Python 与 SQLite 的身份验证问题
我有一个 python 数据库,有 2 个字段:用户名和 passHash。数据库没问题,我已经检查过并且所有参数都是正确的。然后我需要一个身份验证系统,该系统将在每一行中查找用户名,如果找到,则查找第二个字段中的密码,如果与用户提供的不同,则返回“通过不正确”。但问题是:我怎样才能做到这一点,以便系统将循环遍历所有行,当它完成时,它将返回“用户不存在”..因为现在它返回在搜索的第一行中找不到用户,听起来该死的菜鸟,但我们走吧 D:
Ps。使用twisted和sqlite3
def authenticate(self, username, password):
playerDB.execute('''SELECT * FROM playerData''')
for row in playerDB:
if row[0] == username:
if row[1] == password:
if username in ADMIN_NAMES:
self.server.sendOutput("Admin authentication: %s" % username)
logging.info("Admin authentication: %s" % username)
return "Authenticated"
else:
logging.info("Authentication Fail: %s" % username)
return "Password doesn't matches username."
else:
return "This player doesn't exists."
I have a Database in python with 2 fields: Username and passHash. The DB is ok, i already checked and all the parameters are correct. Then i need an authentication system that will look each row for the username, if it finds, look the 2nd field for the password, if not the same as user-provided, return "pass incorrect". but the problem is: how can i do it so the system will loop through all the rows and when it finishes, it will return "User doesn't exists".. Because now it returns user not found in the first row searched, sounds freaking noob but let's go D:
Ps. using twisted and sqlite3
def authenticate(self, username, password):
playerDB.execute('''SELECT * FROM playerData''')
for row in playerDB:
if row[0] == username:
if row[1] == password:
if username in ADMIN_NAMES:
self.server.sendOutput("Admin authentication: %s" % username)
logging.info("Admin authentication: %s" % username)
return "Authenticated"
else:
logging.info("Authentication Fail: %s" % username)
return "Password doesn't matches username."
else:
return "This player doesn't exists."
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
从安全角度来看,您不应该告诉未经身份验证的用户未找到他们的用户名,或者找到了他们的用户名但密码不匹配。
通过提供此信息,您可以向潜在攻击者提供有关其攻击方式的更多信息。
如果攻击者可以尝试常见的用户名,然后尝试常见的密码,那么他在找到匹配项之前就不必付出同样的努力,或者尝试尽可能多的用户名/密码组合。
相反,如果您只是每次都告诉未经身份验证的用户相同的消息:“该用户名或密码不匹配”,无论他们被拒绝身份验证的原因(无论他们提供了无效的用户名、无效的用户名、无效的用户名或密码),密码,或者因为触发了滥用检测器而被阻止),那么攻击者不知道他们是否接近成功,并且即使对于可能不存在的用户名也必须尝试密码。
From a security standpoint, you should not tell unauthenticated users that their username wasn't found, or that their username was found but the password didn't match.
By providing this information, you are giving potential attackers more information about the way they can attack.
If an attacker can try common usernames, and then try common passwords, he's not going to have to work nearly as hard, or try nearly as many combinations of username/password, before finding a match.
If instead, you just tell unauthenticated users the same message every time: "That username or password did not match" regardless of the reason why they have been refused authentication (weather they supplied an invalid username, an invalid password, or are being blocked because they triggered an abuse detector), then an attacker has no idea if they are getting closer to success, and will have to try passwords even on usernames that might not even exist.
只需将第二个
else子句移至for循环而不是外部if语句即可。如果到达循环末尾且没有错误、中断或返回,则它将被执行。Just move your second
elseclause out to theforloop instead of the outerifstatement. If you get to the end of the loop without an error, break, or return, it will be executed.