Gabe
Reputation: 1
How would I verify that user entered password is the same as the hashed password form database
When I run the code and enter a password that's old and hasn't been hashed it tells me that it is tuple which isn't the problem but when I try to verify a hashed password I get that my password is wrong so I wonder what's wrong with my code. I'm new to python and not super experienced with mysql but I think the problem lies at how I select the hashed password and do the if statement.
'''
from flask import Flask, render_template, request, redirect, url_for, session
from flask_mysqldb import MySQL
from passlib.hash import sha256_crypt
import MySQLdb.cursors
import re
import hashlib
import os
salt = os.urandom(32)
app = Flask(__name__)
app.secret_key = 'ý{Hå<\x95ùã\x96.5Ñ\x01O<!Õ¢\xa0\x9fR"¡¨'
# Enter your database connection details below
app.config['MYSQL_HOST'] = 'localhost'
app.config['MYSQL_USER'] = 'root'
app.config['MYSQL_PASSWORD'] = ''
app.config['MYSQL_DB'] = 'pythonlogin'
# Intialize MySQL
mysql = MySQL(app)
@app.route('/pythonlogin/', methods=['GET', 'POST'])
def login():
# Output message if something goes wrong...
msg = ''
# Check if "username" and "password" POST requests exist (user submitted form)
if request.method == 'POST' and 'username' in request.form and 'password' in request.form:
# Create variables for easy access
username = request.form['username']
password = request.form['password']
# Check if account exists using MySQL
cursor = mysql.connection.cursor(MySQLdb.cursors.DictCursor)
cursor.execute('SELECT * FROM accounts WHERE username = %s AND password = %s', (username, password,))
# Fetch one record and return result
account = cursor.fetchone()
hashedPass = ('SELECT password FROM accounts WHERE username = %s', (username))
# If account exists in accounts table in out database
if account and sha256_crypt.verify(password, hashedPass):
# Create session data, we can access this data in other routes
session['loggedin'] = True
session['id'] = account['id']
session['username'] = account['username']
# Redirect to home page
return redirect(url_for('home'))
else:
# Account doesnt exist or username/password incorrect
msg = 'Incorrect username/password!'
# Show the login form with message (if any)
return render_template('index.html', msg=msg)
''' This above is where I believe the problem is hashtags/comments are because I've followed a tutorial to learn and now I try to build onto it which is where I'm now stuck
This is how I hash it and I believe that's it's done correctly: '''
@app.route('/pythonlogin/register', methods=['GET', 'POST'])
def register():
# Output message if something goes wrong...
msg = ''
# Check if "username", "password" and "email" POST requests exist (user submitted form)
if request.method == 'POST' and 'username' in request.form and 'password' in request.form and 'email' in request.form:
# Create variables for easy access
username = request.form['username']
password = sha256_crypt.encrypt(request.form['password']) #Sha 256 encryptering med hash och salt
email = request.form['email']
# Check if account exists using MySQL
cursor = mysql.connection.cursor(MySQLdb.cursors.DictCursor)
cursor.execute('SELECT * FROM accounts WHERE username = %s', (username,))
account = cursor.fetchone()
# If account exists show error and validation checks
if account:
msg = 'Account already exists!'
elif not re.match(r'[^@]+@[^@]+\.[^@]+', email):
msg = 'Invalid email address!'
elif not re.match(r'[A-Za-z0-9]+', username):
msg = 'Username must contain only characters and numbers!'
elif not username or not password or not email:
msg = 'Please fill out the form!'
else:
# Account doesnt exists and the form data is valid, now insert new account into accounts table
cursor.execute('INSERT INTO accounts VALUES (NULL, %s, %s, %s)', (username, password, email,))
mysql.connection.commit()
msg = 'You have successfully registered!'
'''
I can see in the database that users gets registered with a hashed and salted password. Thanks for any help :)
Upvotes: 0
Views: 1127
Answers (1)
Gabe
Reputation: 1
Ok so I figured out how I should do the verification and now it works like butter:
cursor = mysql.connection.cursor(MySQLdb.cursors.DictCursor)
cursor.execute("SELECT * FROM accounts WHERE username = %s", (username,))
# Fetch one record and return result
account = cursor.fetchone()
validatePassword = sha256_crypt.verify(password, account['password'])
# If account exists in accounts table in out database
if account and validatePassword:
Correct me if I'm missing something but I believe it's done :)
Upvotes: 0
Related Questions
- How can i validate in python if a username and password already exist in mySQL Database?
- How do I check my database values for the correct username and pass?
- How to do password check with hash?
- How to check a hashed password against database
- password verify not working to compare hashed password with user entered password
- How do i verifying User password from mysql DB
- Verify input user password matches hashed password from database on login page c# asp.net
- How to password_verify() with hash from database
- Checking whether user entered username and password exists in MYSQL database
- How to verify password against database?