
Password encryption Python Flask

Currently I'm working on a project where I made a registration form which is connected to a MySQL database. The project is written in Python with Flask.

I have figured out how to send information to the DB, and how to hash the passwords chosen on the register page. However, I'm struggling to find out how to log in with an account with a hashed password.

If I try to log in with an account with a hashed password, I first need to log in with the unhashed password, which is then hashed and compared to the hashed password in the database. But this doesn't work.

From my understanding, this is where you find the username and password, which are filled out on the login page:

username = request.form['username']
password = request.form['password']

So, after this step you should encrypt it to match the hashed password in the DB:

password = b'password'

hashed_password = bcrypt.hashpw(password, bcrypt.gensalt())

Then, you should compare it:

if bcrypt.checkpw(password, hashed_password):
    print("It matches!")
    return redirect(url_for('home'))
else:
    print("Didn't match")

But this is not working. I can't log in with the given password, only with a hashed password. Where is the mistake made in the encryption? Full code snippet:

def login():
    # Output message if something goes wrong...
    msg = ''

    # Check if "username" and "password" POST requests exist (user submitted form)
    if request.method == 'POST' and 'username' in request.form and 'password' in request.form:
        # Create variables for easy access
        username = request.form['username']
        password = request.form['password']

        password = b'password'

        hashed_password = bcrypt.hashpw(password, bcrypt.gensalt())

        # Check if account exists using MySQL
        cursor = mysql.connection.cursor(MySQLdb.cursors.DictCursor)
        cursor.execute('SELECT * FROM accounts WHERE username = %s AND password = %s', (username, hashed_password))
        # Fetch one record and return result
        account = cursor.fetchone()
        # If account exists in accounts table in our database
        if account:
            # Create session data, we can access this data in other routes
            session['loggedin'] = True
            session['id'] = account['id']
            session['username'] = account['username']
            # Redirect to home page
            return redirect(url_for('home'))
        else:
            # Account doesn't exist or username/password incorrect
            msg = 'Incorrect username/password!'
    # Show the login form with message (if any)
    return render_template('index.html', msg=msg)
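The lookup-then-verify flow the question is trying to build, as an added example that is not part of the post: the row is fetched by username only, and the submitted password is verified against the stored salted hash rather than re-hashed with a fresh salt and compared inside the SQL query (a fresh salt makes every hash of the same password different, which is why the question's query never matches). It assumes an in-memory SQLite stand-in for the MySQL `accounts` table and swaps in the standard library's PBKDF2 for bcrypt so it runs without extra packages; the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed in-memory stand-in for the question's MySQL `accounts` table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password BLOB)")

SALT_LEN = 16
ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for the example)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest. A fresh random salt is drawn when none is given,
    so two hashes of the same password differ; that is why hashing again at
    login and comparing in SQL (as in the question) can never match."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the salt taken from the stored value, compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def register(username: str, password: str) -> None:
    """Registration stores only the salted hash, never the plain password."""
    db.execute("INSERT INTO accounts (username, password) VALUES (?, ?)",
               (username, hash_password(password)))


def login(username: str, password: str) -> Optional[int]:
    """Look the account up by username only, then verify against the stored hash.
    Returns the account id on success and None otherwise."""
    row = db.execute("SELECT id, password FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None  # same outcome for an unknown user and a wrong password
    return row[0]


if __name__ == "__main__":
    register("alice", "correct horse")
    print(login("alice", "correct horse"))  # prints the account id (1)
    print(login("alice", "wrong password"))  # None
```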

As you are using MySQL, I would suggest you rather use md5 to verify the user from the table in the database. Change the following code:

cursor.execute('SELECT * FROM accounts WHERE username = %s AND password = md5(%s)', (username, hashed_password))

and to convert all the unencrypted plain-text passwords, run the following query:

UPDATE accounts SET password = MD5(password);

Before you start, make sure that your MySQL database table does not contain plain text in the password column; if it does, delete all the data from the table and then follow these steps:

I also kept getting the same error when logging in with a plain-text password: it did not match the encrypted password in the database. Now I am sharing my solution to this problem. I am using Base64 encoding with ASCII; here you simply print to see whether the cursor returns a value or not, like this.

CODE OF REGISTRATION (image)

REGISTRATION (image)

Saved the results in MySQL:

The password is stored in its encrypted form of base64.

LOGIN INFO:

HERE I AM ENCRYPTED AGAIN INTO BASE64 AND THEN DECODED AND THEN MATCHED TO THE DATABASE PASSWORD (image)

Login successful (image)
