Committed by
GitHub
Merge pull request #5 from lycoriskang/main
Strengthen login security and prevent SQL injection issues
Showing
1 changed file
with
28 additions
and
11 deletions
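--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -10,24 +10,41 @@ ub = Blueprint('user',
                url_prefix='/user',
                template_folder='templates')
 
+# 密码加密函数
+def hash_password(password: str, salt: str = 'XiaoXueQi2024') -> str:
+    """
+    使用 SHA256 对密码进行加盐哈希
+    :param password: 用户输入的密码
+    :param salt: 加盐值,默认值为 'XiaoXueQi2024'
+    :return: 哈希后的密码
+    """
+    hash_with_salt = hashlib.sha256(salt.encode('utf-8'))
+    hash_with_salt.update(password.encode('utf-8'))
+    return hash_with_salt.hexdigest()
 
 @ub.route('/login', methods=['GET', 'POST'])
 def login():
+    """
+    处理用户登录请求
+    :return: 登录页面或重定向到主页
+    """
     if request.method == 'GET':
-        return render_template('login_and_register.html')
-    else:
+        return render_template('login_and_register.html')  # 显示登录页面
 
-        def filter_fn(user):
-            hash_with_salt = hashlib.sha256('XiaoXueQi2024'.encode('utf-8'))
-            hash_with_salt.update(request.form['password'].encode('utf-8'))
-            return request.form[
-                'username'] in user and hash_with_salt.hexdigest() in user
+    # 提取表单数据
+    username = request.form.get('username', '').strip()
+    password = hash_password(request.form.get('password', '').strip())
 
-        users = query('select * from user', [], 'select')
-        login_success = list(filter(filter_fn, users))
-        if not len(login_success): return errorResponse('账号或密码错误')
+    # 查询用户信息
+    user_query = 'SELECT * FROM user WHERE username = %s AND password = %s'
+    users = query(user_query, [username, password], 'select')
+
+    if not users:
+        # 登录失败,返回登录页面并显示错误信息
+        return render_template('login_and_register.html', error='账号或密码错误', username=username)
 
-        session['username'] = request.form['username']
+    # 登录成功,设置会话并重定向
+    session['username'] = username
     return redirect('/page/home')
 
 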
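Review bot: New line 36 hashes `request.form.get('password', '').strip()`, while the removed `filter_fn` hashed `request.form['password']` untouched, so any account whose stored digest was made from a password with leading or trailing whitespace stops verifying after this change (the same applies if the registration path, which is outside this hunk, does not strip before hashing). Hash the raw value, `password = hash_password(request.form.get('password', ''))`, and keep the strip on the username only. Separately, `hash_password` at new line 14 takes its salt from a fixed default, so every user shares one salt and equal passwords yield equal digests, and a single SHA-256 pass is fast enough that a leaked `user` table is cheap to guess offline. The standard-library remedy is a per-user random salt from `secrets.token_bytes` fed to `hashlib.pbkdf2_hmac` or `hashlib.scrypt`, which changes the stored-hash format and so belongs in a follow-up rather than this commit.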