Nov 11: WTForms, SQL Injection

Learning Objectives

After today's class, you should be able to:

  • Demonstrate how to perform and prevent an SQL injection attack.
  • Explain how Flask App Builder uses WTForms.
  • Create a simple FormView for your webapp.

Lesson Outline

Announcements [10 min]

  • New file/code structure in profs repository
    • models.py is now the models package
    • views.py is now the views package
    • menu.py (new file) builds the menu

Mini Lecture [25 min]

SQL Injection and Security

Example vulnerable application:

  • hack.py
  • hack.html
    • Input 1: '; DROP TABLE account; --
    • Input 2: <script>alert("Hi");</script>

WTForms and FormViews [20 min]

Project Work Time [20 min]

  • Refactor your code (break up models.py, views.py)
  • Determine what form(s) you would like for Thursday

Your To-Do List

  • Begin reading sections 1.8, 1.10 and 1.11 in the book
  • Due Thursday before noon: GP5 via GitHub
    • Be prepared to demo your app to your peers in Thursday's class!