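:::spoiler
```
from blade import Blade


# NOTE(review): this listing mirrors the Java Blade example rather than runnable
# Python: `username = ...` inside a lambda's tuple is not valid Python syntax and
# `Application` is never defined. Treat it as illustrative pseudo-code.
def main(args):
    Blade.of() \
        .get("/login", lambda ctx: ctx.render("login.html")) \
        .get("/logout", lambda ctx: (
            ctx.session().remove("login_user"),
            ctx.redirect("/login")
        )) \
        .post("/login", lambda ctx: (
            username = ctx.formParam("username"),
            ctx.text(username + "登入成功")
        )) \
        .get("/transfer", transfer) \
        .post("/transfer", transfer) \
        .start(Application, args)


def transfer(ctx):
    # Only proceeds when the session carries a login marker; otherwise answers
    # with a "log in first" message.
    username = ctx.session().attribute("login_user")
    if username == None:
        print("用戶未登入!")
        ctx.text("登入後操作!")
        return
    # Both values come straight from the request and are echoed back in the
    # response without escaping.
    toUser = ctx.formParam("to_user")
    money = ctx.formParamToInt("money")
    msg = username + "給[" + toUser + "] 轉帳" + str(money) + "元成功"
    print(msg)
    ctx.text(msg)


if __name__ == "__main__":
    main(None)
```
:::

:::spoiler
```
from flask import Flask, request, session, redirect,render_template

# NOTE(review): no app.secret_key is set here, yet /logout writes to `session`;
# Flask refuses session writes without a secret key, so logout fails at runtime
# (the last listing on this page adds one).
app = Flask(__name__)


@app.route('/login')
def login():
    # Serve the login form (see login.html below).
    return render_template('login.html')


@app.route('/logout')
def logout():
    # Drop the login marker and send the browser back to the form.
    session.pop('login_user', None)
    return redirect('/login')


@app.route('/login', methods=['POST'])
def login_post():
    # Echoes the submitted username back verbatim in the response body. Nothing
    # is stored in the session, so /transfer below always sees the user as
    # logged out. The raw echo of a form field is the reflected-XSS case this
    # page covers; rendering through a template or wrapping the value in
    # markupsafe.escape() neutralizes it. When the field is absent `username`
    # is None and the concatenation raises TypeError.
    username = request.form.get('username')
    return username + '登入成功'


@app.route('/transfer', methods=['GET', 'POST'])
def transfer():
    # A state-changing action gated only on the session cookie: no CSRF token is
    # checked, and `to_user` is echoed back unescaped like `username` above.
    username = session.get('login_user')
    if username is None:
        print('用戶未登入!')
        return '登入後操作!'
    # On GET request.form is empty, so `to_user` is None and int(None) raises
    # TypeError (a non-numeric value raises ValueError): an HTTP 500 instead of
    # a validation message.
    to_user = request.form.get('to_user')
    money = int(request.form.get('money'))
    msg = f'{username}給[{to_user}] 轉帳{money}元成功'
    print(msg)
    return msg


if __name__ == '__main__':
    app.run()
```
:::

### login.html

:::spoiler 程式碼
```
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <h1>Login</h1>
    <form action="/login" method="POST">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" required><br><br>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required><br><br>
        <input type="submit" value="Login">
    </form>
</body>
</html>
```
:::

---

xss 反射型 儲存型 long tipe

:::spoiler
```
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <h1>Login</h1>
    <form action="/login" method="POST">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" required><br><br>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required><br><br>
        <input type="submit" value="Login">
    </form>
</body>
</html>
```
:::

:::spoiler https://www.kjnotes.com/devtools/54
```
from flask import Flask, request, session, redirect,render_template
import pymysql

# NOTE(review): the first positional argument of pymysql.connect is the host.
# port=5000 is the Flask dev-server port; MySQL listens on 3306 by default (the
# next listing uses 3306), so this value is most likely a copy error. The
# credentials are hard-coded (root, empty password) and should come from the
# environment in anything beyond a local demo.
connect_db = pymysql.connect('localhost', port=5000, user='root', passwd='', charset='utf8', db='pydb')

# Table setup runs once at import time; the routes below never touch the DB,
# and the only connection is closed before the app starts.
with connect_db.cursor() as cursor:
    sql = """
    CREATE TABLE IF NOT EXISTS Member(
        ID int NOT NULL AUTO_INCREMENT PRIMARY KEY,
        Name varchar(20),
        Height int(6),
        Weight int(6)
    );
    """
    # execute the SQL statement
    cursor.execute(sql)
    # commit to the database
    connect_db.commit()
# close the database connection
connect_db.close()

# NOTE(review): as in the previous listing, no app.secret_key is set although
# /logout writes to `session`.
app = Flask(__name__)


@app.route('/login')
def login():
    return render_template('login.html')


@app.route('/logout')
def logout():
    session.pop('login_user', None)
    return redirect('/login')


@app.route('/login', methods=['POST'])
def login_post():
    # Same reflected echo of an unescaped form field as above; the session is
    # still never populated.
    username = request.form.get('username')
    return username + '登入成功'


@app.route('/transfer', methods=['GET', 'POST'])
def transfer():
    username = session.get('login_user')
    if username is None:
        print('用戶未登入!')
        return '登入後操作!'
    # int() on a missing or non-numeric `money` raises and yields an HTTP 500.
    to_user = request.form.get('to_user')
    money = int(request.form.get('money'))
    msg = f'{username}給[{to_user}] 轉帳{money}元成功'
    print(msg)
    return msg


if __name__ == '__main__':
    app.run()
```
:::

:::spoiler
```
from flask import Flask, request, session, redirect, render_template
import pymysql

app = Flask(__name__)
# NOTE(review): placeholder value; a real deployment loads the secret key from
# the environment or a secrets store rather than committing it in source.
app.secret_key = "your_secret_key_here"  # Add a secret key for session management


def connect_to_db():
    # Opens a fresh connection per call; callers are responsible for closing it.
    return pymysql.connect(host='localhost', port=3306, user='root', passwd='', charset='utf8', db='pydb')


def create_member_table():
    # NOTE(review): the `with` closes only the cursor; the connection returned by
    # connect_to_db() is never committed or closed here, so the handle leaks.
    with connect_to_db().cursor() as cursor:
        sql = """
        CREATE TABLE IF NOT EXISTS Member(
            ID int NOT NULL AUTO_INCREMENT PRIMARY KEY,
            Name varchar(20),
            Height int,
            Weight int
        );
        """
        cursor.execute(sql)


@app.route('/login')
def login():
    return render_template('login.html')


@app.route('/logout')
def logout():
    session.pop('login_user', None)
    return redirect('/login')


@app.route('/login', methods=['POST'])
def login_post():
    # The f-string still places the raw form value into the response body, so
    # the reflected-XSS behaviour of the earlier listings is unchanged.
    username = request.form.get('username')
    # You might want to add session management logic here
    return f"{username} logged in successfully"


@app.route('/transfer', methods=['GET', 'POST'])
def transfer():
    # Still no CSRF check on this state-changing POST, and `to_user` is echoed
    # back unescaped; int() on a missing/non-numeric `money` raises (HTTP 500).
    username = session.get('login_user')
    if username is None:
        print('User not logged in!')
        return 'Operation requires login!'
    to_user = request.form.get('to_user')
    money = int(request.form.get('money'))
    msg = f'{username} transferred {money} yuan to [{to_user}] successfully'
    print(msg)
    return msg


if __name__ == '__main__':
    create_member_table()  # Create the table before running the app
    app.run()
```
:::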