I'm trying to write a login page using mysql and python for my degree but I couldn't figure out why the login validation reads the encrypted hashlib password instead of the actuall password
I couldn't figure out why the login validation reads the encrypted hashlib password instead of the actuall password.
**This is function of the signup which encryptes it in the Database: **
def connect_database():
l, u, s, d = 0, 0, 0, 0
capitalalphabets = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
smallalphabets = "abcdefghijklmnopqrstuvwxyz"
specialchar = "!@#$%^&\*()"
digits = "0123456789"
forbidden_words = \['qwerty', 'password', 'zxcvbnm'\] # List of forbidden words in passwords
badwords = 0 # Check if there are forbidden words in passwords
if emailEntry.get() == '' or usernameEntry.get() == '' or passwordEntry.get() == '' or confirmpasswordEntry.get() == '':
messagebox.showerror('Error', 'All fields are required!')
elif passwordEntry.get() != confirmpasswordEntry.get():
messagebox.showerror('Error', 'Password does not match!')
elif check.get() == 0:
messagebox.showerror('Error', 'Please agree to all terms and conditions')
else:
try:
connect = mysql.connector.connect(host="localhost", user="root", password="somepassword123")
cursor = connect.cursor()
except:
messagebox.showerror('Error', 'Database Connectivity Issue')
return
try: # This function creates the db. if the db already exists, it won't run again
query = 'create database users'
cursor.execute(query)
query = 'use users'
cursor.execute(query)
query = 'create table userdata(id int auto_increment primary key not null, email varchar(50), username varchar(50), password longtext(500))'
cursor.execute(query)
except:
password = passwordEntry.get()
for i in password:
if i in digits:
d += 1
if i in smallalphabets:
l += 1
if i in capitalalphabets:
u += 1
if i in specialchar:
s += 1
for word in forbidden_words:
if word in passwordEntry.get():
badwords += 1
if l \>= 1 and u \>= 1 and s \>= 1 and d \>= 1 and l + s + u + d == len(password) and len(
password) \>= 10 and badwords == 0:
salt = "1qz" # Inserting a permanent salt
salt = salt.encode('utf-8') # Encodes salt
password_and_salt = password.encode('utf-8') + salt # Adding salt to the password
password_hash = hashlib.sha256(password_and_salt).hexdigest() # Hash the password
cursor.execute('use users')
query = 'insert into userdata(email, username, password) values(%s, %s, %s)' # Puts the data inside the table
cursor.execute(query, (emailEntry.get(), usernameEntry.get(), password_hash))
connect.commit() # Commit all changes
connect.close()
cursor.close()
messagebox.showinfo('Success', 'Your account has been successfully created')
clear()
signup_window.destroy() # Closes the register page once the account has been created
import signin
else:
messagebox.showerror('Error', 'Password is not valid')
and this one is the login page which takes the encrypted hashed code from the db and not the password:
def login_user():
attempts = 0 # Failed login attempts
max_attempts = 1 # Maximum number of failed login attempts
while attempts \< max_attempts:
if UsernameEntry.get() == '' or PasswordEntry.get() == '':
messagebox.showerror('Error', 'All fields are required!')
else:
try:
connect = mysql.connector.connect(host="localhost", user="root", password="somepassword123")
cursor = connect.cursor()
except:
messagebox.showerror('Error', 'Connection is not established, try again')
return
query = 'use users'
cursor.execute(query)
query = 'select \* from userdata where username=%s and password=%s'
cursor.execute(query, (UsernameEntry.get(), PasswordEntry.get()))
check = cursor.fetchone()
if check is not None: # Correct username and password
messagebox.showinfo('Welcome', 'Log In Successful')
else:
messagebox.showerror('Error', 'Invalid username or password')
attempts += 1
if attempts == max_attempts:
messagebox.showerror('Error', 'Too many failed login attempts \[3\]')
any help will be apprieitated thank you very much!
https://stackoverflow.com/questions/2572099/pythons-safest-method-to-store-and-retrieve-passwords-from-a-database – Kostas Nitaf Jan 11 '23 at 19:32