The latest articles on DEV Community by Avash Karn (@avash_karn). https://dev.to/avash_karn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3933233%2F56290230-cdb4-4f0e-9175-c3fe094af7d9.png https://dev.to/avash_karn en Avash Karn Fri, 29 May 2026 03:01:29 +0000 https://dev.to/avash_karn/sql-injection-protection-in-flask-a-practical-guide-part-5-of-e2ee-chat-series-1gjk https://dev.to/avash_karn/sql-injection-protection-in-flask-a-practical-guide-part-5-of-e2ee-chat-series-1gjk <h2> The Problem </h2> <p>Most developers think their database is safe. It's not. SQL injection attacks can destroy everything.</p> <h2> What is SQL Injection? </h2> <p>If you write code like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'"</span> </code></pre> </div> <p>An attacker types: <code>admin' OR '1'='1</code></p> <p>Your query becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">username</span> <span class="o">=</span> <span class="s1">'admin'</span> <span class="k">OR</span> <span class="s1">'1'</span><span class="o">=</span><span class="s1">'1'</span> </code></pre> </div> <p><strong>All users exposed.</strong> Game over.</p> <h2> The Solution: Parameterized Queries </h2> <p>Never use f-strings for queries. Use parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_sqlalchemy</span> <span class="kn">import</span> <span class="n">SQLAlchemy</span> <span class="n">db</span> <span class="o">=</span> <span class="nc">SQLAlchemy</span><span class="p">()</span> <span class="n">user</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">db</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="n">User</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="n">User</span><span class="p">.</span><span class="n">username</span> <span class="o">==</span> <span class="n">username</span><span class="p">)</span> <span class="p">).</span><span class="nf">scalar</span><span class="p">()</span> </code></pre> </div> <p>SQLAlchemy automatically escapes dangerous characters.</p> <h2> Why It Works </h2> <ul> <li>Database treats input as DATA, not CODE</li> <li>Even if attacker types <code>admin' OR '1'='1'</code>, it's treated as literal string</li> <li>Safe from injection</li> </ul> <h2> Common Mistakes </h2> <ol> <li>Using f-strings for queries ❌</li> <li>Not validating input ❌</li> <li>Trusting user data ❌</li> </ol> <h2> Conclusion </h2> <p>Always use parameterized queries. Never build queries with string formatting.</p> database python security sql Avash Karn Tue, 26 May 2026 10:04:11 +0000 https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-4-real-time-messaging-with-socketio-2ll7 https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-4-real-time-messaging-with-socketio-2ll7 <h2> Building an E2EE Chat App in Flask - Part 4: Real-Time Messaging with SocketIO </h2> <p>Hey! So far we covered encryption, passwords, and file uploads. But how do messages show up instantly without refreshing?</p> <h2> The Problem: Polling vs Real-Time </h2> <p>Without real-time, your app is dead:</p> <ul> <li>User sends message</li> <li>Other user refreshes page</li> <li>Message appears or they don't refresh message won't appear</li> <li>Sucks, right?</li> </ul> <h2> The Solution: SocketIO </h2> <p>WebSockets = open connection between client and server. Message goes instantly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_socketio</span> <span class="kn">import</span> <span class="n">SocketIO</span><span class="p">,</span> <span class="n">emit</span><span class="p">,</span> <span class="n">join_room</span> <span class="n">socketio</span> <span class="o">=</span> <span class="nc">SocketIO</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">cors_allowed_origins</span><span class="o">=</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@socketio.on</span><span class="p">(</span><span class="sh">'</span><span class="s">send_message</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">handle_message</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="n">message</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">]</span> <span class="n">channel</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">channel</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Save to database </span> <span class="n">new_post</span> <span class="o">=</span> <span class="nc">Post</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="n">message</span><span class="p">,</span> <span class="n">channel_id</span><span class="o">=</span><span class="n">channel</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">new_post</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="c1"># Send to all users in channel </span> <span class="nf">emit</span><span class="p">(</span><span class="sh">'</span><span class="s">receive_message</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">:</span> <span class="n">message</span><span class="p">},</span> <span class="n">room</span><span class="o">=</span><span class="n">channel</span><span class="p">)</span> </code></pre> </div> <h2> How It Works </h2> <ol> <li>User sends message</li> <li>Server receives via flask-SocketIO</li> <li>Server saves to database</li> <li>Server broadcasts to all users in channel</li> <li>Everyone gets message INSTANTLY</li> </ol> <h2> Why This Matters </h2> <p>No refresh needed. No delay. Real-time = better UX.