PATCH] Add server-side input validation

- Validate that first_name, last_name, email, and location are provided
- Add regex-based email format validation in app.py
- Display error messages on the guestbook form if validation fails

These changes help ensure that only properly formatted data is stored.
---
 app.py | 50 ++++++++++++++++++++++++++++++++------------
 templates/index.html | 3 +++
 2 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/app.py b/app.py
index af32642..a237dc5 100644
--- a/app.py
+++ b/app.py
@@ -1,5 +1,6 @@
 from flask import Flask, render_template, request, redirect, url_for
 import sqlite3
+import re
 
 app = Flask(__name__)
 DATABASE = 'guestbook.db'
@@ -20,30 +21,53 @@ def init_db():
 conn.commit()
 conn.close()
 
+def is_valid_email(email):
+ # A simple regex for basic email validation
+ pattern = r'^[\w\.-]+@[\w\.-]+\.\w+$'
+ return re.match(pattern, email)
+
 @app.route('/', methods=['GET', 'POST'])
 def index():
+ error = None
 if request.method == 'POST':
- first_name = request.form.get('first_name')
- last_name = request.form.get('last_name')
- email = request.form.get('email')
- location = request.form.get('location')
- if first_name and last_name and email and location:
+ first_name = request.form.get('first_name', '').strip()
+ last_name = request.form.get('last_name', '').strip()
+ email = request.form.get('email', '').strip()
+ location = request.form.get('location', '').strip()
+
+ # Basic validation checks
+ if not (first_name and last_name and email and location):
+ error = "All fields are required."
+ elif not is_valid_email(email):
+ error = "Invalid email address."
+
+ if error:
+ # Retrieve guest entries to display on the page.
 conn = sqlite3.connect(DATABASE)
 c = conn.cursor()
- c.execute(
- 'INSERT INTO guests (first_name, last_name, email, location) VALUES (?, ?, ?, ?)',
- (first_name, last_name, email, location)
- )
- conn.commit()
+ c.execute('SELECT first_name, location FROM guests ORDER BY id DESC')
+ guests = c.fetchall()
 conn.close()
- return redirect(url_for('index'))
- # Retrieve guest entries to display only first name and location.
+ return render_template('index.html', error=error, guests=guests)
+
+ # If all validations pass, insert the data into the database.
+ conn = sqlite3.connect(DATABASE)
+ c = conn.cursor()
+ c.execute(
+ 'INSERT INTO guests (first_name, last_name, email, location) VALUES (?, ?, ?, ?)',
+ (first_name, last_name, email, location)
+ )
+ conn.commit()
+ conn.close()
+ return redirect(url_for('index'))
+
+ # For GET requests, retrieve guest entries to display.
 conn = sqlite3.connect(DATABASE)
 c = conn.cursor()
 c.execute('SELECT first_name, location FROM guests ORDER BY id DESC')
 guests = c.fetchall()
 conn.close()
- return render_template('index.html', guests=guests)
+ return render_template('index.html', error=error, guests=guests)
 
 if __name__ == '__main__':
 init_db()
diff --git a/templates/index.html b/templates/index.html
index 8178e14..93d598a 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -8,6 +8,9 @@
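Review bot: The new validation block in `index()` checks only that the four fields are non-empty, so a value of any length up to the request size limit passes `if not (first_name and last_name and email and location)` and is written straight into the database; add a maximum-length check next to the emptiness check so oversized input is rejected with the same error path. `is_valid_email` uses `re.match`, whose `$` also matches before a trailing newline, and returns a `Match` object rather than a bool; `re.fullmatch(...) is not None` is stricter and reads as a predicate (the `\.` escapes inside the character class are redundant). When validation fails the page is re-rendered with an implicit 200, so rejected submissions are indistinguishable from successful ones in access logs and to clients; return `..., 400` on that branch. The three copies of the connect/cursor/close sequence also leave the connection open if `execute` raises — a small helper wrapped in `contextlib.closing(sqlite3.connect(DATABASE))` would remove both the duplication and the leak.

```python
MAX_FIELD_LEN = 200  # constructed example bound; size it to the guests table columns

def is_valid_email(email):
    """Return True when *email* loosely matches local@domain.tld over the whole string."""
    # fullmatch avoids the '$'-before-trailing-newline quirk of re.match and yields a bool
    return re.fullmatch(r'[\w.-]+@[\w.-]+\.\w+', email) is not None

# … unchanged: route decorator, error = None, form field reads …
        if not (first_name and last_name and email and location):
            error = "All fields are required."
        elif any(len(v) > MAX_FIELD_LEN for v in (first_name, last_name, email, location)):
            error = "Input is too long."
        elif not is_valid_email(email):
            error = "Invalid email address."

        if error:
            # … unchanged: SELECT of guests for re-rendering …
            return render_template('index.html', error=error, guests=guests), 400
```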

Museum Visitor Guestbook

+ {% if error %} +
{{ error }}
+ {% endif %}