Flask 数据安全
1、哈希加密用户密码
以用户注册登录为例
1.1、建立模型
模型
class User(db.Model):
id = db.Column(db.Integer, primary_key=True, autoincrement=True)
u_name = db.Column(db.String(16), unique=True)
u_password = db.Column(db.String(256))
迁移
python manage.py db migrate
python manage.py db upgrade
1.2、新建注册登录html
注册
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>用户注册页面</title>
</head>
<body>
<form action="{{ url_for('blue.user_register') }}" method="post">
<span>用户名</span><input type="text" name="username" placeholder="请输入用户名">
<br>
<span>密码</span><input type="password" name="password" placeholder="请输入密码">
<br>
<button>注册</button>
</form>
</body>
</html>
登录
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>用户注册页面</title>
</head>
<body>
<form action="{{ url_for('blue.user_login') }}" method="post">
<span>用户名</span><input type="text" name="username" placeholder="请输入用户名">
<br>
<span>密码</span><input type="password" name="password" placeholder="请输入密码">
<br>
<button>登录</button>
</form>
</body>
</html>
1.3、路由
@blue.route('/user/register/', methods=["GET", "POST"])
def user_register():
if request.method == "GET":
return render_template('UserRegister.html')
elif request.method == "POST":
username = request.form.get("username")
password = request.form.get("password")
# 哈希加密用户密码
# from werkzeug.security import generate_password_hash
hash_pwd = generate_password_hash(password)
user = User()
user.u_name = username
user.u_password = hash_pwd
db.session.add(user)
db.session.commit()
return redirect(url_for('blue.user_login'))
# return '注册成功'
@blue.route('/user/login/', methods=["GET", "POST"])
def user_login():
if request.method == "GET":
return render_template('UserLogin.html')
elif request.method == "POST":
username = request.form.get("username")
password = request.form.get("password")
user = User.query.filter(User.u_name.__eq__(username)).first()
# 验证密码
if user and check_password_hash(user.u_password, password):
return "登录成功"
return '登录失败'
1.4、运行并访问
查看数据库
2、改进
把密码验证封装到模型中
class User(db.Model):
id = db.Column(db.Integer, primary_key=True, autoincrement=True)
u_name = db.Column(db.String(16), unique=True)
_u_password = db.Column(db.String(256))
# python3中的property有一个很有意思的功能,它能将类中的方法像类属性一样调用!
# 它只能有self参数
# 那么如果想访问属性可以通过属性的getter(访问器)和setter(修改器)方法进行对应的操作.
# 将密码变成私有方法
@property
def u_password(self):
raise Exception("密码不可访问")
# 每次调用u_password自动加密_u_password后赋值
@u_password.setter
def u_password(self, v):
self._u_password = generate_password_hash(v)
# 验证密码时调用
def check_password(self, password):
return check_password_hash(self._u_password, password)
修改视图
@blue.route('/user/register/', methods=["GET", "POST"])
def user_register():
if request.method == "GET":
return render_template('UserRegister.html')
elif request.method == "POST":
username = request.form.get("username")
password = request.form.get("password")
user = User()
user.u_name = username
# 这里调用u_password就自动加密了
user.u_password = password
db.session.add(user)
db.session.commit()
return redirect(url_for('blue.user_login'))
# return '注册成功'
@blue.route('/user/login/', methods=["GET", "POST"])
def user_login():
if request.method == "GET":
return render_template('UserLogin.html')
elif request.method == "POST":
username = request.form.get("username")
password = request.form.get("password")
user = User.query.filter(User.u_name.__eq__(username)).first()
# 验证密码
if user and user.check_password(password):
return "登录成功"
return '登录失败'
迁移
python manage.py db migrate
python manage.py db upgrade
删除数据库user表里原本的内容
运行并访问
3、登录错误信息传递
在对应的路由里写入flash(“ ”)
flash需要添加SECRET_KEY,在setting里面添加SECRET_KEY =“ ”,赋值越复杂越好
传递到html里
{% for foo in get_flashed_messages() %}
<span>{{ foo }}</span>
{% endfor %}
运行并访问:写错登录密码就会提示
