Golang and MySQL login tutorial (opens in new tab)

(dinosaurscode.xyz)

56 pointslllorddino10y ago17 comments

17 comments

16 comments · 6 top-level

taspeotis10y ago· 3 in thread

    hashPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)

    _, err = db.Exec("INSERT INTO users(usrname, password) VALUES(?, ?)", username, password)

I'm not a Go expert. Doesn't this:

1) ignore an error, if any? And then

2) ignore hashPassword and just insert the non-hashed password into the database?

It looks like if someone follows along from home they'll get a syntax error from "usrname" but let's say they fixed that...

The code at the bottom of the article doesn't seem to suffer from the latter issue, but still suffers from the former.

afghanPower10y ago

Seems like the author went a little too fast here. Should definitely insert the hashed password into the db.

edit: Otherwise, great read! Hoping for more.

stygiansonic10y ago

Yeah, it seems like a typo. The "Signup Page" example doesn't use `hashPassword` but in the "entire source code" example at the bottom, it does properly use `hashedPassword` in the statement. (But still ignores any error from `bcrypt.GenerateFromPassword`)

lllorddinoOP10y ago

Fixed and fixed. There were more bugs in it but glad you pointed this out or else I may have never fixed it.

andmarios10y ago· 2 in thread

Whilst I am always grateful for new tutorials, I think this is a special case where the author should have gone the extra mile and talk about salting and maybe even about hashing the password client side.

Security related tutorials should not skip steps, even if only to mention the more advanced of them.

rimantas10y ago

There is no skipped step, bcrypt does salting itself.

andmarios10y ago

Ah yes! Thank you for the correction. :)

insertnickname10y ago· 2 in thread

    var db *sql.DB
    var err error

Why declare this error globally?

falcolas10y ago

The DB: because there's an internal goroutine-safe connection pool, so you want it to either be global, or exist in the server singleton (i.e. global).

The err: because they use it so frequently, easier to define it once and simply assign to it multiple times than try and track if it's already been defined per block of code.

Personally, I prefer to use distinct error variables for each error which can be thrown, but either method is idiomatic.

hellcow10y ago

It's bad practice to define an error globally. Let's say you create a goroutine which uses that same err variable (such as an http handler)--now you have a race condition, as that memory is being modified across threads.

1 more reply

jtruk10y ago· 1 in thread

panic() in a web serving route (e.g. signupPage here) is bad practice - an error will bring down your web server. Panics should be reserved for errors that invalidate your system, e.g. missing view assets or db connection on system startup.

Much better to http.Redirect/5xx.

lllorddinoOP10y ago

Fixed.

fideloper10y ago· 1 in thread

I'm not familiar with how the DB classes work (and I guess what counts as a function "ending"). Since `db.Close()` is deferred, is there a mysql connection open for as long as the web server is open in this case?

The main() function doesn't "end" until the web listener is stopped, correct?

stygiansonic10y ago

Yes, that's correct. `http.ListenAndServe()` doesn't return until the web listener is stopped.

This is actually the intended usage of `sql.Open()`: https://golang.org/pkg/database/sql/#Open (it maintains its own connection pool and is safe for concurrent use)

avinassh10y ago· 1 in thread

why not use an ORM?

arien10y ago

It's a good practice to learn the inner works before adding layers that may simplify (but obscure) functionality.

j / k navigate · click thread line to collapse

17 comments

16 comments · 6 top-level

taspeotis10y ago· 3 in thread

    hashPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)

    _, err = db.Exec("INSERT INTO users(usrname, password) VALUES(?, ?)", username, password)

I'm not a Go expert. Doesn't this:

1) ignore an error, if any? And then

2) ignore hashPassword and just insert the non-hashed password into the database?

It looks like if someone follows along from home they'll get a syntax error from "usrname" but let's say they fixed that...

The code at the bottom of the article doesn't seem to suffer from the latter issue, but still suffers from the former.

afghanPower10y ago

Seems like the author went a little too fast here. Should definitely insert the hashed password into the db.

edit: Otherwise, great read! Hoping for more.

stygiansonic10y ago

lllorddinoOP10y ago

Fixed and fixed. There were more bugs in it but glad you pointed this out or else I may have never fixed it.

andmarios10y ago· 2 in thread

Security related tutorials should not skip steps, even if only to mention the more advanced of them.

rimantas10y ago

There is no skipped step, bcrypt does salting itself.

andmarios10y ago

Ah yes! Thank you for the correction. :)

insertnickname10y ago· 2 in thread

    var db *sql.DB
    var err error

Why declare this error globally?

falcolas10y ago

The DB: because there's an internal goroutine-safe connection pool, so you want it to either be global, or exist in the server singleton (i.e. global).

The err: because they use it so frequently, easier to define it once and simply assign to it multiple times than try and track if it's already been defined per block of code.

Personally, I prefer to use distinct error variables for each error which can be thrown, but either method is idiomatic.

hellcow10y ago

1 more reply

jtruk10y ago· 1 in thread

Much better to http.Redirect/5xx.

lllorddinoOP10y ago

Fixed.

fideloper10y ago· 1 in thread

The main() function doesn't "end" until the web listener is stopped, correct?

stygiansonic10y ago

Yes, that's correct. `http.ListenAndServe()` doesn't return until the web listener is stopped.

This is actually the intended usage of `sql.Open()`: https://golang.org/pkg/database/sql/#Open (it maintains its own connection pool and is safe for concurrent use)

avinassh10y ago· 1 in thread

why not use an ORM?

arien10y ago

It's a good practice to learn the inner works before adding layers that may simplify (but obscure) functionality.

j / k navigate · click thread line to collapse