sqlite 怎么可能有人在此登录代码上尝试SQL注入攻击?[已关闭]

uqdfh47h  于 2023-01-13  发布在  SQLite
关注(0)|答案(1)|浏览(165)
    • 已关闭**。此问题为opinion-based。当前不接受答案。
    • 想要改进此问题吗?**请更新此问题,以便editing this post可以用事实和引文来回答。

6天前关闭。
Improve this question
我不知道很多关于SQL注入和好奇,看看人们有什么说,他们可能如何获得登录到一个管理员帐户,例如说管理员用户名是'管理员',希望我可以从中学习一点关于SQL注入如何工作和方法,以防止人们执行注入。

from email_validator import validate_email, EmailNotValidError
import sqlite3
from cryptography.fernet import Fernet
import csv
from tkinter import *
import tkinter as tk
from tkinter import messagebox

#open text file
with open ("key.txt", "r") as csvfile:
    reader = csv.reader(csvfile)
    keyFound = 0
    #checks for key
    for row in reader:
        try:
            print(row[0])
        except IndexError:
            continue
        if len(row[0]) > 4:
            keyFound = 1
            Key = row[0]
        else:
            pass
#if no key found one is created and written into the file
if keyFound == 0:
    Key = Fernet.generate_key()
    csvfile.close
if keyFound == 0:
    with open ("key.txt", "w") as csvfile:
        header = ['key']
        writer = csv.DictWriter(csvfile, fieldnames = header)
        writer.writeheader()
        writer.writerow({'key': Key.decode('utf-8')})
        csvfile.close()
#assigns the key
crypt = Fernet(Key)
csvfile.close()

# creates data base for user data
connect = sqlite3.connect('users') 
cursor = connect.cursor()
cursor.execute('''
CREATE TABLE IF NOT EXISTS users ([username] TEXT PRIMARY KEY, [firstname] TEXT, [lastname] TEXT, [email] TEXT, [password] TEXT)
''')
connect.commit()

root = tk.Tk()
root.title("")
root.geometry("400x500+290+10")
frame = tk.Frame(root)
frame.pack()

def loginFunc():
  root.destroy()
  login = tk.Tk()
  login.title("Login")
  login.geometry("400x500+290+10")
  frame2 = tk.Frame(login)
  frame2.pack()

  def loginCheck():
    username = entry1.get()
    password = entry2.get ()
    error = False

    # Query the database for the user with the specified email
    userData = '''SELECT * FROM users WHERE `username` = ?'''
    inputs = (username,)
    cursor.execute(userData, inputs)
    userRow = cursor.fetchone()

    # If the user exists, check if the password entered by the user matches the encrypted password in the database
    if userRow is not None:
      userPass = str(userRow[4])
      passStrip = userPass.strip("b'")
      b = bytes(passStrip, 'utf-8')
      passDecrypt = str(crypt.decrypt(b))
      passDecrypt = passDecrypt.strip("b'")
      if passDecrypt == password:
        pass
      else:
        messagebox.showinfo('', "incorrect password")
        error = True
    else:
      messagebox.showinfo('', "incorrect username")
      error = True
    
    if error == False:
      login.destroy()

  usernameLabel = tk.Label(login, text="Username:",width=20,font=("bold", 10))  
  usernameLabel.place(x=80,y=130)  
  entry1 = Entry(login)  
  entry1.place(x=250,y=135)

  passwordLabel = tk.Label(login, text="Password:",width=20,font=("bold", 10))  
  passwordLabel.place(x=80,y=170)
  entry2 = Entry(login)  
  entry2.place(x=250,y=175)

  enterButton = tk.Button(login, text="Login",width=20,font=("bold", 10), command=loginCheck)  
  enterButton.place(x=115,y=335)  

  login.mainloop()

def signupFunc():
  root.destroy()
  signup = tk.Tk()
  signup.title("Sign Up")
  signup.geometry("400x500+290+10")
  frame3 = tk.Frame(signup)
  frame3.pack()

  def createUser():
    #getting the data inputted into the entry text boxes and assigning to variables
    username = entry1.get()
    firstname = entry2.get()
    lastname = entry3.get()
    email = entry4.get()
    password = entry5.get()

    error = False
    #takes input for username and checks it is alphanumeric, username will also act as primary key so a validation for it being unique will occur
    #check if username is alphanumeric or has enough characters
    if len(username) < 3:
      messagebox.showinfo('', "Username not long enough!")
      error = True
    else:
      pass

