I'm basically making a Skype alternative in Python.
I'm making the login/register system,but I ran into some problems.
So I need to be able to connect to a mySQL database, but when viewing the code of the .py file, the person viewing the code can not be able to see the mySQL login information.
Because then they could just login to the database themselves, and mess everything up.
Anybody have any clue on how to do this?
EDIT
It's basically impossible to do what I want, so I'm just gonna make it so that you have to register through a website, and have logging in have read-only privileges to the database. SHA-256 should be pretty difficult for someone to crack, so I'll just encrypt everyones usernames and passwords.
Lock down access to the mySQL user ID used by the program so it can do only what it needs and nothing more. Perhaps interact via stored procedures only, and without permission to do anything directly (e.g. DROP tables, SELECT, INSERT, DELETE, etc.)
You can encrypt the password, but if someone has the program code, if the user ID isn't locked down they can still get into the database without knowing the password, just by changing what the Python program queries.
Related
I have a small Python project site where a visitor can practice writing SQL code. This code actually runs and returns values. I know that I need to prevent SQL injection, but I'm not sure the best approach since the purpose of the site is that users should be able to write and execute arbitrary SQL code against a real database.
What should I look to do to prevent malicious behavior? I want to prevent statements such as DROP xyz;, but users should still be able to execute code. I think maybe the ideal solution is that users can only "read" from the database, ie. they can only run SELECT statements (or variations). But I'm not sure if "read only" captures all edge cases of malicious behavior.
Need to prevent malicious SQL querying, but also need to allow users to execute code
Using SQLite now but will probably move to postgres
I'm strictly using SQL at this point but may want to add Python and other languages in the future
The site is built with Python (Flask)
Any ideas or suggestions would be helpful
There is no way to prevent SQL injection for a site that takes SQL statements as user input and runs them verbatim. The purpose of the site is SQL injection. The only way you can prevent SQL injection is to not develop this site.
If you do develop the site, how can you prevent malicious SQL? Answer: don't let malicious users have access to this site. Only allow trusted users to use it.
Okay, I assume you do want to develop the site and you do want to allow all users, without doing a lot of work to screen them.
Then it becomes a task of limiting the potential damage they can do. Restrict their privileges carefully, so they only have access to create objects and run queries in a specific schema.
Or better yet, launch a Docker container for each individual to have their own private database instance, and restrict the CPU and memory the container can use.
Is there a way to connect to MySQL DB with maybe RSA keys or by providing SHA-256 encrypted login and password in code? Because let's say we want to post our app publicly. Anyone who can decompile the app will see all the code including our login and password to the database.
I was wondering (purely theoretically) because If I wanted to implement some kind of codes system (like those from gift cards or PaySafeCards) to my app so the user could have like a premium membership or different feature and I wanted to store them in my database then someone could just decompile the app, steal the login and password that were in code, access the database, steal the codes and have the membership for free so how would I prevent a situation like that from happening?
You need to use environment variables. Check this website to learn more. You will use the os module and more specifically os.environ which returns a dictionary that contains all current environment variables.
If you want to publish your code on a public platform such as Github you can set private environment variables. Check here
I have been tasked with creating a simple HTML webpage to allow sysadmins to grant database permissions in a mysql instance (v 5.6.34).
Where I am stuck is that our security team wants the sysadmins to be able to enter a number of days, after which time the privs would be revoked -- I cannot seem to figure out a way to do this natively, from within the database (i.e. an expiration date of sorts), and have it happen automatically on said date. Is there a way to do this?
I do plan to script the events in Python, but I am pretty new there as well so if I am missing something simple please let me know.
I've heard that MongoDB is very good Database, especially for placing large data inside, However i'm not sure how safe can it really be.
I'm not experienced at MongoDB, but before i choose, i want to know how safe it can be for important data.
So for example, if i specified uri, i would type this:
uri = "mongodb://test1:test1#ds051990.mongolab.com:51990/base1"
I'm trying to make a P2P text chat, It can be accessed on user's PC with root permissions, Whenever user registers, User's Latest IP, Username and will be added to database, as code was shown below.
But the "Hacker" would easily access it by simply getting into code, and viewing all the information, then he would read/write all the data inside.
What would be the best solution to prevent this issue? I think high-level Databases like MongoDB would have some-kind of protection against other users accessing it.
How can make sure only necessary users can access database and other users can't enter it by viewing uri variable?
If not is there ANY other way i can do it? So user can't access Database at all, But i would read and write files from database.
You have no easy way of hiding the credentials. Instead, create a user with the minimal required permissions in the database, and use these credentials in your distributed code.
If you are worried about the users being able to see plain-text IP addresses, you should hash and salt them before inserting them to the database.
Im trying to send a simple email to do the password recover of a user, the input is just a email to send the new password..
But i can't... i get this error
SMTPServerDisconnected: please run connect() first
I already tried a few examples, like, https://bitbucket.org/andialbrecht/appengine_emailbackends/overview, but i get the same error
I really need this, maybe someone can tell me how to use an alternative to code in my view to send an email...Also i changed the backend to
EMAIL_BACKEND = 'djangoappengine.mail.EmailBackend'
but nothing,i don't know how to use this backend anyway :(
Plz Help :(
maybe someone can tell me how to use an alternative to code in my view to send an email...
I can help with this, seeing as it seems that perhaps this repository you're trying to use is based on an earlier version of App Engine and is throwing the error due to a required code change somewhere in the library - either that or the fact that you changed the string from what the library recommends (your version: 'djangoappengine.mail.EmailBackend') to a string that seems to not be correct, as it's different to what the author of the repository directed you to use (their version: 'appengine_emailbackend.EmailBackend'), and this is causing trouble.
Whenever possible, I'd recommend seeing if there is an "app-engine-y" way to do something, before going to a third-party library or deploying a module somebody else wrote to hack in third-party capabilities, or looking for an advanced/experimental feature (for example, use Datastore first, rather than remotely connecting to a MySQL VM, unless you need MySQL). If you absolutely need that library, this is a different story, but if you just want to send emails, the Mail API is what you need. It's a convenient way to send emails on App Engine.
I'm going to assume in the following that you are storing your user's usernames and hashed passwords in custom-defined User-kind entities in your Datastore. If you have your users using simple OAuth to sign into your site, there is never any reason to "reset/recover password":
Create the <form action="/some/route" action="POST"> element on
the page where the user requests password recovery.
Put the code responsible for handling this form submission (they will input their email, or whatever account info they need for your code to find their User entity in the Datastore in a handler that will respond on that route.
In the handler, generate a unique token and store it in the Datastore. Send the token in the email that you generate and send using the Mail API (see the example code in the link to the docs I provided). This will allow your user to return to your site, authenticate with the token from the email, and then fill out a form to create a new password. You will then hash this password (with a salt) and store it in their User entity in your Datastore.
I'm skipping over the details of how to implement a "password recovery form", given what I said about OAuth and that you are probably really only concerned with how to send mail. In the email you send, for example, you can insert a hyperlink to your site with the token already inserted as a query param, so that the user doesn't have to copy and paste, etc.