
I found this on the internet and was trying to apply it to my school project. I tried using a while loop but I failed to make it work.

import subprocess
import sys
from tkinter import messagebox

# mydb (the MySQL connection) and the username / password Entry widgets
# are created elsewhere in the project.
def logs():
    mycursor = mydb.cursor()
    # The query is assembled with % formatting and compares the clear-text
    # password column; both points are discussed in the comments below.
    sql = "SELECT * FROM login_data WHERE BINARY username = '%s' OR BINARY email_address = '%s' AND BINARY password = '%s'" % (
        username.get(), username.get(), password.get())
    mycursor.execute(sql)
    if mycursor.fetchone():
        subprocess.Popen([sys.executable, "Manager.py"])
        exit()
    else:
        messagebox.showinfo("Warning", "Wrong username or password")
  • What you found is not best practice. You never store the clear text password of a user. Only a salted cryptographical hash of it should be stored. Have a look at https://docs.python.org/3/library/hashlib.html#key-derivation – Klaus D. Jun 18 '21 at 05:29
  • This is also prone to SQL Injection. Do not use string formatting to generate SQL commands. You need to use parametrized queries. – PacketLoss Jun 18 '21 at 06:04

2 Answers


You can declare a variable fail_count that is global (outside this function). Add 1 to it each time in the else section. Ensure you reset fail_count = 0 for each session.

import subprocess
import sys
from tkinter import messagebox

fail_count = 0  # module-level counter; set it back to 0 at the start of each session

def logs():
    global fail_count  # required: the function assigns to fail_count below
    mycursor = mydb.cursor()

    if fail_count < 3:
        # Query carried over from the question; see the comments there about
        # parameterised queries and hashed passwords.
        sql = "SELECT * FROM login_data WHERE BINARY username = '%s' OR BINARY email_address = '%s' AND BINARY password = '%s'" % (
            username.get(), username.get(), password.get())
        mycursor.execute(sql)
        if mycursor.fetchone():
            subprocess.Popen([sys.executable, "Manager.py"])
            exit()
        else:
            fail_count = fail_count + 1
            messagebox.showinfo("Warning", "Wrong username or password")
    # Once fail_count reaches 3 the function does nothing more for this session.
– sam
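The answer's per-session counter combined with the two comments on the question (store only a salted hash, pass query values as parameters), as an added example that is not part of this answer. It stands in an in-memory sqlite3 table for the page's mydb and inserts one constructed user, alice; the threshold, the PBKDF2 round count and the function and table names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_FAILURES = 3         # same threshold as the answer's "fail_count < 3"
PBKDF2_ROUNDS = 100_000  # assumption: raise as far as your hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, one of the key-derivation functions in hashlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the page's login_data table.

    Only a per-user salt and the derived hash are stored, never the password.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login_data (username TEXT UNIQUE, email_address TEXT UNIQUE,"
        " salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO login_data VALUES (?, ?, ?, ?)",
        ("alice", "alice@example.com", salt, hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


class LoginState:
    """Per-session failure counter, replacing the answer's global fail_count."""

    def __init__(self) -> None:
        self.fail_count = 0


def logs(conn: sqlite3.Connection, state: LoginState, identifier: str, password: str) -> str:
    """Return 'ok', 'bad' or 'locked' (the caller shows the dialog / starts Manager.py)."""
    if state.fail_count >= MAX_FAILURES:
        return "locked"
    # Values travel separately from the SQL text (sqlite3 uses ?, mysql-connector
    # uses %s with a parameter tuple), so input can never be parsed as SQL.
    row = conn.execute(
        "SELECT salt, pw_hash FROM login_data WHERE username = ? OR email_address = ?",
        (identifier, identifier),
    ).fetchone()
    if row is None:
        # Unknown user: spend the same hashing time anyway so response timing
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        ok = False
    else:
        salt, stored = row
        ok = hmac.compare_digest(hash_password(password, salt), stored)
    if ok:
        state.fail_count = 0
        return "ok"
    state.fail_count += 1
    return "bad"
```

The password never appears in the query at all; it is checked in Python against the stored hash. That also sidesteps a precedence problem in the original WHERE clause: AND binds tighter than OR, so `username = 'x' OR email_address = 'x' AND password = 'y'` matches any row whose username is 'x' regardless of the password.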

If you want to build it from scratch, here is my good practice:

  1. Create a table, or just a new column, containing how many attempts that user has made.

Assume that you create a new table LoginAttemp; the columns are ID, USERNAME, ATTEMP.

  2. On each login ATTEMPT where USERNAME is valid and the password is invalid, increase the ATTEMP number by one.

  3. Create an ATTEMPT checker on each login ATTEMPT. When the ATTEMPT in the database is more than your MAX, treat it as an unusual login.

  4. You should make a condition for RESETting the login ATTEMPT.

There are some good answers here, if you want to use an available tool instead:

Lock out users after too many failed login attempts

https://code.google.com/archive/p/django-brutebuster/

https://pypi.org/project/django-axes/

– Rizquuula