Re: [web2py] Re: I am trying to login from Phonegap app into my web2py app, what's wrong here?

2016-08-29 Thread Niphlod
technically though USERNAME is clear. so you need to query for username and 
just match the password with the crypted value.

On Monday, August 29, 2016 at 3:05:20 AM UTC+2, Massimo Di Pierro wrote:
>
> This cannot be done. It is a feature not a bug. The purpose of the salt in 
> the hashed password is to prevent brute force attacks to the database. What 
> you are doing is the brute force attack.
>
> The only way to do it is to select all records. Loop one by one and 
> compare them with 
>
> encpwd = CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0]
> for row in db(..).select():
>     if row.password == encpwd:
>
> I guess this is an even more brute force attack. It will be slow but may 
> work on small databases.

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
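
The point made in the two replies above (a salted hash cannot be matched with an equality query, so select by username and then check the password against that row) as an added example in plain Python; it is not web2py's own code and not from the thread. The `alg$salt$hexdigest` layout, the in-memory `USERS` table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

ALG = "pbkdf2(1000,20,sha512)"  # digest_alg string from the thread; 'alg$salt$hex' layout is assumed
_ALG_RE = re.compile(r"pbkdf2\((\d+),(\d+),(\w+)\)$")


def _derive(password, salt, alg):
    """PBKDF2-HMAC using the iterations, key length and digest named in `alg`."""
    m = _ALG_RE.match(alg)
    if m is None or m.group(3) not in hashlib.algorithms_available:
        raise ValueError("unsupported digest_alg: %r" % alg)
    iterations, keylen, digest = int(m.group(1)), int(m.group(2)), m.group(3)
    return hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(),
                               iterations, dklen=keylen).hex()


def hash_password(password, salt=None):
    """Return 'alg$salt$hexdigest'; a fresh random salt is used by default."""
    salt = salt or secrets.token_hex(8)
    return "%s$%s$%s" % (ALG, salt, _derive(password, salt, ALG))


def verify_password(password, stored):
    """Recompute with the salt embedded in `stored`, compare in constant time."""
    try:
        alg, salt, digest = stored.split("$")
        candidate = _derive(password, salt, alg)
    except ValueError:  # malformed or unsupported stored value
        return False
    return hmac.compare_digest(candidate, digest)


def naive_match(users, username, password):
    """Model of the equality query: compare the row to a freshly salted hash."""
    return users.get(username) == hash_password(password)


def login(users, username, password):
    """Select by username only, then verify against that single row."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY)  # do the same work for unknown users
        return False
    return verify_password(password, stored)


DUMMY = hash_password("not-a-real-account")
# Constructed sample table: username -> stored password field.
USERS = {"alice": hash_password("correct horse"), "bob": hash_password("hunter2")}
```

`naive_match` returns `False` even for the right password because each call draws a new salt, while `login` reuses the salt stored with the user's row.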


Re: [web2py] Re: I am trying to login from Phonegap app into my web2py app, what's wrong here?

2016-08-28 Thread Massimo Di Pierro
This cannot be done. It is a feature not a bug. The purpose of the salt in 
the hashed password is to prevent brute force attacks to the database. What 
you are doing is the brute force attack.

The only way to do it is to select all records. Loop one by one and compare 
them with 

encpwd = CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0]
for row in db(..).select():
    if row.password == encpwd:

I guess this is an even more brute force attack. It will be slow but may 
work on small databases.




On Sunday, 28 August 2016 08:39:06 UTC-5, Steve Joe wrote:
>
> db((db.auth_user.username == request.vars.username) &
>    (db.auth_user.password ==
>     CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0])).select()
>
> this doesn't work at all too.


Re: [web2py] Re: I am trying to login from Phonegap app into my web2py app, what's wrong here?

2016-08-28 Thread Steve Joe
db((db.auth_user.username == request.vars.username) &
   (db.auth_user.password ==
    CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0])).select()

this doesn't work at all too.

On Saturday, August 27, 2016 at 5:44:53 PM UTC+5:30, Kiran Subbaraman wrote:
>
> The book can help you: 
> http://web2py.com/books/default/chapter/29/06/the-database-abstraction-layer#Logical-operators
> You need to use the right operator in your query.
> You can also use the web2py debugger to figure out how your code works and 
> values returned, at runtime.
>
> Kiran Subbaraman
> http://subbaraman.wordpress.com/about/


Re: [web2py] Re: I am trying to login from Phonegap app into my web2py app, what's wrong here?

2016-08-27 Thread Kiran Subbaraman
The book can help you: 
http://web2py.com/books/default/chapter/29/06/the-database-abstraction-layer#Logical-operators

You need to use the right operator in your query.
You can also use the web2py debugger to figure out how your code works 
and values returned, at runtime.



Kiran Subbaraman
http://subbaraman.wordpress.com/about/

On Sat, 27-08-2016 2:50 PM, Steve Joe wrote:

> Anyone there? Anthony?



[web2py] Re: I am trying to login from Phonegap app into my web2py app, what's wrong here?

2016-08-27 Thread Steve Joe
Anyone there? Anthony?

On Friday, August 26, 2016 at 7:38:40 PM UTC+5:30, Steve Joe wrote:
>
> db(db.auth_user.username == request.vars.username and
>    db.auth_user.password == CRYPT(request.vars.password)).select()
>
> if db(db.auth_user.username == request.vars.username and
>       db.auth_user.password ==
>       CRYPT(digest_alg='md5')(request.vars.password)[0]).select():
>
> Both of them don't work either. 


[web2py] Re: I am trying to login from Phonegap app into my web2py app, what's wrong here?

2016-08-26 Thread Steve Joe
db(db.auth_user.username == request.vars.username and
   db.auth_user.password == CRYPT(request.vars.password)).select()

This also doesn't work either. 

On Friday, August 26, 2016 at 7:30:41 PM UTC+5:30, Niphlod wrote:
>
> fortunately the password doesn't get stored in plain text on web2py :D You 
> need to apply CRYPT() before comparing. Read more about that on the book.


[web2py] Re: I am trying to login from Phonegap app into my web2py app, what's wrong here?

2016-08-26 Thread Niphlod
fortunately the password doesn't get stored in plain text on web2py :D You 
need to apply CRYPT() before comparing. Read more about that on the book.

On Friday, August 26, 2016 at 3:31:54 PM UTC+2, Steve Joe wrote:
>
> IN PHONEGAP:
>
> https://#someurl#.pythonanywhere.com/welcome/phonegap/login
> ">
>   username:
>   Password:
>
> IN WEB2PY:
>
> def login():
>     k="false"
>     if db(db.auth_user.username == request.vars.username and
>           db.auth_user.password == request.vars.password).select():
>         k="true"
>     return locals()
>
> and in view I can see:
>
>  false
> which means I got k as false.
>
> The username and password are correct according to my database but I can't 
> login. What should I do?
>
