Python login script help

[drumdogg]

Hi Guys, I'm new to python so apologies for any stupid bits of code.

So basically im trying to get a login script to work, which checks to see if that user is in the users table in the database. So if your name and password input matches database entry then proceed.

Not sure how to check the values against the database.

But here is what what i have got so far:

@route('/login')
def login_form():
	return template ('login.tpl')

@route('/checkLogin', method='post')
def login_submit():
        
	name = request.forms.get('name')
	password = request.forms.get('password')
	connect = sqlite3.connect('project1.db')
        cursor = connect.cursor()
        cursor.execute("SELECT name,password FROM users")
        connect.commit()
        cursor.close()
        connect.close()
        if((name==request.forms.get('name')) & (password==request.forms.get('password'))):
                return template('loggedIn.tpl', message='Successfully logged in!')
        else:
                return template('loggedIn.tpl', message='Unlucky! Try again.')

Currently it is displaying "Successfully logged in" no matter what i enter.
I know the if statement is wrong but not sure what to change it to.

Any suggestions folks

Thanks

 

[ChrisB]

Your seeing a success as your matching:

name = request.forms.get('name')
if name == request.forms.get('name')

Which will be true, same for password,

 

[drumdogg]

Ok, have got it working but it will only check the first name and password in the table instead of checking them all.

@route('/checkLogin', method='post')
def login_submit():
        
	name = request.forms.get('name')
	password = request.forms.get('password')
	connect = sqlite3.connect('project1.db')
        cursor = connect.cursor()
        cursor.execute("SELECT ALL name,password FROM users")
        result=cursor.fetchone()
	name=result[0]
	password=result[1]
        connect.commit()
        cursor.close()
        connect.close()
        if((name==request.forms.get('name')) & (password==request.forms.get('password'))):
                return template('loggedIn.tpl', message='Successfully logged in!')
        else:
                return template('loggedIn.tpl', message='Unlucky! Try again.')

 

[drumdogg]

Anyone??

Not sure how to loop through each one.

 

[geuben]

Anyone??

Not sure how to loop through each one.

If you can post an example of what result looks like (ie the data returned from the db query) then I can help you out.

 

[tidusjar]

Your seeing a success as your matching:

name = request.forms.get('name')
if name == request.forms.get('name')

Which will be true, same for password,

As Chris said,

name = request.forms.get('name')

If you are doing an If statement they are going to return true as you are assigning the value above and then basically checking if it's assigned correctly.

It's like doing

dog = 1
cat = 2

if dog == 1:
print "The dog is 1" #Always true as we assigned the value of 1 above.
elif cat == 2:
print "the cat is 2" #Will also be true but the first statement will proceed.
else:
print "the dog is not 1 and the cat is not 2"

 

[visibleman]

I'm confused by the query; is there a particular reason why you're pulling out all of the rows in the table?

Usually you'd pull out the row (in this case the password) associated to the input username, ie -

cursor.execute("SELECT password FROM users WHERE name=? LIMIT 1", name)

If no results are returned (use rowcount iirc) then the user doesn't exist and return a nondescript error; if there is a result then you grab the password and check it against what the user entered.

 

[drumdogg]

If you can post an example of what result looks like (ie the data returned from the db query) then I can help you out.

I am trying to get the names and passwords from the query in results. Currently results[0] is the name and results[1] is the password for the first entry.

If that's what you mean??

def login_submit():
	name = request.forms.get('name')
	password = request.forms.get('password')
	connect = sqlite3.connect('ytPlaylist_V3.db')
        cursor = connect.cursor()
        cursor.execute("SELECT name,password FROM users")
        result=cursor.fetchone()
        name=result[0]
        password=result[1]
        if((result[0]==request.forms.get('name')) & (result[1]==request.forms.get('password'))):
                return template('loggedIn.tpl', message='Successfully logged in!')
        else:
                return template('loggedIn.tpl', message='Unlucky! Try again.')

Thanks

 

[geuben]

I am trying to get the names and passwords from the query in results. Currently results[0] is the name and results[1] is the password for the first entry.

If that's what you mean??

Thanks

You want to loop over the data, in order to help you do that I need to know the format of the data. From what you've said it looks like its an array, with the name at the first element and the password at the 2nd, but without making any assumptions how are we to know where the next name & password are?