    #check for if the username is unique
    uniqueUserCheck = '''SELECT * FROM users WHERE `username` = ?'''
    cursor.execute(uniqueUserCheck, [username])
    user = cursor.fetchone()
    # keep asking for a new username until the user enters a unique one
    if user is not None:
      messagebox.showinfo('', "This username is already taken, choose another")
      error = True
      cursor.execute(uniqueUserCheck, [username])
      user = cursor.fetchone()
    else:
      pass

    #takes input for first name and checks it is alphameric
    if firstname.isalpha() == False:
      messagebox.showinfo('', "Try enter first name again")
      error = True
    else:
      pass

    #takes input for last name and checks it is alphameric 
    if lastname.isalpha() == False:
      messagebox.showinfo('', "Try enter last name again")
      error = True
    else:
      pass

    #Using the email validator library, it will check that the email inputted fits the format, if not it will loop until it does
    i = 1
    if i == 1:
      try:
        email = validate_email(email).email
        i = 0
      except EmailNotValidError as x:
        messagebox.showinfo('', str(x))
        error = True
        i = 1
    else:
      pass

    #validates that the password meets required length
    if len(password) < 8:
      messagebox.showinfo("", "Password too short, has to be 8 characters or more")
      error = True
    else:
      pass
    # encrypt password using fernet
    b = bytes(password, 'utf-8')
    password_enc = crypt.encrypt(b)
    #runs function using data inputted as arguments

    if error == False:
      cursor.execute('''INSERT INTO users (username, firstname, lastname, email, password) VALUES(?, ?, ?, ?, ?)''', (username, firstname, lastname, email, password_enc))
      connect.commit()
      signup.destroy()
      loginFunc()

  usernameLabel = tk.Label(signup, text="Username:",width=20,font=("bold", 10))  
  usernameLabel.place(x=80,y=130)  
  entry1 = Entry(signup)  
  entry1.place(x=250,y=135)

  firstnameLabel = tk.Label(signup, text="Firstname:",width=20,font=("bold", 10))  
  firstnameLabel.place(x=80,y=170)
  entry2 = Entry(signup)  
  entry2.place(x=250,y=175)

  lastnameLabel = tk.Label(signup, text="Lastname:",width=20,font=("bold", 10))  
  lastnameLabel.place(x=80,y=210)  
  entry3 = Entry(signup)  
  entry3.place(x=250,y=215)

  emailLabel = tk.Label(signup, text="Email:",width=20,font=("bold", 10))  
  emailLabel.place(x=80,y=250)  
  entry4 = Entry(signup)  
  entry4.place(x=250,y=255)

  passwordLabel = tk.Label(signup, text="Password:",width=20,font=("bold", 10))  
  passwordLabel.place(x=80,y=290)  
  entry5 = Entry(signup)  
  entry5.place(x=250,y=295)

  enterButton = tk.Button(signup, text="Create User",width=20,font=("bold", 10), command=createUser) 
  enterButton.place(x=115,y=335)  
  
  signup.mainloop()

loginButton = tk.Button(root, text="Login", bg="#FFFFFF", font=("calibri", 12, "bold"), command=loginFunc)
loginButton.place(relx=0.5, rely=0.4, anchor=tk.CENTER)

signupButton = tk.Button(root, text="Sign Up", bg="#FFFFFF", font=("calibri", 12, "bold"), command=signupFunc)
signupButton.place(relx=0.5, rely=0.6, anchor=tk.CENTER)

root.mainloop()
sqlite

1条答案

按热度按时间
mwg9r5ms

mwg9r5ms1#

SQL注入不可能在此特定代码上进行,因为您使用了?占位符作为字符串输入,而不是直接内联替换SQL字符串。
您可能需要考虑将您的问题和代码减少到特定的内容,以便任何人都能给予特定的答案。

赞(0)分享  回复(0)举报  2023-01-13
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com