[英]Changing user's password using Flask and SQLite
I am trying to implement a function to change the user's password.我正在尝试实现一个 function 来更改用户的密码。 I am storing only the hash in DB not the password and I want to ask the user to enter the old password first then the new one.
我只在数据库中存储 hash 而不是密码,我想要求用户先输入旧密码,然后再输入新密码。 I want to check if the old password's hash is matching the one stored in DB and if so, to update it with the new one.
我想检查旧密码的 hash 是否与存储在数据库中的密码匹配,如果是,则使用新密码对其进行更新。 I am doing something wrong as the code is not passing the validation checks and I am having an error: "Invalid password".
我做错了,因为代码未通过验证检查,并且出现错误:“密码无效”。 Any help, would be appreciated.
任何帮助,将不胜感激。
@app.route("/change_password", methods=["GET", "POST"])
@login_required
def change_password():
user_id=session["user_id"]
if request.method=="POST":
password = request.form.get("password")
hash = generate_password_hash(password)
new_password = request.form.get("new_password")
confirm_new_password = request.form.get("confirm_new_password")
new_hash = generate_password_hash(new_password)
#Validations:
if not password:
return apology("must provide password", 400)
if not new_password:
return apology("must provide a new password", 400)
#Ensure password confirmation is provided
if not confirm_new_password:
return apology("must confirm new password", 400)
#Check if new password matches
if new_password!= confirm_new_password:
return apology("password does not match", 400)
# Query database for the current password
rows = db.execute("SELECT * FROM users WHERE hash = ?", hash)
# Ensure username exists and password is correct
if len(rows) != 1:
return apology("invalid password", 400)
#Update DB with the new_hash
else:
db.execute ("UPDATE users SET hash=:new_hash WHERE id=:id", new_hash = new_hash, id = user_id)
return redirect("/")
else:
return render_template("change_password.html")
There are quite some problems with your code...你的代码有很多问题......
The biggest problem最大的问题
rows = db.execute("SELECT * FROM users WHERE hash = ?", hash)
You have to search for the user name, not for the hash,,, Imagine.您必须搜索用户名,而不是 hash,,, Imagine。 two users have the same password.
两个用户有相同的密码。 or a user enters the wrong password.
或者用户输入了错误的密码。 but that is the password of another user...
但那是另一个用户的密码...
I never used direct access to sqlite, only via sqlalchemy, but from a quick look at the docs ( https://docs.python.org/3/library/sqlite3.html#sqlite3.Cursor.executemany ) db.execute
does not return eg rows, but you need to query it. I never used direct access to sqlite, only via sqlalchemy, but from a quick look at the docs ( https://docs.python.org/3/library/sqlite3.html#sqlite3.Cursor.executemany )
db.execute
does not返回例如行,但您需要查询它。
eg after your db.execute
you need to do a db.fetchone
or db.fetchall
, see above linked documentation.例如,在您的
db.execute
之后,您需要执行db.fetchone
或db.fetchall
,请参阅上面的链接文档。
Also, the order of your code could be improved.此外,可以改进代码的顺序。
eg first, you generate the hash of a new password, and then afterwards you check whether there is a password at all - this should be switched.例如,首先,您生成新密码的 hash,然后检查是否有密码 - 这应该切换。
Speaking of validation, much of it could be done via eg flask-wtforms, so you don't need so much validation code on your own.说到验证,大部分都可以通过例如flask-wtforms 来完成,因此您自己不需要那么多验证代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.