作者:轩轩20110804 | 来源:互联网 | 2023-01-13 13:00
ImtryingtocreatealoginscriptusingSQLitetostoretheuserdata.Anyideasonhowtotothat
I'm trying to create a login script using SQLite to store the user data. Any ideas on how to to that? I have research over hours and found nothing of the kind. I would appreciate any help! :)
我正在尝试使用SQLite创建一个登录脚本来存储用户数据。有什么办法吗?我花了好几个小时做了调查,但什么也没发现。我希望得到任何帮助!:)
This is what I got so far:
这是我到目前为止得到的:
user = raw_input "User:"
pswd = getpass.getpass "Password"
db = sqlite3.connect('/SABB/DATASETS/SENHAS')
c = db.cursor()
c.execute('SELECT 1 from sabb WHERE usuario = "user"')
('SELECT 1 from sabb WHERE senha = "pswd"')
if c.fetchall() is True:
print "Welcome"
else:
print "Login failed"
But it always returns Login failed... I want to check the input "user" and the input "pswd" against the database and if they match, return Welcome.
但它总是返回登录失败……我想对数据库检查输入“user”和输入“pswd”,如果匹配,返回Welcome。
I changed it to:
我把它改为:
db = sqlite3.connect('/SABB/DATASETS/SENHAS')
c = db.cursor()
login = c.execute('SELECT * from sabb WHERE usuario = "user" AND senha = "pswd"')
if (login > 0):
print "Welcome"
else:
print "Login failed"
But I'm still getting Welcome every time. I also tried "if (login == 1)" but then it only returns Login failed.
但我每次都受到欢迎。我也尝试了“if (login = 1)”,但是它只返回login failed。
4 个解决方案
2
From how I've read your source code, you're getting the username and password from your user, but not actually using this anywhere. Instead you'll want to substitute the actual username and password in your WHERE
statements. I believe the code below would be the most pythonic:
从我如何读取你的源代码,你得到用户的用户名和密码,但实际上并没有在任何地方使用。相反,您需要在WHERE语句中替换实际的用户名和密码。我相信下面的代码是最python化的:
# Get login details from user
user = input('User: ')
password = getpass.getpass('Password: ')
# Connect to database
db = sqlite3.connect('path/to/database')
c = db.cursor()
# Execute sql statement and grab all records where the "usuario" and
# "senha" are the same as "user" and "password"
c.execute('SELECT * FROM sabb WHERE usuario = ? AND senha = ?', (user, password))
# If nothing was found then c.fetchall() would be an empty list, which
# evaluates to False
if c.fetchall():
print('Welcome')
else:
print('Login failed')
Please note that you should always the method provided by cursor.execute()
for substituting data entered by a user into a database call. Using the format()
or %
substitution method leaves you open to sql injection.
请注意,您应该始终使用cursor.execute()提供的方法来将用户输入的数据替换为数据库调用。使用format()或%替换方法可以打开sql注入。
Do not do this:
c.execute('SELECT * from sabb WHERE usuario="%s" AND senha="%s"' % (user, pswd))
Imagine if someone passed in:
想象一下如果有人路过:
- User =
Bob
- 用户=鲍勃
- Password =
my_cool_password" OR 1=1; --
- 密码= my_cool_password”或1=1;- - -
The cursor would evaluate: SELECT * from sabb WHERE usuario="Bob" AND senha="my_cool_password" OR 1=1; -- ";
游标将计算:从sabb中选择*,其中usuario="Bob"和senha="my_cool_password"或1=1;——”;
It'd allow me to log in as any user. By trivially changing my input I could execute any command on the database that I wish (including deleting a login, adding a login, dropping the entire table etc).
它允许我以任何用户的身份登录。通过简单地更改输入,我可以在数据库中执行任何我想要的命令(包括删除登录名、添加登录名、删除整个表等等)。