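So I wrote a simple login script in Python CGI. It wasn't working on localhost (it showed a 500 error), so I ran the code on its own, which showed that there is a problem in the code. The code is as follows: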
#!/usr/bin/python2.7
import cgi
import cgitb
import hashlib
import psycopg2
from dbconfig import *
cgitb.enable()
print "Content-Type: text/html"

def checkPass():
    email = "person@gmail.com"
    password = "blahblah"
    password = hashlib.sha224(password.encode()).hexdigest()
    result = cursor.execute('SELECT * FROM logins WHERE email=%s passhash=%s') % (email, password)
    print str(result)

if __name__ == "__main__":
    conn_string = "host=%s dbname=%s user=%s password=%s" % (host, database, dbuser, dbpassword)
    conn = psycopg2.connect(conn_string)
    cursor = conn.cursor()
    checkPass()
The line where the program gets stuck is the cursor.execute for the Postgres query. The error shown is as follows:
Traceback (most recent call last):
  File "login.py", line 28, in <module>
    checkPass()
  File "login.py", line 20, in checkPass
    result = cursor.execute('SELECT * FROM logins WHERE email=%s passhash=%s') % (email, password)
ProgrammingError: syntax error at or near "passhash"
LINE 1: SELECT * FROM logins WHERE email=%s passhash=%s
It should be noted that it points at passhash. I tried entering the query directly against the db in the psql console:
SELECT * FROM logins WHERE passhash=storedhashedcode;
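However, this returns an error about a nonexistent column named after the hash (i.e. e342hefheh43hfhfhefherf .... etc.). What am I doing wrong here? The only thing I can think of is that the hash is stored in a different way.
Note - here is the code I used to store the password etc., in case it helps: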
email = "person@gmail.com"
allpass = "blahblah"
password = hashlib.sha224(allpass.encode()).hexdigest()
cursor.execute('INSERT INTO logins (email, passhash) VALUES (%s, %s);', (email, password))
conn.commit()
Any help is much appreciated!
Update:
Following Decly's suggestion, I have changed the query to:
result = cursor.execute('SELECT * FROM logins WHERE email=%s AND passhash=%s') % (email, password)
This now produces the error:
ProgrammingError: column "s" does not exist
LINE 1: SELECT * FROM logins WHERE email=%s AND passhash=%s
So for some reason it is apparently using s as a column. Why won't it accept my variable names?
Answer 0 (score: 1)
In:
'SELECT * FROM logins WHERE email=%s passhash=%s'
you are missing the AND in the boolean expression:
'SELECT * FROM logins WHERE email=%s AND passhash=%s'
When you wrote the query in psql, you were missing the quotes for the string literal, so PostgreSQL inferred a column name; you should write:
SELECT * FROM logins WHERE passhash='storedhashedcode';
You are also putting it in the wrong place; the Python statement should be:
result = cursor.execute('SELECT * FROM logins WHERE email= %s AND passhash= %s', (email, password))
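The corrected call from the answer, as an added example that is not part of the original post. It assumes Python 3 and uses the standard-library sqlite3 module as a stand-in for psycopg2 so that it runs without a server (sqlite3 writes placeholders as `?` where psycopg2 uses `%s`); the second account and the helper names are constructed for illustration.

```python
import hashlib
import sqlite3

def sha224_hex(password):
    # Same hashing call the question uses when storing the password.
    return hashlib.sha224(password.encode()).hexdigest()

def make_db():
    # Constructed sample data; table and column names follow the question.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (email TEXT PRIMARY KEY, passhash TEXT)")
    rows = [("person@gmail.com", sha224_hex("blahblah")),
            ("o'brien@example.com", sha224_hex("hunter2"))]
    conn.executemany("INSERT INTO logins (email, passhash) VALUES (?, ?)", rows)
    conn.commit()
    return conn

def check_pass(conn, email, password):
    # Values travel as the second argument, so the driver binds them as data.
    cur = conn.cursor()
    cur.execute("SELECT 1 FROM logins WHERE email = ? AND passhash = ?",
                (email, sha224_hex(password)))
    # Read the row from the cursor; psycopg2's execute() itself returns None.
    return cur.fetchone() is not None

def check_pass_formatted(conn, email, password):
    # Anti-pattern: values pasted into the SQL text with Python's % operator,
    # so a quote character inside a value changes the statement itself.
    sql = "SELECT 1 FROM logins WHERE email = '%s' AND passhash = '%s'" % (
        email, sha224_hex(password))
    return conn.execute(sql).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print(check_pass(db, "person@gmail.com", "blahblah"))
    print(check_pass(db, "person@gmail.com", "wrong"))
    print(check_pass(db, "o'brien@example.com", "hunter2"))
    try:
        check_pass_formatted(db, "o'brien@example.com", "hunter2")
    except sqlite3.Error as exc:
        print("formatted query failed:", exc)
```

With bound parameters, the address containing an apostrophe is matched like any other value, while the string-formatted query no longer parses.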