What's wrong with my code?
-
I don't know python
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username= ? and password = ?") self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD) if(!self.query.exec()): print "Database query failed" return False if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" else: print "Log is as User" return True print "wrong" self.ctr += 1 print self.ctr if self.ctr >= 10: sys.exit() return False
P.S.
And this kids is how you do user authentication completely wrong!You should store the salt (a random string) for each account in plain text or encrypted in the database, retrieve it, (decrypt it if it's encrypted) and use it with the supplied password in a QCryptographicHash or with somthing better now compare this hash with the one in the database
@VRonin sorry newbie to programming anyways thank you! i will try that later :)
-
I don't know python
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username= ? and password = ?") self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD) if(!self.query.exec()): print "Database query failed" return False if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" else: print "Log is as User" return True print "wrong" self.ctr += 1 print self.ctr if self.ctr >= 10: sys.exit() return False
P.S.
And this kids is how you do user authentication completely wrong!You should store the salt (a random string) for each account in plain text or encrypted in the database, retrieve it, (decrypt it if it's encrypted) and use it with the supplied password in a QCryptographicHash or with somthing better now compare this hash with the one in the database
if(!self.query.exec()): print "Database query failed" return False! not working syntax error
-
I used a C++ boolean operation instead of a python one, as mentioned I can't use python. easy to look up to be fair...
if(not self.query.exec()): print "Database query failed" return Falseif(not self.query.exec()): print "Database query failed" return Falseprint statement not showing up i also try the "not" function sorry i forgot to indicate
-
@VRonin i want to block inputs if username or password is not existing in my database i try to use isActive but behaves the same then if i remove the "not" function it executes when i type the correct query
-
@VRonin i try to remove the if(self.query.exec_()) and modify with .next() but still not showing my print statement account doesn't exist
-
no, you don't have to modify anything.
if(!self.query.exec()): print "Database query failed" return Falsechecks that the database ran the query correctly, it says nothing on the data inside it. the next block
if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" else: print "Log is as User" return Truehere we check if the username and passwords were in the database
-
no, you don't have to modify anything.
if(!self.query.exec()): print "Database query failed" return Falsechecks that the database ran the query correctly, it says nothing on the data inside it. the next block
if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" else: print "Log is as User" return Truehere we check if the username and passwords were in the database
@VRonin i understand now Thank you very much! i remove the "not" function and it works
-
@VRonin i understand now Thank you very much! i remove the "not" function and it works
@Gelo but the problem is everytime i input a correct query for example the admin account it prints the "login as admin" and but after it print the admin mode "Database query failed" shows up first
-
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD))) self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD) if(self.query.exec_()): print "Database query failed" self.ctr += 1 print self.ctr if self.ctr >= 3: print "3 wrong attemps will terminate in a second!" time.sleep(2) sys.exit() return False if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" print self.query.exec_() subprocess.Popen("__init__.py",shell=True) sys.exit() else: print "View Mode!" sys.exit() return True -
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD))) self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD) if(self.query.exec_()): print "Database query failed" self.ctr += 1 print self.ctr if self.ctr >= 3: print "3 wrong attemps will terminate in a second!" time.sleep(2) sys.exit() return False if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" print self.query.exec_() subprocess.Popen("__init__.py",shell=True) sys.exit() else: print "View Mode!" sys.exit() return True@Gelo said in Whats wrong with my code!:
self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
http://www.w3schools.com/sql/sql_injection.asp
if(self.query.exec_()):
why did you remove the not? it should be
if(not self.query.exec_()):print "3 wrong attemps will terminate in a second!"
you are not checking the attempts in the in the right place
print self.query.exec_()
why are you executing the query again?
if(not self.query.exec_()): print "Database query failed" else: if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" print self.query.exec_() subprocess.Popen("__init__.py",shell=True) sys.exit() else: print "View Mode!" sys.exit() return True else: self.ctr += 1 print self.ctr if self.ctr >= 3: print "3 wrong attemps will terminate in a second!" time.sleep(2) sys.exit() return False -
@Gelo said in Whats wrong with my code!:
self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
http://www.w3schools.com/sql/sql_injection.asp
if(self.query.exec_()):
why did you remove the not? it should be
if(not self.query.exec_()):print "3 wrong attemps will terminate in a second!"
you are not checking the attempts in the in the right place
print self.query.exec_()
why are you executing the query again?
if(not self.query.exec_()): print "Database query failed" else: if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" print self.query.exec_() subprocess.Popen("__init__.py",shell=True) sys.exit() else: print "View Mode!" sys.exit() return True else: self.ctr += 1 print self.ctr if self.ctr >= 3: print "3 wrong attemps will terminate in a second!" time.sleep(2) sys.exit() return False@VRonin i remove the not function because it does not print the message if i enter wrong inputs
-
if(not self.query.exec()):checks that the query did run correctly, it does not check your input.
The input is checked byif(self.query.next()):if that is true then username and password were found in the database.Please do not overlook the SQL injection bug:
self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
http://www.w3schools.com/sql/sql_injection.asp -
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD))) self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD) if(self.query.exec_()): print "Database query failed" self.ctr += 1 print self.ctr if self.ctr >= 3: print "3 wrong attemps will terminate in a second!" time.sleep(2) sys.exit() return False if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" print self.query.exec_() subprocess.Popen("__init__.py",shell=True) sys.exit() else: print "View Mode!" sys.exit() return True@Gelo said in Whats wrong with my code!:
self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD))) self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD)I just wonder this works... did you read http://pyqt.sourceforge.net/Docs/PyQt4/qsqlquery.html for how to use prepare statement and binding values?
To bind values to a prepared statement you need placeholders.
According to the examples on http://pyqt.sourceforge.net/Docs/PyQt4/qsqlquery.html it should be done like this:Named binding using named placeholders:
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (:id, :forename, :surname)"); query.bindValue(":id", 1001); query.bindValue(":forename", "Bart"); query.bindValue(":surname", "Simpson"); query.exec();Positional binding using named placeholders:
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (:id, :forename, :surname)"); query.bindValue(0, 1001); query.bindValue(1, "Bart"); query.bindValue(2, "Simpson"); query.exec();Binding values using positional placeholders (version 1):
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (?, ?, ?)"); query.bindValue(0, 1001); query.bindValue(1, "Bart"); query.bindValue(2, "Simpson"); query.exec();Binding values using positional placeholders (version 2):
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (?, ?, ?)"); query.addBindValue(1001); query.addBindValue("Bart"); query.addBindValue("Simpson"); query.exec();
