
I have a database in Python with 2 fields: Username and passHash. The DB is OK, I already checked and all the parameters are correct. Then I need an authentication system that will look at each row for the username; if it finds it, look at the 2nd field for the password, and if it is not the same as the user-provided one, return "pass incorrect". But the problem is: how can I do it so the system will loop through all the rows and, when it finishes, return "User doesn't exists"? Because now it returns user not found on the first row searched. Sounds freaking noob but let's go D:

PS: using Twisted and sqlite3

    import logging

    # playerDB is assumed to be the sqlite3 cursor set up elsewhere in the server.
    def authenticate(self, username, password):
        playerDB.execute('''SELECT * FROM playerData''')
        for row in playerDB:
            if row[0] == username:
                if row[1] == password:
                    if username in ADMIN_NAMES:
                        self.server.sendOutput("Admin authentication: %s" % username)
                        logging.info("Admin authentication: %s" % username)
                    return "Authenticated"
                else:
                    logging.info("Authentication Fail: %s" % username)
                    return "Password doesn't matches username."

            else:
                # Runs on the first row whose username does not match, so the
                # loop never reaches the later rows (the behaviour asked about).
                return "This player doesn't exists."
  • Have you considered writing an SQL query other than `SELECT * FROM playerData`? Commented Jul 27, 2011 at 18:49
  • Sorry, I am a beginner in SQL so I don't really know too much.. examples would be appreciated :) Commented Jul 27, 2011 at 19:00

3 Answers


From a security standpoint, you should not tell unauthenticated users that their username wasn't found, or that their username was found but the password didn't match.

By providing this information, you are giving potential attackers more information about the way they can attack.

If an attacker can try common usernames, and then try common passwords, he's not going to have to work nearly as hard, or try nearly as many combinations of username/password, before finding a match.

If instead you just tell unauthenticated users the same message every time, "That username or password did not match", regardless of the reason why they have been refused authentication (whether they supplied an invalid username, an invalid password, or are being blocked because they triggered an abuse detector), then an attacker has no idea if they are getting closer to success, and will have to try passwords even on usernames that might not even exist.
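An added example (not from the question or either answer) that combines the two points made on this page: a single parameterised lookup replaces the per-row loop, the stored value is a salted PBKDF2 hash compared in constant time, and every failure returns the same message. The in-memory database, `register` and `hash_password` are constructed for the example and are not part of the asker's code.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database matching the question's schema (Username, passHash).
playerDB = sqlite3.connect(":memory:")
playerDB.execute("CREATE TABLE playerData (Username TEXT PRIMARY KEY, passHash BLOB)")

ITERATIONS = 100_000
SALT_LEN = 16
GENERIC_FAILURE = "That username or password did not match."


def hash_password(password, salt=None):
    """Return salt + PBKDF2-SHA256 digest, with a fresh random salt per user."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def register(username, password):
    """Store the hash, never the password itself."""
    playerDB.execute("INSERT INTO playerData VALUES (?, ?)",
                     (username, hash_password(password)))


def authenticate(username, password):
    # Bound parameter: the username is never spliced into the SQL text.
    row = playerDB.execute(
        "SELECT passHash FROM playerData WHERE Username = ?", (username,)
    ).fetchone()
    # Hash against a dummy record when the user is missing so the response
    # time does not reveal whether the username exists.
    stored = row[0] if row else hash_password("", b"\x00" * SALT_LEN)
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison; same message for unknown user and wrong password.
    if row is not None and hmac.compare_digest(candidate, expected):
        return "Authenticated"
    return GENERIC_FAILURE
```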


Just move your second else clause out to the for loop instead of the outer if statement. If you get to the end of the loop without an error, break, or return, it will be executed.

2 Comments

Worked like a charm, thanks for the simple answer, that was just what I needed! :D
Please click the check mark next to my answer if it solved your problem.
    # Let the database do the lookup; bind the username as a parameter
    # instead of formatting it into the query string.
    result = playerDB.execute('SELECT * FROM playerData WHERE Username = ?', (username,)).fetchall()
    if len(result) == 1:  # user found
        pass
    else:  # user not found
        pass

1 Comment

Nah, but I need to know the username... and please, if the answer were more simplified, like the bit of code I provided, it would be easier to understand for me :)
