I am currently working on a project that requires a login system that can access information (username, password) through a database using sqlite3. Here is the current login system:

import sqlite3

# Assumed setup (not shown in the question): open the database and get a cursor
conn = sqlite3.connect("users.db")
cur = conn.cursor()

def UserLogin():
    # Placeholder credentials; in the original these come from the login form
    un = "admin"
    pw = "password"

    try:
        statement = cur.execute("SELECT Username FROM Users")

        for row in statement:
            if un in row:
                print("%s" % un)
                # This line raises "no such column: admin": the username is
                # pasted into the SQL text without quotes, so SQLite reads
                # it as a column name rather than a string value
                pw_pas = cur.execute("SELECT Password FROM Users WHERE Username = %s" % (un))

                # Rows come back as tuples, so compare against (pw,)
                if (pw,) in pw_pas.fetchall():
                    print("Welcome\n")
                else:
                    print("Password is incorrect")
                return
        print("Username is incorrect")
    except IOError:
        # sqlite3 errors are not IOError subclasses, so they are not caught here
        print("This process could not be executed")

    print("login successful")

The problem is that when I run the code I get an error message saying "sqlite3.OperationalError: no such column: admin". I have entered the username and password into the database but still get this error.

Please help

  • Congratulations! You've discovered SQL Injection. You have sent the word Admin without quotes, and it has been accepted as a column name in your query. A malicious user could use this 'feature' to access, change, or delete any data in your database. See the answer re: parameters. Commented Jul 10, 2017 at 10:43
  • xkcd.com/327 Commented Jul 14, 2017 at 12:23

1 Answer

Do not use string substitution for SQL statements. Use parameters.

cur.execute("SELECT Password FROM Users WHERE Username = ?", (un,))

1 Comment

@JordanCorfield If you want to know why this is the right approach, I suggest you read up on common security flaws. The OWASP Top Ten is a great place to start. Good luck.
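To make the answer concrete, here is an added example (not code from the question or the answer) that rebuilds the asker's login check around the parameterized query. It uses a constructed in-memory Users table with made-up rows, keeps the three outcomes of the original function as return values, and includes a helper that reproduces the original string-substitution pattern only to show the "no such column" error it produces. The function names user_login and lookup_with_string_substitution are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory database standing in for the asker's Users table.
# The rows are made up for this example.
conn = sqlite3.connect(":memory:")
cur = conn.cursor()
cur.execute("CREATE TABLE Users (Username TEXT PRIMARY KEY, Password TEXT)")
cur.executemany(
    "INSERT INTO Users VALUES (?, ?)",
    [("admin", "password"), ("o'brien", "secret")],
)
conn.commit()


def user_login(un, pw):
    """Return 'Welcome', 'Password is incorrect' or 'Username is incorrect'.

    The username is bound with a ? placeholder, so the driver hands it to
    SQLite as a value; it is never spliced into the SQL text, and a quote
    or other SQL syntax inside it stays part of the literal.
    """
    row = cur.execute(
        "SELECT Password FROM Users WHERE Username = ?", (un,)
    ).fetchone()
    if row is None:
        return "Username is incorrect"
    if row[0] == pw:
        return "Welcome"
    return "Password is incorrect"


def lookup_with_string_substitution(un):
    """The asker's original pattern, kept only to show why it fails.

    Returns the sqlite3 error message, or None if the query ran.
    """
    try:
        cur.execute("SELECT Password FROM Users WHERE Username = %s" % un)
    except sqlite3.OperationalError as exc:
        # With un = "admin" the text becomes ... Username = admin, which
        # SQLite parses as a column reference, hence "no such column: admin"
        return str(exc)
    return None


if __name__ == "__main__":
    print(user_login("admin", "password"))          # Welcome
    print(user_login("admin", "wrong"))             # Password is incorrect
    print(user_login("o'brien", "secret"))          # Welcome (quote is data)
    print(user_login("nobody", "x"))                # Username is incorrect
    print(lookup_with_string_substitution("admin"))  # no such column: admin
```

The single parameterized SELECT also replaces the original loop over every username: the database does the matching, and fetchone() returning None is the "Username is incorrect" case.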
