Technically, though, USERNAME is clear, so you need to query for the username and 
just match the password with the crypted value.

On Monday, August 29, 2016 at 3:05:20 AM UTC+2, Massimo Di Pierro wrote:
>
> This cannot be done. It is a feature not a bug. The purpose of the salt in 
> the hashed password is to prevent brute force attacks to the database. What 
> you are doing is the brute force attack.
>
> The only way to do it is to select all records. Loop one by one and 
> compare them with 
>
> encpwd = CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0]
> for row in db(..).select(): 
>     if row.password == encpwd: ....
>
> I guess this is an ever more brute force attack.... It will be slow but may 
> work on small databases.
>
>
>
>
> On Sunday, 28 August 2016 08:39:06 UTC-5, Steve Joe wrote:
>>
>> db((db.auth_user.username == request.vars.username) & 
>> (db.auth_user.password == 
>> CRYPT(digest_alg='pbkdf2(1000,20,sha512)')(request.vars.password)[0])).select()
>> this doesn't work at all too.
>>
>> On Saturday, August 27, 2016 at 5:44:53 PM UTC+5:30, Kiran Subbaraman 
>> wrote:
>>>
>>> The book can help you: 
>>> http://web2py.com/books/default/chapter/29/06/the-database-abstraction-layer#Logical-operators
>>> You need to use the right operator in your query.
>>> You can also use the web2py debugger to figure out how your code works 
>>> and the values returned, at runtime.
>>>
>>> ________________________________________
>>> Kiran Subbaraman http://subbaraman.wordpress.com/about/
>>>
>>> On Sat, 27-08-2016 2:50 PM, Steve Joe wrote:
>>>
>>> Anyone there? Anthony?
>>>
>>> On Friday, August 26, 2016 at 7:38:40 PM UTC+5:30, Steve Joe wrote: 
>>>>
>>>> *db(db.auth_user.username == request.vars.username and 
>>>> db.auth_user.password == CRYPT(request.vars.password)).select()*
>>>>
>>>>
>>>> *if db(db.auth_user.username == request.vars.username and 
>>>> db.auth_user.password == 
>>>> CRYPT(digest_alg='md5')(request.vars.password)[0]).select(): * 
>>>>
>>>> Both of them don't work either. 
>>>>
>>>> On Friday, August 26, 2016 at 7:30:41 PM UTC+5:30, Niphlod wrote: 
>>>>>
>>>>> Fortunately the password doesn't get stored in plain text on web2py :D 
>>>>> You need to apply CRYPT() before comparing. Read more about that in the 
>>>>> book.
>>>>>
>>>>> On Friday, August 26, 2016 at 3:31:54 PM UTC+2, Steve Joe wrote: 
>>>>>>
>>>>>> IN PHONEGAP: 
>>>>>>
>>>>>> <form action="https://#someurl#.pythonanywhere.com/welcome/phonegap/login">
>>>>>>   username:<br>
>>>>>>   <input type="text" name="username" value="username">
>>>>>>   <br>
>>>>>>   Password:<br>
>>>>>>   <input type="password" name="password" value="">
>>>>>>   <br><br>
>>>>>>   <input type="submit" value="Submit">
>>>>>> </form>
>>>>>>
>>>>>>
>>>>>> IN WEB2PY:
>>>>>>
>>>>>> def login():
>>>>>>     k="false"
>>>>>>     if db(db.auth_user.username == request.vars.username and 
>>>>>> db.auth_user.password == request.vars.password).select():
>>>>>>         k="true"
>>>>>>     return locals()
>>>>>>
>>>>>> and in view I can see:
>>>>>>
>>>>>> <Storage {'username': 'shinchan', 'password': '1156'}> false 
>>>>>> which means I got k as false.
>>>>>>
>>>>>> The username and password are correct according to my database but I 
>>>>>> can't login. What should I do?
>>>>>>
>>>>> -- 
>>> Resources:
>>> - http://web2py.com
>>> - http://web2py.com/book (Documentation)
>>> - http://github.com/web2py/web2py (Source code)
>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "web2py-users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to web2py+un...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>
>>>

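The point made in the replies above, as an added example that is not part of the thread and is not web2py's own code: a salted hash cannot be matched in a WHERE clause, so the row is selected by username and the password is verified against the salt stored with it. The `alg$salt$hash` layout, the sqlite3 table and all function names are assumptions of this sketch; the sample user is constructed from the values shown in the thread.

```python
import hashlib, hmac, os, re, sqlite3

ALG = "pbkdf2(1000,20,sha512)"  # digest_alg string quoted in the thread

def hash_password(password, salt=None):
    """Return 'alg$salt$hexdigest' (assumed layout); fresh random salt per call."""
    salt = salt or os.urandom(8).hex()
    iters, keylen, name = re.fullmatch(r"pbkdf2\((\d+),(\d+),(\w+)\)", ALG).groups()
    dk = hashlib.pbkdf2_hmac(name, password.encode(), salt.encode(),
                             int(iters), int(keylen))
    return "%s$%s$%s" % (ALG, salt, dk.hex())

def verify(password, stored):
    """Re-derive with the salt embedded in `stored`; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != ALG:
        return False
    return hmac.compare_digest(hash_password(password, parts[1]), stored)

def login(db, username, password):
    """Select by username only, then verify the password outside the query."""
    row = db.execute("SELECT password FROM auth_user WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        hash_password(password)  # same work as a wrong password, no early exit
        return False
    return verify(password, row[0])

def equality_query_matches(db, username, password):
    """The approach that failed in the thread: hash again, compare in SQL."""
    return db.execute(
        "SELECT 1 FROM auth_user WHERE username = ? AND password = ?",
        (username, hash_password(password))).fetchone() is not None

def demo_db():
    """Constructed in-memory table holding one sample user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_user (username TEXT UNIQUE, password TEXT)")
    db.execute("INSERT INTO auth_user VALUES (?, ?)",
               ("shinchan", hash_password("1156")))
    return db
```

`equality_query_matches` returns no row even for the correct password because each call to `hash_password` draws a new salt, which is the behaviour the original poster ran into.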