Get started #1
Get started #1
Conversation
| @@ -0,0 +1,6 @@ | |||
| <?xml version="1.0" encoding="UTF-8"?> | |||
There was a problem hiding this comment.
We should probably add a gitignore file
app.js
Outdated
| } | ||
| }); | ||
| app.get('/speaker' , function (req , res) { | ||
| res.sendFile(__dirname + '/www/speaker.html'); |
There was a problem hiding this comment.
How about we use Express's static feature to serve static files? It'll be much cleaner.
app.js
Outdated
| var post = req.body; | ||
| var username = post.user; | ||
| var password = post.password; | ||
| var sql = "SELECT * FROM login WHERE username='"+username+"'"; |
There was a problem hiding this comment.
We should play safe here, you must have heard of SQL Injection. @rewanth1997 knows better.
Let's sanitize user input before sending it to mysql.
app.js
Outdated
| var name = post.speakername; | ||
| var topic = post.topic; | ||
| var description = post.description; | ||
| var sql = "INSERT INTO speaker(name, topic, description, pic_url) values('"+name+"','"+topic+"','"+description+"','/images/"+post.images+"')"; |
There was a problem hiding this comment.
Same sanitization logic applies here.
app.js
Outdated
| }); | ||
| } | ||
| // Starting Server | ||
| server.listen(3000, function(){ |
There was a problem hiding this comment.
We will need this port to be configurable from environment variables, so can use
const port = process.env.PORT || 3000;
server.listen(port, () => ...)
app.js
Outdated
| var name = post.speakername; | ||
| var topic = post.topic; | ||
| var description = post.description; | ||
| var sql = "INSERT INTO speaker(name, topic, description, pic_url) values('"+name+"','"+topic+"','"+description+"','/images/"+post.images+"')"; |
There was a problem hiding this comment.
Template literals make the code cleaner, we can use those here.
https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals
package.json
Outdated
| "description": "backend for tedx nit k", | ||
| "main": "app.js", | ||
| "scripts": { | ||
| "test": "node app.js" |
There was a problem hiding this comment.
Shouldn't this command be start instead of test?
| }); | ||
| </script> | ||
| </body> | ||
| </html> |
There was a problem hiding this comment.
Every file must contain an empty line at the end :)
…jection, env ports add , image upload done
app.js
Outdated
| @@ -9,6 +9,8 @@ var bodyParser = require('body-parser'); | |||
| var session= require('express-session'); | |||
| var multer = require('multer'); | |||
| var mysql = require('mysql'); | |||
| var sanitizeHtml = require('sanitize-html'); | |||
There was a problem hiding this comment.
This is cool, we'd also like to prevent sql injections
app.js
Outdated
| }); | ||
| } | ||
| function insertVideo(req , res ) { | ||
| var post = req.body; |
There was a problem hiding this comment.
Let's use let and const instead of var
There was a problem hiding this comment.
This is nice start @nkkumawat.
Here are a few tips:
- Make sure you follow the same style of coding in all your files.
- Assign appropriate names to the API endpoints and other variables.
- Use appropriate commit messages, so that it will be easy for us to review your code.
Do not push multiple parts of code into a single commit message like this, "sanitizition before sql injection, env ports add , image upload done". This is a very bad way to do commit messages.
Instead prefer using single commit message for each change, it makes easy for us to review the code. Before merging them into the master branch we can squash the commits to make the code look more elegant.
app.js
Outdated
| resave: true, | ||
| saveUninitialized: true | ||
| })); | ||
| var Storage = multer.diskStorage({ |
There was a problem hiding this comment.
Why is this in variable starting with Caps letter? Any special reason, if not use small case.
app.js
Outdated
| }); | ||
| }); | ||
| app.post("/videoinsert", function(req, res) { | ||
| insertVideo(req , res); |
There was a problem hiding this comment.
Prefer not to use create functions if you are not reusing the code. Insert the code here itself.
There was a problem hiding this comment.
You used the same style of coding everywhere. Change it wherever required.
app.js
Outdated
| insertVideo(req , res); | ||
| }); | ||
| function login(req,res){ | ||
| var post = req.body; |
There was a problem hiding this comment.
Use appropriate names is wherever required. Its the standard way of coding.
const body = req.body
app.js
Outdated
| var url = post.url; | ||
| title = sanitizeHtml(title); | ||
| description = sanitizeHtml(description); | ||
| var sql = "INSERT INTO videos(title, description, video_url) values('"+title+"','"+description+"','"+url+"')"; |
There was a problem hiding this comment.
url variable is not sanitized. This type of SQL query is easily prone to attacks. Make sure to sanitize each and every parameter.
| "path": "^0.12.7", | ||
| "sanitize-html": "^1.14.1" | ||
| } | ||
| } |
There was a problem hiding this comment.
