python - Authenticating on Web.py - will this code be unsafe for production? -

-

i making simple web-app requires login admin page. came across incantation on web.py site (http://webpy.org/cookbook/userauth) :

import hashlib import web      def post(self):     = web.input()      authdb = sqlite3.connect('users.db')     pwdhash = hashlib.md5(i.password).hexdigest()     check = authdb.execute('select * users username=? , password=?', (i.username, pwdhash))     if check:          session.loggedin = true         session.username = i.username         raise web.seeother('/results')        else: return render.base("those login details don't work.")

however page gives ominous warning: "do not use code on real site - illustration.". wondering if there major holes in this, i'm unfamiliar web-programming wanted make sure using code wont unwittingly make app open trivial attack vectors?

many thanks

the possible problem can think of here, if somehow possible exploit md5 collisions, i.e. 2 different strings can generate same md5 hash - in case potentially log in password not correct, generates same md5 hash.

changing better hashing algorithm such sha-1 (or else available in hashlib) close potential security problem.

as far know, difficult exploit md5 collision problem gain access. so, broken, , quoting security guru bruce schneier wikipedia article:

[he] wrote of attack "[w]e knew md5 broken hash function" , "no 1 should using md5 anymore."


Comments

Post a Comment

Popular posts from this blog

ASP.NET/SQL find the element ID and update database -

-
basically i've got update query runs when click submit button. i have asp:repeater in page layer inside this <asp:repeater id="dgbookings" runat="server" onitemdatabound="itemdb"> <itemtemplate> <div class="bookingscontent"> <div class="bookingdetails" id="<%# databinder.eval(container.dataitem, "booking_ref") %>"> <p class="infotext"><%# databinder.eval(container.dataitem, "adults") %> <asp:linkbutton onclick="editdetails" text="edit..." runat="server"></asp:linkbutton></p> <p class="infotext"><asp:linkbutton onclick="submitdetails" text="submit..." runat="server"></asp:linkbutton></p> </div> </div> </itemtemplate> <asp:repeater> and outputs ...
Read more

jquery - appear modal windows bottom -

-
i have modal windows in application, work fine <div id="modal" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="mymodallabel" aria-hidden="true"> but when modal appears, appear top of windows, , want appear bottom the application joomla 3.0! , using template of meet gavern any idea? i found solution i modified de css in bootstrap .modal.fade { top:-25%; -webkit-transition:opacity .3s linear, bottom .3s ease-out; -moz-transition:opacity .3s linear, bottom .3s ease-out; -ms-transition:opacity .3s linear, bottom .3s ease-out; -o-transition:opacity .3s linear, bottom .3s ease-out; transition:opacity .3s linear, bottom .3s ease-out; }
Read more

c++ - Compiling static TagLib 1.6.3 libraries for Windows -

-
i having super hard time compiling , using taglib 1.6.3 in qt project. i've tried can think of. taglib claims supported through cmake i'm not having luck. furthermore, i'm confused kinds of files need qt libs! i've built *.a files, *.lib, , *.dll. understand far... believe since i'm working in windows *.lib want. no matter do, end "undefined references" taglib functions try use when try compile qt project. have tried mingw32, msys, visual studio 2008, , cross-compiling windows on linux. turning nothing. what makes less sense me if compile same taglib source qt on mac (g++ think?) works fine! somewhere in windows compilation procedures have going wrong. have been smacking face on desk 30 (on , off) hours trying figure out. since qt uses mingw must compile taglib same compiler? if compile *.lib's visual studio not compatible? are *.a libraries usable in windows? (assuming mingw) i'm still trying handle on c++ stuff, after reading coun...
Read more