
I am creating a login application using Flask-mysql.

    from flask import Flask, jsonify, request, json
    from flask_mysqldb import MySQL
    from datetime import datetime
    from flask_cors import CORS
    from flask_bcrypt import Bcrypt
    from flask_jwt_extended import JWTManager
    from flask_jwt_extended import (create_access_token, create_refresh_token, jwt_required, jwt_refresh_token_required, get_jwt_identity, get_raw_jwt)
    import yaml

    app = Flask(__name__)
    # safe_load: yaml.load() without a Loader raises TypeError on PyYAML >= 6 and
    # would otherwise construct arbitrary Python objects from the config file
    alogin = yaml.safe_load(open('alogin.yaml'))
    app.config['MYSQL_HOST'] = alogin['mysql_host']
    app.config['MYSQL_USER'] = alogin['mysql_user']
    app.config['MYSQL_PASSWORD'] = alogin['mysql_password']
    app.config['MYSQL_DB'] = alogin['mysql_db']
    app.config['MYSQL_CURSORCLASS'] = 'DictCursor'
    app.config['JWT_SECRET_KEY'] = 'secret'

    mysql = MySQL(app)
    bcrypt = Bcrypt(app)
    jwt = JWTManager(app)

    CORS(app)

    @app.route('/alogin', methods=['POST'])
    def login():
        cur = mysql.connection.cursor()
        email = request.get_json()['email']
        password = request.get_json()['password']
        result = ""

        cur.execute("SELECT * FROM admin where email = '" + str(email) + "'")
        rv = cur.fetchone()

        if bcrypt.check_password_hash(rv['password'], password):
            access_token = create_access_token(identity = {'id':rv['id'],'email': rv['email']})
            result = jsonify({"token":access_token})
        else:
            result = jsonify({"error":"Invalid username and password"})

        return result


    if __name__ == '__main__':
        app.run(debug=True)

I am getting the error as follows:

    if bcrypt.check_password_hash(rv['password'], password):
    TypeError: 'NoneType' object is not subscriptable

I have tried using 'force=True' in

    email = request.get_json(force = True)['email']
    password = request.get_json(force = True)['password']

Yet it is throwing the same error. This is my first application with flask. Help will be appreciated.

PS: admin is the name of the table in the database and I have already created it in the mysql database.

  • What if my email is '; DROP TABLE admin --? Commented Aug 3, 2020 at 9:25
  • And while the above is annoying, a more insidious user would send something like "notfound' UNION SELECT 1 AS id, CONCAT(GROUP_CONCAT(email SEPARATOR ','), ';', GROUP_CONCAT(CONVERT(password USING latin1) SEPARATOR ',')) AS email, X'<attacker-chosen-bcrypt-hash>' AS password FROM admin -- "@foo.bar to collect all your admin credentials – or anything from your DB for that matter, they could read from any which table they want. The moral of the story is: use placeholders in your query and pass the values to execute() separately. Commented Aug 3, 2020 at 12:57

1 Answer

fetchone() will return None if the query doesn't result in data. Add an

    if rv is None:

check to handle the case of someone providing an email address that isn't in the database.

Also, take a moment and look up "SQL Injection Attack".
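Putting both points of the answer together, as an added example (not the asker's or the answerer's code): the lookup uses a placeholder instead of string concatenation, handles the `rv is None` case the traceback comes from, and still runs a password check when the email is unknown so a missing account takes about as long as a wrong password. It uses the standard library only: sqlite3 stands in for flask_mysqldb (whose cursors take `%s` placeholders) and PBKDF2 stands in for Flask-Bcrypt; the `admin` table and its columns follow the question.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


# Stand-in for Flask-Bcrypt so the example runs offline; the real handler
# would call bcrypt.generate_password_hash / bcrypt.check_password_hash.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_password_hash(stored, password):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Hash of a random throwaway password, checked when no row exists so that
# "unknown email" and "wrong password" cost roughly the same time.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def authenticate(cur, email, password, placeholder="%s"):
    """Return {'id', 'email'} for a valid login, None otherwise.

    `cur` is any DB-API cursor returning dict-like rows. `placeholder` is a
    code constant chosen per driver ("%s" for MySQLdb, "?" for sqlite3); the
    email itself is always passed to execute() as a parameter, never spliced
    into the SQL text, so a value like "'; DROP TABLE admin --" is just a
    string that matches no row.
    """
    cur.execute("SELECT id, email, password FROM admin WHERE email = "
                + placeholder, (email,))
    rv = cur.fetchone()
    if rv is None:
        # the case behind the question's TypeError: never index into None
        check_password_hash(_DUMMY_HASH, password)
        return None
    if not check_password_hash(rv["password"], password):
        return None
    return {"id": rv["id"], "email": rv["email"]}


def demo_cursor():
    """Constructed in-memory admin table with one account (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows support rv["password"] like DictCursor
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)")
    conn.execute("INSERT INTO admin (email, password) VALUES (?, ?)",
                 ("admin@example.com", hash_password("correct horse")))
    conn.commit()
    return conn.cursor()
```

In the Flask handler, `authenticate(mysql.connection.cursor(), email, password)` replaces the concatenated query, and a `None` result maps to the existing "Invalid username and password" response.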
