I am trying to login from Phonegap app into my web2py app, what's wrong here?


Steve Joe

Aug 26, 2016, 9:31:54 AM8/26/16
to web2py-users
IN PHONEGAP:

<!-- method="post" added: the original form had no method, so the browser would
     default to GET and place the username and password in the request URL
     (server logs, browser history); web2py reads both from request.vars. -->
<form method="post" action="https://#someurl#.pythonanywhere.com/welcome/phonegap/login">
  Username:<br>
  <input type="text" name="username" value="username">
  <br>
  Password:<br>
  <input type="password" name="password" value="">
  <br><br>
  <input type="submit" value="Submit">
</form>


IN WEB2PY:

def login():
    k="false"
    if db(db.auth_user.username == request.vars.username and db.auth_user.password == request.vars.password).select():
        k="true"
    return locals()

and in view I can see:

<Storage {'username': 'shinchan', 'password': '1156'}> false 
which means I got k as false.

The username and password are correct according to my database but I can't login. What should I do?

Niphlod

Aug 26, 2016, 10:00:41 AM8/26/16
to web2py-users
Fortunately the password doesn't get stored in plain text on web2py :D You need to apply CRYPT() before comparing. Read more about that in the book.

Steve Joe

Aug 26, 2016, 10:08:40 AM8/26/16
to web...@googlegroups.com
db(db.auth_user.username == request.vars.username and db.auth_user.password == CRYPT(request.vars.password)).select()

if db(db.auth_user.username == request.vars.username and db.auth_user.password == CRYPT(digest_alg='md5')(request.vars.password)[0]).select():

Neither of them works either.

Steve Joe

Aug 27, 2016, 5:20:01 AM8/27/16
to web2py-users
Anyone there? Anthony?

Kiran Subbaraman

Aug 27, 2016, 8:14:53 AM8/27/16
to web...@googlegroups.com
The book can help you: http://web2py.com/books/default/chapter/29/06/the-database-abstraction-layer#Logical-operators
You need to use the right operator in your query.
You can also use the web2py debugger to figure out how your code works and values returned, at runtime.
________________________________________
Kiran Subbaraman
http://subbaraman.wordpress.com/about/

Steve Joe

Aug 28, 2016, 9:39:06 AM8/28/16
to web2py-users
db((db.auth_user.username == request.vars.username) & (db.auth_user.password == CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0])).select()
This doesn't work either.

Massimo Di Pierro

Aug 28, 2016, 9:05:20 PM8/28/16
to web2py-users
This cannot be done. It is a feature, not a bug. The purpose of the salt in the hashed password is to prevent brute force attacks against the database. What you are doing is a brute force attack.

The only way to do it is to select all records, loop over them one by one and compare each with:

# one CRYPT object for the candidate password; its == re-hashes with the salt of the value it is compared to
encpwd = CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0]
for row in db(..).select():
    if row.password == encpwd: ....

I guess this is an even more brute force attack.... It will be slow but may work on small databases.

Niphlod

Aug 29, 2016, 5:23:12 AM8/29/16
to web2py-users
Technically, though, USERNAME is in the clear, so you need to query for the username and just match the password with the crypted value.
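The check Massimo and Niphlod describe (select the row by its clear-text username, then compare the candidate password against that row's salted hash instead of putting a freshly computed hash in the query), as an added example that is not part of this thread or of web2py's own code. It assumes web2py's stored layout `digest_alg$salt$hexdigest` with a standard PBKDF2-HMAC for `pbkdf2(1000,20,sha512)`; the user table, usernames, passwords and the 16-character salt length are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed to mirror web2py's CRYPT output layout: 'digest_alg$salt$hexdigest'.
DIGEST_ALG = "pbkdf2(1000,20,sha512)"


def _parse_alg(alg: str):
    """Split 'pbkdf2(1000,20,sha512)' into (iterations, key_length_bytes, hash_name)."""
    if not (alg.startswith("pbkdf2(") and alg.endswith(")")):
        raise ValueError("unsupported digest algorithm: %r" % alg)
    iterations, keylen, hash_name = alg[len("pbkdf2("):-1].split(",")
    return int(iterations), int(keylen), hash_name.strip()


def hash_password(password: str, salt: Optional[str] = None, alg: str = DIGEST_ALG) -> str:
    """Return 'alg$salt$hex'. A fresh random salt is drawn unless one is supplied,
    so two calls with the same password give two different strings."""
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex chars; assumed to match web2py's salt length
    iterations, keylen, hash_name = _parse_alg(alg)
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations, dklen=keylen)
    return "%s$%s$%s" % (alg, salt, digest.hex())


def verify_password(password: str, stored: Optional[str]) -> bool:
    """Re-hash the candidate with the salt and algorithm taken from the stored value
    and compare the digests in constant time. This is what CRYPT()(pw) == stored does."""
    if stored is None or stored.count("$") != 2:
        return False
    alg, salt, hexdigest = stored.split("$")
    try:
        candidate = hash_password(password, salt=salt, alg=alg)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate.split("$")[2], hexdigest)


# Constructed stand-in for the auth_user table (not real accounts): username -> stored hash.
USERS = {
    "shinchan": hash_password("1156"),
    "alice": hash_password("correct horse battery staple"),
}


def login(username: str, password: str, users=USERS) -> bool:
    """Look the row up by the clear-text username, then verify against its own hash.
    The hash must never be a WHERE condition: every row carries a different salt."""
    stored = users.get(username)
    if stored is None:
        # Burn a hash anyway so an unknown user takes about as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, stored)


def same_password_two_hashes(password: str) -> bool:
    """True when hashing the same password twice yields different strings, which is
    why 'db.auth_user.password == CRYPT(...)(pw)' in a query can never match."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print(USERS["shinchan"])                 # pbkdf2(1000,20,sha512)$<16 hex salt>$<40 hex chars>
    print(login("shinchan", "1156"))         # True
    print(login("shinchan", "1157"))         # False
    print(same_password_two_hashes("1156"))  # True
```

In web2py terms the same flow is one query on `db.auth_user.username == request.vars.username` (a single condition, so the `and`-versus-`&` problem from the original query cannot bite) followed by `CRYPT(...)(request.vars.password)[0] == row.password` on the one row returned.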