Can't login using Python and MYSQL because of malformed header from script 'login.py': Bad header: "

Question

I'm trying to login via Python and MYSQL using an Ubuntu 20.04 server, but I always get ,,500 internal error"

The script it's this and it's not so secured:

#!/usr/bin/python3
import pymysql
import cgi
from http import cookies
from art import *
# Open database connection
db = pymysql.connect("localhost","superadmin","123","dinamic" )

# prepare a cursor object using cursor() method
cursor = db.cursor()
data=cgi.FieldStorage()
a=data.getvalue('e1')
b=data.getvalue('p1')

# Prepare SQL query to fetch a record into the database.
sql = "select id,email,password from register where email='"+a+"' AND password='"+b+"'"
try:
# Execute the SQL command
 if(cursor.execute(sql)):
   # Commit your changes in the database
   db.commit()
   c=cookies.SimpleCookie()

   # assign a value
   c['mou']=a

   # set the xpires time
   c['mou']['expires']=24*60*60

   # print the header, starting with the cookie
   print (c)
   print("Content-type: text/html")
   print('''<html>
      <head>
         <title>Hello Word - First script</title>
      </head>
      <body>
         <h2>successfully login</h2>
      </body>
   </html>''')
 else:
   # Commit your changes in the database
   db.commit()
   print("Content-type: text/html")
   print("<html>")
   print("<body>")
   print("<h2>fail</h2>")
   print("</body>")
   print("</html>")
except:
   # Rollback in case there is any error
   db.rollback()

And the HTML file:

<html>
   <body>
      <form action="login.py" method="post">
         email: <input type="text" name="e1">
         password: <input type="password" name="p1">
         <input type="submit" value="register">
      </form>
   </body>
</html>

In the logs I get the following errors:

 File "/var/www/html/dinamic_python/login.py", line 15, in <module>: /var/www/html/dinamic_python/login.py
[Wed Mar 24 18:45:37.324689 2021]   sql = "select id,email,password from register where email='"+a+"' AND password='"+b+"'": /var/www/html/dinamic_python/login.py
[Wed Mar 24 18:45:37.324733 2021] TypeError: can only concatenate str (not "NoneType") to str: /var/www/html/dinamic_python/login.py
[Wed Mar 24 18:45:37.363064 2021] [cgi:error] [pid 18037] [client 127.0.0.1:59482] End of script output before headers: login.py

What am I doing wrong? Is it something wrong in my script?

Answer 1

This line:

sql = "select id,email,password from register where email='"+a+"' AND password='"+b+"'"

looks fishy.

I usually try to do something like this:

sql = "SELECT id, email, password FROM register WHERE email = %s AND password = %s"

Then call your cursor: cursor.execute(sql, (a, b))

It's not the greatest idea to pass your parameters as strings into your query. See here and here for more information.

Judging by the error:

[Wed Mar 24 18:45:37.324733 2021] TypeError: can only concatenate str (not "NoneType") to str: /var/www/html/dinamic_python/login.py

It also looks like one or more of your variables (a or b) might be NoneType.

Answer 2

try print.

print("{} / {}".format(a, b))

A or B have type "NoneType": TypeError: can only concatenate str (not "NoneType")

Answer 3

The problem is that I need to add print ("Content-type: text/html", end="\r\n\r\n", flush=True) to if, and also to the else statement. Also, be careful at \r\n , it is very important to use it.