Flask 8（数据安全）

1、哈希加密用户密码

以用户注册登录为例

1.1、建立模型

模型

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True, autoincrement=True)
    u_name = db.Column(db.String(16), unique=True)
    u_password = db.Column(db.String(256))

迁移

python manage.py db migrate
python manage.py db upgrade

1.2、新建注册登录html

注册

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>用户注册页面</title>
</head>
<body>
<form action="{{ url_for('blue.user_register') }}" method="post">
    <span>用户名</span><input type="text" name="username" placeholder="请输入用户名">
    <br>
    <span>密码</span><input type="password" name="password" placeholder="请输入密码">
    <br>
    <button>注册</button>
</form>
</body>
</html>

登录

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>用户注册页面</title>
</head>
<body>
<form action="{{ url_for('blue.user_login') }}" method="post">
    <span>用户名</span><input type="text" name="username" placeholder="请输入用户名">
    <br>
    <span>密码</span><input type="password" name="password" placeholder="请输入密码">
    <br>
    <button>登录</button>
</form>
</body>
</html>

1.3、路由

@blue.route('/user/register/', methods=["GET", "POST"])
def user_register():
    if request.method == "GET":
        return render_template('UserRegister.html')
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")
        # 哈希加密用户密码
        # from werkzeug.security import generate_password_hash
        hash_pwd = generate_password_hash(password)
        user = User()
        user.u_name = username
        user.u_password = hash_pwd
        db.session.add(user)
        db.session.commit()
        return redirect(url_for('blue.user_login'))
        # return '注册成功'


@blue.route('/user/login/', methods=["GET", "POST"])
def user_login():
    if request.method == "GET":
        return render_template('UserLogin.html')
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")
        user = User.query.filter(User.u_name.__eq__(username)).first()
        # 验证密码
        if user and check_password_hash(user.u_password, password):
            return "登录成功"
        return '登录失败'

1.4、运行并访问

查看数据库

2、改进

把密码验证封装到模型中

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True, autoincrement=True)
    u_name = db.Column(db.String(16), unique=True)
    _u_password = db.Column(db.String(256))

    # python3中的property有一个很有意思的功能，它能将类中的方法像类属性一样调用！
    # 它只能有self参数
    # 那么如果想访问属性可以通过属性的getter（访问器）和setter（修改器）方法进行对应的操作.

    # 将密码变成私有方法
    @property
    def u_password(self):
        raise Exception("密码不可访问")

    # 每次调用u_password自动加密_u_password后赋值
    @u_password.setter
    def u_password(self, v):
        self._u_password = generate_password_hash(v)

    # 验证密码时调用
    def check_password(self, password):
        return check_password_hash(self._u_password, password)

修改视图

@blue.route('/user/register/', methods=["GET", "POST"])
def user_register():
    if request.method == "GET":
        return render_template('UserRegister.html')
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")

        user = User()
        user.u_name = username
        # 这里调用u_password就自动加密了
        user.u_password = password
        db.session.add(user)
        db.session.commit()
        return redirect(url_for('blue.user_login'))
        # return '注册成功'


@blue.route('/user/login/', methods=["GET", "POST"])
def user_login():
    if request.method == "GET":
        return render_template('UserLogin.html')
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")
        user = User.query.filter(User.u_name.__eq__(username)).first()
        # 验证密码
        if user and user.check_password(password):
            return "登录成功"
        return '登录失败'

迁移

python manage.py db migrate
python manage.py db upgrade

删除数据库user表里原本的内容

运行并访问

3、登录错误信息传递

在对应的路由里写入flash（“ ”）

flash需要添加SECRET_KEY，在setting里面添加SECRET_KEY =“ ”，赋值越复杂越好

传递到html里

{% for foo in get_flashed_messages() %}
<span>{{ foo }}</span>
{% endfor %}

运行并访问:写错登录密码就会提示