</p> <h2> What's Next </h2> <p>Part 5: Database design and security.</p> <p>Questions?</p> backend python tutorial webdev Avash Karn Sat, 23 May 2026 02:43:26 +0000 https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-3-keeping-file-uploads-safe-iid https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-3-keeping-file-uploads-safe-iid <p>Okay hi, so imagine you have a mailbox at your house. Anyone can put things in it, am I right or am I right? What if someone puts a bomb in there? Or trash? You need to check what goes in before it causes problems.</p> <p>That's what file uploads are like. Users can upload anything. We need to stop the bad stuff.</p> <h2> The Problem: Bad Files </h2> <p>When I first built my chat app, I didn't think about what users could upload. They could upload:</p> <ul> <li>Files with viruses hidden inside</li> <li>Really huge files that break the app</li> <li>Weird file types that cause problems</li> <li>Files with tricky names designed to hack the system</li> </ul> <p>It's like leaving your house door open and hoping bad people don't come in. Spoiler: they will.</p> <h2> My Solution: Check Everything </h2> <p>I learned to be a security guard for my app. Here's what I do:</p> <h3> 1. Only Accept Certain File Types </h3> <p>First, I made a python Set of file types I actually want:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ALLOWED_EXTENSIONS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">png</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">jpg</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">jpeg</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">gif</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">mp4</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">mov</span><span class="sh">'</span><span class="p">}</span> </code></pre> </div> <p>I only allow images (png, jpg, gif) and videos (mp4, mov). That's it. No .exe files. No .zip files. Nothing unsafe.</p> <p>Then I check every file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">allowed_file</span><span class="p">(</span><span class="n">filename</span><span class="p">):</span> <span class="k">return</span> <span class="sh">'</span><span class="s">.</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">filename</span> <span class="ow">and</span> <span class="n">filename</span><span class="p">.</span><span class="nf">rsplit</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">in</span> <span class="n">ALLOWED_EXTENSIONS</span> </code></pre> </div> <p>All that code just says: "Does the file have a dot? Is it one of our allowed types? If yes, cool. If no, reject it."</p> <h3> 2. Clean Up Bad Filenames </h3> <p>Here's something sneaky: attackers might upload a file named something like "../../../admin.php" to try to escape the upload folder and hack the system.</p> <p>So I use a function that removes all the dangerous stuff:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">werkzeug.utils</span> <span class="kn">import</span> <span class="n">secure_filename</span> <span class="n">filename</span> <span class="o">=</span> <span class="nf">secure_filename</span><span class="p">(</span><span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">)</span> </code></pre> </div> <p>If someone uploads "../../admin.php", this function turns it into "admin.php" (harmless).</p> <p>If someone uploads "file (1) [2023].jpg", it cleans it up too.</p> <h3> 3. Organize Files by Type </h3> <p>After the file is safe, I check what type it is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_file_type</span><span class="p">(</span><span class="n">filename</span><span class="p">):</span> <span class="n">ext</span> <span class="o">=</span> <span class="n">filename</span><span class="p">.</span><span class="nf">rsplit</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="k">if</span> <span class="n">ext</span> <span class="ow">in</span> <span class="p">{</span><span class="sh">'</span><span class="s">mp4</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">mov</span><span class="sh">'</span><span class="p">}:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">video</span><span class="sh">'</span> <span class="k">elif</span> <span class="n">ext</span> <span class="ow">in</span> <span class="p">{</span><span class="sh">'</span><span class="s">png</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">jpg</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">jpeg</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">gif</span><span class="sh">'</span><span class="p">}:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">image</span><span class="sh">'</span> <span class="k">return</span> <span class="sh">'</span><span class="s">file</span><span class="sh">'</span> </code></pre> </div> <p>So if someone uploads a video, I store it in the videos folder. Images go in the images folder. Everything stays organized and safe.