Update user.py
1,密码哈希:
将密码加盐哈希的逻辑抽取到 hash_password 函数中,提高代码复用性。
2,参数化查询:
使用参数化的 SQL 查询防止 SQL 注入攻击。
3,表单字段获取:
使用 get 方法获取表单字段,并移除多余空格。
4,友好错误提示:
登录失败时,返回错误信息,并保留用户名以减少用户重新输入的负担。
+30
-13
@@ -10,25 +10,42 @@ ub = Blueprint('user',
|
|||||||
url_prefix='/user',
|
url_prefix='/user',
|
||||||
template_folder='templates')
|
template_folder='templates')
|
||||||
|
|
||||||
|
# 密码加密函数
|
||||||
|
def hash_password(password: str, salt: str = 'XiaoXueQi2024') -> str:
|
||||||
|
"""
|
||||||
|
使用 SHA256 对密码进行加盐哈希
|
||||||
|
:param password: 用户输入的密码
|
||||||
|
:param salt: 加盐值,默认值为 'XiaoXueQi2024'
|
||||||
|
:return: 哈希后的密码
|
||||||
|
"""
|
||||||
|
hash_with_salt = hashlib.sha256(salt.encode('utf-8'))
|
||||||
|
hash_with_salt.update(password.encode('utf-8'))
|
||||||
|
return hash_with_salt.hexdigest()
|
||||||
|
|
||||||
@ub.route('/login', methods=['GET', 'POST'])
|
@ub.route('/login', methods=['GET', 'POST'])
|
||||||
def login():
|
def login():
|
||||||
|
"""
|
||||||
|
处理用户登录请求
|
||||||
|
:return: 登录页面或重定向到主页
|
||||||
|
"""
|
||||||
if request.method == 'GET':
|
if request.method == 'GET':
|
||||||
return render_template('login_and_register.html')
|
return render_template('login_and_register.html') # 显示登录页面
|
||||||
else:
|
|
||||||
|
|
||||||
def filter_fn(user):
|
# 提取表单数据
|
||||||
hash_with_salt = hashlib.sha256('XiaoXueQi2024'.encode('utf-8'))
|
username = request.form.get('username', '').strip()
|
||||||
hash_with_salt.update(request.form['password'].encode('utf-8'))
|
password = hash_password(request.form.get('password', '').strip())
|
||||||
return request.form[
|
|
||||||
'username'] in user and hash_with_salt.hexdigest() in user
|
|
||||||
|
|
||||||
users = query('select * from user', [], 'select')
|
# 查询用户信息
|
||||||
login_success = list(filter(filter_fn, users))
|
user_query = 'SELECT * FROM user WHERE username = %s AND password = %s'
|
||||||
if not len(login_success): return errorResponse('账号或密码错误')
|
users = query(user_query, [username, password], 'select')
|
||||||
|
|
||||||
session['username'] = request.form['username']
|
if not users:
|
||||||
return redirect('/page/home')
|
# 登录失败,返回登录页面并显示错误信息
|
||||||
|
return render_template('login_and_register.html', error='账号或密码错误', username=username)
|
||||||
|
|
||||||
|
# 登录成功,设置会话并重定向
|
||||||
|
session['username'] = username
|
||||||
|
return redirect('/page/home')
|
||||||
|
|
||||||
|
|
||||||
@ub.route('/register', methods=['GET', 'POST'])
|
@ub.route('/register', methods=['GET', 'POST'])
|
||||||
|
|||||||
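Review bot: `hash_password` (the new function right after `template_folder='templates')`) is a single SHA-256 pass over a fixed default salt `'XiaoXueQi2024'`, so two users with the same password store the same digest and a leaked table can be brute-forced offline at raw hash speed; a password store needs a per-user random salt and a deliberately slow KDF such as `hashlib.pbkdf2_hmac` (or, since the file already uses Flask, `werkzeug.security.generate_password_hash`/`check_password_hash`). That also means `login` can no longer match the digest in the WHERE clause of `user_query`; fetch the row by `username` alone and verify in Python with `hmac.compare_digest`, as sketched below (`secrets` and `hmac` would be imported at the top of the file, outside this hunk, and rows written under the old scheme would need rehashing, e.g. on their next successful login). Separately, `password = hash_password(request.form.get('password', '').strip())` strips whitespace from the credential, which the removed `request.form['password']` did not do, so a password registered with a leading or trailing space may stop matching; keep `.strip()` on the username only. The `register` route's body lies outside the hunk, so its write path would need the same change.
```python
def hash_password(password: str, salt: str = '') -> str:
    """Return 'salt$hex' for password using PBKDF2-HMAC-SHA256 and a per-user random salt."""
    if not salt:
        salt = secrets.token_hex(16)
    # 600_000 is a constructed example; tune the iteration count to the server's budget
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt.encode('utf-8'), 600_000)
    return f'{salt}${digest.hex()}'


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of password against a value produced by hash_password."""
    salt, _, _ = stored.partition('$')
    return hmac.compare_digest(hash_password(password, salt), stored)


# … unchanged: @ub.route('/login') decorator, docstring and GET branch …
        username = request.form.get('username', '').strip()
        password = request.form.get('password', '')
        rows = query('SELECT * FROM user WHERE username = %s', [username], 'select')
        # NOTE(review): adjust rows[0]['password'] to the row shape query() actually returns
        if not rows or not verify_password(password, rows[0]['password']):
            return render_template('login_and_register.html', error='账号或密码错误', username=username)
# … unchanged: session assignment and redirect …
```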