Add new lines at EOF, asap.
| color: white; | ||
| font-family: hBold; | ||
| border: 1px solid rgba(0, 0, 0, 0.1); | ||
| } |
There was a problem hiding this comment.
This is a common mistake I observed in most of your code. If you plan to use \n after each block, follow same style of coding in all your files. Here there is no newline after the block of code but at lines 34, 38, etc.. you have used new line. Better use newline after each and every block of code.
Apply this fix to all the other files.
| var pass = $("#pass"); | ||
| var error = $("#error"); | ||
| $(".btn").click(function(){ | ||
| console.log(pass.val()); |
There was a problem hiding this comment.
Make sure to delete these kind of console logs after testing, which expose sensitive data to the end user.
www/login.html
Outdated
| var error = $("#error"); | ||
| $(".btn").click(function(){ | ||
| console.log(pass.val()); | ||
| var data = {"user": ""+user.val()+"" , "password":""+ pass.val()+""}; |
There was a problem hiding this comment.
Why is this inline code so complex? Instead you can use an elegant code like this,
const data = {
"user" : user.val(),
"password" : pass.val()
}
Try to make your code as simple as possible.
app.js
Outdated
| app.get('/speaker' , function (req , res) { | ||
| res.sendFile(__dirname + '/www/speaker.html'); | ||
| }); | ||
| app.post('/speaker' , function (req , res) { |
There was a problem hiding this comment.
Since you are returning the list of all speakers, the endpoint must be '/speakers' instead of '/speaker'.
If you are returning details of only one speaker then you can use '/speaker'.
app.js
Outdated
| res.redirect("/login"); | ||
| }); | ||
| app.post('/getuser' , function (req , res) { | ||
| res.send({"username" : req.session.user}); |
There was a problem hiding this comment.
If req.session.user returns only username then change req.session.user to req.session.username.
If req.session.user returns any extra data apart from username then change "username" to "user".
Make sure you keep the naming conventions appropriate.
app.js
Outdated
| console.log(req.session.user); | ||
| if(!req.session.user) { | ||
| console.log("Admin"); | ||
| if(!req.session.username) { | ||
| res.redirect('/login'); |
There was a problem hiding this comment.
We can put all routes in single file, since they'll be reused everywhere.
app.js
Outdated
| res.sendFile(__dirname + '/www/speaker.html'); | ||
| }); | ||
| app.post('/speaker' , function (req , res) { | ||
| app.post('/speakers' , function (req , res) { |
There was a problem hiding this comment.
This should be get method, since we are getting list of speakers.
Let's not merge API and static pages, we can put all api requests under /api/* route.
app.js
Outdated
| }); | ||
| }); | ||
| app.post("/speakerinsert", function(req, res) { | ||
| app.post("/speaker-insert", function(req, res) { |
There was a problem hiding this comment.
This should be a POST request to /speakers.
app.js
Outdated
| res.send({"username" : req.session.user}); | ||
| res.send({ | ||
| "username" : req.session.username | ||
| }); | ||
| }); | ||
| app.get('/blog' , function (req , res) { |
There was a problem hiding this comment.
Static pages should not be handled by api, if required, we can have a separate file for serving static files.
app.js
Outdated
| description = sanitizeHtml(description); | ||
| var sql = "INSERT INTO videos(title, description, video_url) values('"+title+"','"+description+"','"+url+"')"; | ||
| }); | ||
| app.post("/delete-video", function(req, res) { |
There was a problem hiding this comment.
What if we make this DELETE instead of POST and URL to be /video/<id>.
| app.post("/delete-video", function(req, res) { | ||
| const post = req.body; | ||
| const videoTitle = sanitizeHtml(post.videoTitle); | ||
| var sql = "Delete from videos where title = '" + videoTitle +"'" ; |
There was a problem hiding this comment.
We would probably want to add some auth here in future.
app.js
Outdated
| app.post("/delete-speaker", function(req, res) { | ||
| const post = req.body; | ||
| const speakerName = sanitizeHtml(post.speakerName); | ||
| var sql = "Delete from speaker where name = '" + speakerName +"'" ; | ||
| con.query(sql, function (err, result, fields) { | ||
| res.redirect('/admin'); |
There was a problem hiding this comment.
Stick with one convention, either double or single quotes.
A linter will be really helpful.
@nkkumawat 's first PR