Reputation: 1
Searching for user input variable (string) in SQLite using python
I am trying to search for a username in a table and subsequently find that users password and check it against input so far I have...
def check():
username = logEntry.get()
password = passEntry.get()
curs.execute("SELECT * FROM logins WHERE username = VALUES (?);", (username))
userExists = curs.fetchone()
if userExists:
curs.execute("SELECT * FROM logins WHERE password = VALUES (?);",(password))
passExists = curs.fetchone()
if passExists:
controller.show_frame(look)
else:
errorLabel.place(x=0, y=0)
logButton = tk.Button(self, text="Login", command=check)
logButton.place(x=320, y=120)
regButton = tk.Button(self, text="Registration For New Users",
command=lambda: controller.show_frame(Register))
regButton.place(x=110, y=120)
Any help or suggestions would be much appreciated :)
Updated: I am now having trouble with an error saying that column username does not exist, here is what I have so far. @antti-haapala
def check():
username = logEntry.get()
password = passEntry.get()
cursor.execute("SELECT username, password" "FROM logins WHERE username = ?",(username))
resultrow = cursor.fetchone()
if resultrow is not None:
db_username, db_password = resultrow
if username == db_username and password == db_password:
controller.show_frame(look)
Upvotes: 0
Views: 3462
Answers (1)
Reputation: 134066
Your code is faulty. Even if this is really a Tkinter program, and the password checks do not really add to any security, the following should be noted for all readers might not be aware of the implications in your code:
This kind of program would first for the existence of any user with the given username, then it would check for the existence of any user with the given password, these need not be the same. If you'd use this kind of code in production, I could get into admin account by changing my unrelated user account password to a and logging in with admin:a.
Try something like this instead to ensure that the password that you check belongs to the very user you are checking:
results = cursor.execute("SELECT username, password "
"FROM logins WHERE username = ?", (username,))
resultrow = cursor.fetchone()
if resultrow is not None:
db_user, db_password = resultrow
if username == db_user and password == db_password:
controller.show_frame(look)
And do note that storing plain-text passwords is frowned upon; it is preferable to encrypt these with one-way salted password hashing scheme; for example passlib (PyPI) is a good choice.
Upvotes: 2
Related Questions
- Searching IN list in python + sqlite3
- How do I search for a part of a string in sqlite3?
- Python sqlite user input search
- Searching for a keyword, inputted by the user using sqlite3 and python 3.7
- Searching SQLite Database with Python Variables
- how do I search with a variable in sqlite in python
- Search user input
- Using variables to search using sql
- Search SQLite3 database using a Python variable
- Trying to search a column on SQLite Python so that it only returns the information searched