Managing User Authentication for a web-app with MySQL [closed] - python

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
I'm building my first ever web-app in Python and haven't even decided on a framework yet.
Does it make sense to start out with a MySQL database to manage users and credentials,
or is it a completely ridiculous way to approach it?
What are some existing solutions and best practices for managing user credentials?

The answer is, as always, it depends. There are many ways to build a web app in Python so you'll first need to decide on what you want to build or what technology you want to learn.
If you just want to focus on a Python backend as a learning exercise then you could use Flask which can run as a server and includes many modules to help you get started including managing users. If you plan to expose your app publicly though it is generally recommended to use Apache or some other battle tested server which can route the requests to Flask.
There are other Python frameworks like bottle, which I believe is meant to be even simpler than Flask, and Django, which is more complicated but has more features. It all depends on what you want to do. You can also look at things like dash if your end goal has a data analysis flavor.
One thing to note though is that managing user credentials is not trivial. It can be a useful exercise if you like to learn and tinker, but to do it correctly you'll need to learn about salting passwords, cryptographically secure hashing, session management, HTTPS (and ideally which ciphers should be deprecated), how to protect against SQL injection (good to know how to do this anyway if you don't already), cross site scripting, CORS, etc. The list goes on. None of these things are exclusively just for managing user credentials but you should understand all the ways things can go south on you.
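An added example (not from the answer above) of the two points the answer names that you can get wrong in a home-grown credential store: per-user salted password hashing and parameterised SQL. It uses sqlite3 so it runs offline; the table layout and the `pw_hash` column name are assumptions, and with a MySQL driver the same queries use that driver's placeholder style.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware allows


def open_db():
    """In-memory stand-in for the MySQL users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE users (
        username TEXT PRIMARY KEY, salt BLOB NOT NULL,
        pw_hash BLOB NOT NULL, iterations INTEGER NOT NULL)""")
    return conn


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted, slow hash: the stored value is useless without the salt and work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(conn, username, password):
    salt = os.urandom(16)  # fresh random salt per user, never reused
    # Placeholders keep user input out of the SQL text; never f-string a query.
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (username, salt, hash_password(password, salt), ITERATIONS))
    conn.commit()


def verify(conn, username, password):
    row = conn.execute(
        "SELECT salt, pw_hash, iterations FROM users WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # same cost so timing does not leak existence
        return False
    salt, stored, iterations = row
    # Constant-time comparison of the stored hash against the recomputed one.
    return hmac.compare_digest(stored, hash_password(password, salt, iterations))


def new_session_token():
    """Random, unguessable session identifier to hand out after a successful login."""
    return secrets.token_urlsafe(32)
```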

Related

Python as Backend and Flutter as Frontend [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 1 year ago.
I am currently working on an app or rather preparing everything. However, I have a question regarding backend and frontend. For the frontend, I was thinking about working with Dart/Flutter, since I'm planning to release the app for iOS and Android. For the backend, I would actually like to use Python, since I also have experience with the programming language.
I want to build an artificial intelligence into my app, which can receive an input from the user via the frontend connection, do something with it and pass this processed information back to the frontend and thus to the user as output. I hope you can understand all this. So, in general, it just has to be able to pass the information between the Dart files (Flutter) and the Python files.
In fact, I don't really have any experience with linking a frontend with a backend. Now I just wanted to ask if all this is possible at all and if Flutter or Dart and Python are even "compatible" with each other, maybe with plugins or something? I don't want to do without Flutter for my app, so if that's not possible, which programming language could I use instead of Python for programming an artificial intelligence?
Maybe one of you already has experience in this area or with my problem and could help me? I am looking forward to your opinions and suggestions for help or also experiences.
Kind regards and thanks in advance!
I'm a Fullstack developer and I have worked on a bunch of these projects with Front-end and Back-end components.
Essentially what you would do is have your front-end make GET requests to a server. Your front-end client would be in Flutter or Dart and the server would be an HTTP API. Flask, for example, is one framework that lets you make web applications with Python. You are making an API for your client to call.
I can't speak as much to Flutter or Dart because I'm a React.js developer, but you would host your client on one website and then host a server on another website and simply make GET and POST requests to the server.

Security - App Engine multitenancy (Python) [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
We have a legacy .exe solution running on industrial clients' desktops that I need to port over to Google App Engine. All clients will have the same version of the app, no code customization. We need to be sure that data will not be leaked between different clients of the new GAE app or be snooped on by some external party.
So I have a couple of questions that I hope someone will be able to help me out with.
Option 1: Use namespaces to separate clients' data. This seems quite robust at the Datastore level; without the proper namespace, data would not be served. Since we have the company name of each user, I would presume this would be quite secure against leaks.
Q1: Which precautions do I need to take to avoid someone guessing or hacking at URLs to get to unauthorized data?
Option 2: We could have a separate instance of the code and datastore for each client. This would give the optimal separation between clients.
Q2: Is there a tool or API to "clone" a given GAE app to many clients? We would feed the list of clients and update the code to all those instances in one go.
Thanks!
Which precautions do I need to take to avoid someone guessing or hacking at URLs to get to unauthorized data?
Namespaces are not a security mechanism for Datastore. A user with access to one partition in a project has access to all partitions in the project. Namespaces provide a way to organize your entities within a project.
Is there a tool or API to "clone" a given GAE app to many clients? We would feed the list of clients and update the code to all those instances in one go.
To have completely isolated instances of services, you can create new projects programmatically using the Cloud Resource Manager API and access resources across projects.

DjangoREST vs ExpressJS , which 1 should I choose to build REST API? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 3 years ago.
I want to build a REST API (or GraphQL API) which I want to connect with Angular (2+) to build some nice web application.
Which framework should I choose to get started with and why? DjangoREST or ExpressJS?
Which one of them is easier to get connected with front-end frameworks?
I know Python as well as JavaScript. I also have experience with Django as well as some JavaScript front-end frameworks like Angular. So, it wouldn't be that difficult to get started with Node.js or either of them.
Which of them is easier and better?
In short, Django for quick development and Express for full-stack, scalable solutions.
Django provides better, easier security without as much experience. In the case of Express, it takes so much experience and confidence to get the same security from Node.js.
Django uses the MVT (Model View Template) design pattern and Express uses event-driven programming, in which the entire architecture is driven by "events" or user choices. MVT is excellent for server-side development; event-driven programming, on the other hand, does not separate the client and server sides.
Django uses an in-house template system, so you won't have to choose the right one. With Express, a fully open system, you may spend a lot of time choosing the perfect one for you.
Django is more structured to work around. It tells you how to do things, whereas Express gives you the flexibility to do it your way. For example, you need to use Django's ORM to interact with the database, but in the case of Express, you can choose any tool you like.
Express gives you freedom. So, if you’re experienced, there is a space to create whatever you want from scratch. Django gives you a lot of solutions with a vast template and library system, which is great for productivity but not enough for the vision.

Allowing users to execute python code on the server [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I know this is technically a duplicate question, but I believe it is valid since the original question was submitted 7 years ago and Python/web security has come a long way since then.
I would like to build a web app that allows users to input python code (through the Ace editor package) and then execute it in the browser using a python interpreter on the server. I cannot use pypy.js because I need to use numpy, pandas, and matplotlib. Essentially I would like to make my own Codecademy (I am a teacher and would like to create Codecademy-like courses for my students). Sadly the create-a-course thing Codecademy mentioned at one point has come to nothing.
I'm using Flask, but I could learn Django if that would be easier.
What is the best way to allow my users to run the python code without allowing them to affect the rest of the program or access files outside of what they're allowed to?
There were no fundamental changes in Python or web security in the last 7 years. It is still suicidal to allow users to run code on your server.
However, what did change is the availability of lightweight VM solutions like Docker.
For an example of how this could work have a look at https://civisanalytics.com/blog/engineering/2014/08/14/Using-Docker-to-Run-Python/ . I will not reference this solution here as you will find other examples, even if this one goes away.
However, this might be safer than running user code directly on your server, BUT:
- the user code is still running on your server. It might not be possible to escape the Docker image, but a malicious user could still upload e.g. a denial of service tool and start an attack from your server. Or sniff your network traffic or whatever.
- there are, or at least might be, ways to break out of the Docker image.
For a controlled environment like a classroom those risks might be acceptable, but for a public server you would need a lot of security know-how to further lock down the server and the Docker image and filter available Python functionality.
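As an added illustration of the "further lock down the Docker image" advice (this is not the linked blog post's code), here is a Python wrapper that builds a hardened `docker run` invocation for a student's script: no network (so the container cannot launch attacks or sniff from your host), memory/CPU/process caps, a read-only root, dropped capabilities and an unprivileged user. The image name `py-sandbox`, the `/work/main.py` mount point and the presence of coreutils `timeout` in the image are assumptions.

```python
import subprocess
from pathlib import Path

IMAGE = "py-sandbox"  # assumed image with python3, numpy, pandas, matplotlib


def sandbox_command(code_path, *, image=IMAGE, mem="256m", timeout_s=10):
    """Build the docker command line; each flag addresses a risk named above."""
    script = Path(code_path).resolve()
    return [
        "docker", "run", "--rm",
        "--network=none",                       # no DoS tools or sniffing from your server
        f"--memory={mem}", "--cpus=0.5",        # cap memory and CPU
        "--pids-limit=64",                      # stop fork bombs
        "--read-only",                          # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=16m",
        "--cap-drop=ALL",                       # no Linux capabilities
        "--security-opt=no-new-privileges",     # no setuid escalation inside
        "--user=65534:65534",                   # run as nobody, not root
        "-v", f"{script}:/work/main.py:ro",     # only the student's file, read-only
        image, "timeout", str(timeout_s), "python3", "/work/main.py",
    ]


def run_untrusted(code_path, timeout_s=10):
    """Run the script and return (returncode, stdout, stderr); -1 on overrun."""
    cmd = sandbox_command(code_path, timeout_s=timeout_s)
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout_s + 5)  # outer guard if the image's timeout fails
    except subprocess.TimeoutExpired:
        return (-1, "", "killed: exceeded time limit")
    return (proc.returncode, proc.stdout, proc.stderr)
```

Resource limits cap damage but do not make the host trustworthy against a container escape, which is the residual risk the answer points out.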

What would be the more practical uses for a Django application w/out a database? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I recently got into Django out of curiosity after developing for quite a while w/ Ruby on Rails and Node.js, and found that it's splendid for working w/ databases. Django is primarily known for working with databases and every tutorial I've ever found on it has included databases. Django supports not requiring databases however, and, just out of curiosity since I'm still rather inexperienced w/ Django, what would be some practical uses w/ Django w/out requiring databases?
I do not recommend using Django if you are not interested in using a database. Having written that disclaimer, if you insist on still using it, you can just scan over the documentation and identify what is still available to you if you do not have a database:
You can use Django's security features to help protect against clickjacking, cross site request forgeries, etc.
You can take advantage of Django's support for internationalization if you want to support multiple languages on your website.
You can have Django handle validation of any forms you have on your website.
...basically you can create a static website that takes advantage of the rapid prototyping enabled by a framework built using Python.
I can't think of many if I'm honest. If you are writing a web application that doesn't need to store or retrieve things from some sort of storage then using a whole Django project is probably total overkill.
A blog wouldn't really require a database if you only had a single user who was willing to add posts by adding files manually, but something like Jekyll would be better for that.
You could create a web app that would interact with the server it's on. For example, you could create a web page that called a Unix command when you hit a page. You would be able to use this to create some sort of dashboard for your server or maybe provide a cleaner user interface for things that you could do with SSH. However, Django might be overkill for this; something like Flask might work better as you would have a lot less overhead.