However I feel this is all moot, I think visibleman got it right with asking why are you getting all the usernames and passwords out of the database and not just the single entry for the name you are looking for.

 

[sb89]

I'm confused by the query; is there a particular reason why you're pulling out all of the rows in the table?

Usually you'd pull out the row (in this case the password) associated to the input username, ie -

cursor.execute("SELECT password FROM users WHERE name=? LIMIT 1", name)

If no results are returned (use rowcount iirc) then the user doesn't exist and return a nondescript error; if there is a result then you grab the password and check it against what the user entered.

This.

Your query is returning multiple (or none, depending on the contents of the table) rows. You want it to only return one.

 

[visibleman]

I've dabbled in Python, so apologises if this is incorrect. But you essentially want something like -

# Grab form Details (needs sanitising!!)
form_name = request.forms.get('name')
form_password = request.forms.get('password')

# Connect to DB
connect = sqlite3.connect('project1.db')
cursor = connect.cursor()

# Grab user's password from table
cursor.execute("SELECT password FROM users WHERE name=? LIMIT 1", (form_name))
result=cursor.fetchall()
	
# Does user exist?
if(len(result) != 1):
	# Doesn't exist
	return template('loggedIn.tpl', message='Unlucky! Try again.')
else:
	result_password=result[0]
	if(result_password==form_password):
		# Correct, login!
		return template('loggedIn.tpl', message='Successfully logged in!')
	else:
		# Wrong
		return template('loggedIn.tpl', message='Unlucky! Try again.')

# Cleanup
cursor.close()
connect.close()

From what i understand, rowcount isn't correctly implemented into SQLite hence the .fetchall() and checking it's length - but i'm sure there's a better way of doing this.

 

[drumdogg]

Getting the following error on the query - Incorrect number of bindings supplied. The current statement uses 1, and there a 4 supplied. If i change the (Name) to (Name,) the error goes away but it still displays the 'Unlucky' message.

 

[sb89]

Getting the following error on the query - Incorrect number of bindings supplied. The current statement uses 1, and there a 4 supplied. If i change the (Name) to (Name,) the error goes away but it still displays the 'Unlucky' message.

Would be much more helpful if we could see your code.

 

[drumdogg]

def login_submit():
	Name = request.forms.get('name')
	Password = request.forms.get('password')
	connect = sqlite3.connect('project1.db')
        cursor = connect.cursor()
        cursor.execute("SELECT password FROM users WHERE name=? LIMIT 1", (Name,))
        result=cursor.fetchall()
        if(len(result) != 1):
                return template('loggedIn.tpl', message='Unlucky! Try again.')
        else:
                result_password=result[0]
                if(result_password==Password):
		
                        return template('loggedIn.tpl', message='Successfully logged in!')
                else:
		
                        return template('loggedIn.tpl', message='Unlucky! Try again.')

        
        cursor.close()
        connect.close()

 

[visibleman]

Extra comma in the execute input......

Edit - Ignore. (Name,) is correct, without the comma it becomes an expression instead of a tuple.
I suspect the issue will be with the first IF statement; i'd print out the password and the length of result and see what you get.

 

[drumdogg]

Ok, printed out the len of result which is 1 and printed out password.

This is where i am getting confused now! The password that prints out is what I type into the password field. So i type in the correct password 'mikem' or if i type in '1234' it prints out.

Should it not be the password coming from the database that prints out?? (have been sitting at this too long!! lol)

 

[touch]

I'm not familiar with python, so i dont know how the results would be returned from the query. If it knows that you have only selected 1 field in the SELECT statement, it might come back as an array of strings. In which case, this line would be correct:

result_password=result[0]

But it might also return a list of objects with attributes (in your case, each one only has a single attribute), so you might need to do:

result_password=result[0][0]

ie select the first attribute from the first returned row.

 

[Amleto]

print result
print dir(result)

 

[drumdogg]

But it might also return a list of objects with attributes (in your case, each one only has a single attribute), so you might need to do:

result_password=result[0][0]

touch - changed it to the above and it is now working

Not quite sure why but at least now its working.

Thanks

 

[drumdogg]

Ok guys here is a different thing I would like an opinion on please.

How can I carry a variable through different routes in python like PHP used the SESSION variable. I would like to have the name of the user logged in held in a variable throughout a session in python.

Is that possible?

cheers