What's wrong with my code?



  • def Submit_btn(self):
            USERNAME = self.username.text()
            PASSWORD = self.password.text()
            
            self.query = QSqlQuery("SELECT username,password FROM users")
                
            while (self.query.next()):
                user_data = self.query.value(0).toString()
                pass_data = self.query.value(1).toString()
    
                if USERNAME == user_data and PASSWORD == pass_data:
                    if USERNAME == "admin" and PASSWORD == "password":
                        print "Login as Administrator"
                        return True
                    if USERNAME != "admin" and PASSWORD != "password":
                        print "Log is as User"
                    
            if USERNAME != user_data and PASSWORD != pass_data:
                print "wrong"
                self.ctr += 1
                print self.ctr
                if self.ctr >= 10:
                    sys.exit()
    

    If i enter wrong input with users account the increament for wrong input wont count



  • I don't know python

    def Submit_btn(self):
            USERNAME = self.username.text()
            PASSWORD = self.password.text()
            
            self.query = QSqlQuery()
            self.query.prepare("SELECT username FROM users WHERE username= ? and password = ?")
            self.query.addBindValue(USERNAME)    
            self.query.addBindValue(PASSWORD) 
            if(!self.query.exec()):
                print "Database query failed"
                return False
            if(self.query.next()):
                    if USERNAME == "admin":
                        print "Login as Administrator"
                    else:
                        print "Log is as User"
                    return True
    
                print "wrong"
                self.ctr += 1
                print self.ctr
                if self.ctr >= 10:
                    sys.exit()
                return False
    

    P.S.
    And this kids is how you do user authentication completely wrong!

    You should store the salt (a random string) for each account in plain text or encrypted in the database, retrieve it, (decrypt it if it's encrypted) and use it with the supplied password in a QCryptographicHash or with somthing better now compare this hash with the one in the database



  • @VRonin sorry newbie to programming anyways thank you! i will try that later :)



  • @VRonin

    if(!self.query.exec()):
                print "Database query failed"
                return False
    

    ! not working syntax error



  • I used a C++ boolean operation instead of a python one, as mentioned I can't use python. easy to look up to be fair...

    if(not self.query.exec()):
                print "Database query failed"
                return False
    


  • @VRonin

    if(not self.query.exec()):
                print "Database query failed"
                return False
    

    print statement not showing up i also try the "not" function sorry i forgot to indicate



  • It should not show up, if it did it meant I messed something up in the query



  • @VRonin i want to block inputs if username or password is not existing in my database i try to use isActive but behaves the same then if i remove the "not" function it executes when i type the correct query



  • its if(self.query.next()): that checks if the username and password exists or not



  • @VRonin i try to remove the if(self.query.exec_()) and modify with .next() but still not showing my print statement account doesn't exist



  • no, you don't have to modify anything.

     if(!self.query.exec()):
                print "Database query failed"
                return False
    

    checks that the database ran the query correctly, it says nothing on the data inside it. the next block

     if(self.query.next()):
                    if USERNAME == "admin":
                        print "Login as Administrator"
                    else:
                        print "Log is as User"
                    return True
    

    here we check if the username and passwords were in the database



  • @VRonin i understand now Thank you very much! i remove the "not" function and it works



  • @Gelo but the problem is everytime i input a correct query for example the admin account it prints the "login as admin" and but after it print the admin mode "Database query failed" shows up first



  • could you post your current code?



  • @VRonin

    def Submit_btn(self):
        USERNAME = self.username.text()
        PASSWORD = self.password.text()
        
        self.query = QSqlQuery()
        self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
        self.query.addBindValue(USERNAME)    
        self.query.addBindValue(PASSWORD)
        
        if(self.query.exec_()):
            print "Database query failed"
            self.ctr += 1
            print self.ctr
        if self.ctr >= 3:
            print "3 wrong attemps will terminate in a second!"
            time.sleep(2)
            sys.exit()
            return False
        if(self.query.next()):
                if USERNAME == "admin":
                    print "Login as Administrator"
                    print self.query.exec_()
                    subprocess.Popen("__init__.py",shell=True)
                    sys.exit()
                else:
                    print "View Mode!"
                    sys.exit()
                return True


  • @Gelo said in Whats wrong with my code!:

    self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))

    http://www.w3schools.com/sql/sql_injection.asp

    if(self.query.exec_()):

    why did you remove the not? it should be if(not self.query.exec_()):

    print "3 wrong attemps will terminate in a second!"

    you are not checking the attempts in the in the right place

    print self.query.exec_()

    why are you executing the query again?

    if(not self.query.exec_()):
    	print "Database query failed"
    else:
    	if(self.query.next()):
    		if USERNAME == "admin":
    			print "Login as Administrator"
    			print self.query.exec_()
    			subprocess.Popen("__init__.py",shell=True)
    			sys.exit()
    		else:
    			print "View Mode!"
    			sys.exit()
    		return True
    	else:
    		self.ctr += 1
    		print self.ctr
    		if self.ctr >= 3:
    			print "3 wrong attemps will terminate in a second!"
    			time.sleep(2)
    			sys.exit()
    		return False
    


  • @VRonin i remove the not function because it does not print the message if i enter wrong inputs



  • if(not self.query.exec()): checks that the query did run correctly, it does not check your input.
    The input is checked by if(self.query.next()): if that is true then username and password were found in the database.

    Please do not overlook the SQL injection bug:

    self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
    http://www.w3schools.com/sql/sql_injection.asp



  • @Gelo said in Whats wrong with my code!:

        self.query = QSqlQuery()
        self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
        self.query.addBindValue(USERNAME)    
        self.query.addBindValue(PASSWORD)
    

    I just wonder this works... did you read http://pyqt.sourceforge.net/Docs/PyQt4/qsqlquery.html for how to use prepare statement and binding values?

    To bind values to a prepared statement you need placeholders.
    According to the examples on http://pyqt.sourceforge.net/Docs/PyQt4/qsqlquery.html it should be done like this:

    Named binding using named placeholders:

     QSqlQuery query;
     query.prepare("INSERT INTO person (id, forename, surname) "
                   "VALUES (:id, :forename, :surname)");
     query.bindValue(":id", 1001);
     query.bindValue(":forename", "Bart");
     query.bindValue(":surname", "Simpson");
     query.exec();
    

    Positional binding using named placeholders:

     QSqlQuery query;
     query.prepare("INSERT INTO person (id, forename, surname) "
                   "VALUES (:id, :forename, :surname)");
     query.bindValue(0, 1001);
     query.bindValue(1, "Bart");
     query.bindValue(2, "Simpson");
     query.exec();
    

    Binding values using positional placeholders (version 1):

     QSqlQuery query;
     query.prepare("INSERT INTO person (id, forename, surname) "
                   "VALUES (?, ?, ?)");
     query.bindValue(0, 1001);
     query.bindValue(1, "Bart");
     query.bindValue(2, "Simpson");
     query.exec();
    

    Binding values using positional placeholders (version 2):

     QSqlQuery query;
     query.prepare("INSERT INTO person (id, forename, surname) "
                   "VALUES (?, ?, ?)");
     query.addBindValue(1001);
     query.addBindValue("Bart");
     query.addBindValue("Simpson");
     query.exec();

Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.