</p> <h2> Why This Actually Works </h2> <p>Think about it like airport security:</p> <ol> <li> <strong>Whitelist</strong> = Only let through what's allowed (like a passenger list)</li> <li> <strong>Clean names</strong> = Remove anything suspicious (like checking luggage)</li> <li> <strong>Organize</strong> = Put things in the right place (like baggage claim)</li> </ol> <p>If you don't do these checks, bad stuff gets through.</p> <h2> What Actually Happened </h2> <p>I built this without thinking about security. Then I realized: what if someone uploads a virus? What if they upload a 1GB file? What if they try to hack the system with a weird filename?</p> <p>So I added these checks. Now my app is safer.</p> <h2> The Real Lesson </h2> <p>Never, ever trust what users do. Always assume someone is trying to break your app. Check everything.</p> <h2> What's Next </h2> <p>Part 4 is about real-time messaging. How do messages update instantly without refreshing? WebSockets.</p> <p>Let me know what you think!</p> python security tutorial webdev Avash Karn Fri, 22 May 2026 09:26:50 +0000 https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-2-secure-password-storage-3god https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-2-secure-password-storage-3god <p>Hey everyone! Part 1 explained encryption. Now let's secure passwords.</p> <h2> The Problem: Plain Text Passwords </h2> <p>In my first version, I stored passwords like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">user</span> <span class="ow">and</span> <span class="n">user</span><span class="p">.</span><span class="n">password</span> <span class="o">==</span> <span class="n">p_word</span><span class="p">:</span> <span class="c1"># LOGIN </span></code></pre> </div> <p>This is TERRIBLE because:</p> <ul> <li>If database leaks, everyone's passwords exposed</li> <li>No hashing = no protection</li> <li>One breach = account takeover</li> </ul> <h2> The Solution: Werkzeug Password Hashing </h2> <p>Use werkzeug.security to hash passwords:</p> <h3> Registration: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">werkzeug.security</span> <span class="kn">import</span> <span class="n">generate_password_hash</span> <span class="n">hashed_password</span> <span class="o">=</span> <span class="nf">generate_password_hash</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">(</span><span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="n">hashed_password</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> </code></pre> </div> <h3> Login: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">werkzeug.security</span> <span class="kn">import</span> <span class="n">check_password_hash</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">and</span> <span class="nf">check_password_hash</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">password</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">session</span><span class="p">[</span><span class="sh">'</span><span class="s">logged_in</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># USER LOGGED IN </span></code></pre> </div> <h2> Why This Works </h2> <ul> <li>Passwords are hashed (one-way)</li> <li>Hash can't be reversed</li> <li>Even if leaked, passwords stay safe</li> <li>Industry standard</li> <li>Built into Flask ecosystem</li> </ul> <h2> What I Learned </h2> <p>Passwords must NEVER be stored in plain text. Ever.</p> <h2> Part 3 Coming </h2> <p>File uploads and validation.</p> <p>Questions? Drop them below!</p> python security tutorial webdev Avash Karn Fri, 22 May 2026 07:33:47 +0000 https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-1-why-encryption-matters-2lo4 https://dev.to/avash_karn/building-an-e2ee-chat-app-in-flask-part-1-why-encryption-matters-2lo4 <p>Hey everyone! I'm building an encrypted chat application in Flask and documenting the journey. Here's Part 1.<br> Why E2EE Matters<br> Most messaging apps claim to be secure, but they're not. Your messages sit on their servers where anyone with access can read them.</p> <p>End-to-End Encryption (E2EE) = only you and the recipient can read messages. The server can't see anything.</p> <p>Example:<br> WhatsApp uses E2EE. Facebook Messenger doesn't. Your choice matters.</p> <p>Why I Built This<br> I wanted to understand encryption by building it, not just reading about it. This project taught me way more than any tutorial.</p> <p>What's Next<br> Part 2: How to handle passwords safely without storing them in plain text.</p> <p>Questions? Drop them in comments!</p> privacy python security tutorial