SA-MP Forums Archive
Saving bankpassword in MySQL - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: Saving bankpassword in MySQL (/showthread.php?tid=608930)



Saving bankpassword in MySQL - Deroxi - 06.06.2016

I tried to make a bank system all by myself. For now I only made the Register dialog, but whenever I try to register it won't save the password in the database
Code:
PHP код:
        case BankRegisterDialog:
        {
            if(
Player[playerid][BankLogged] == 1)
            {
                if(
strlen(inputtext) < 5)
                {
                      
SendClientMessage(playeridCOLOR_RED"[ERROR] You password must be longer than 5 characters!");
                    return 
ShowPlayerDialog(playeridBankRegisterDialogDIALOG_STYLE_PASSWORD"Bank Password""Enter your desired password below:""Register""Cancel");
                }
                new 
query[100], name[24], query2[100];
                
GetPlayerName(playeridname24);
                
WP_Hash(Player[playerid][BankPassword], 129inputtext);
                
format(querysizeof(query), "UPDATE 'accounts' SET 'Bankpassword' = '%s' WHERE 'Name' = '%s'"Player[playerid][BankPassword], name);
                
mysql_query(mysqlquery);
            }
        } 



Re: Saving bankpassword in MySQL - Konstantinos - 06.06.2016

The size of the query is 100 an and the output Whirlpool itself is 128 characters.

When a player registers, you need to use INSERT INTO as UPDATE is used for existed rows.

You better use threaded queries (even for INSERT/UPDATE/DELETE) and escape strings in the future.

Here's an example of register/login: https://raw.githubusercontent.com/pB...stem-cache.pwn

It also uses race condition check which not many of the tutorials/released gamemodes have.


Re: Saving bankpassword in MySQL - Deroxi - 06.06.2016

PHP код:
format(querysizeof(query), "INSERT INTO `accounts` (`Name`, `Bankpassword`) VALUES (`%e`, `%e`)"namePlayer[playerid][BankPassword]); 
Didn't change anything, Im such a spoon in MySQL


Re: Saving bankpassword in MySQL - JasperM - 06.06.2016

Besides the whole question, here is another quick note:

Just using Whirlpool once to hash a password without any kind of salt is not safe, at all. If your database gets breached, it wont take that long before someone has all bank passwords in plain text format. The easiest thing to change is to give every password a custom salt, which is added to the end of the password and then given to the WP_Hash function. This gives a bit of extra security, since rainbow tables become less useful. Second, use a function which is meant to be slow, like, for example, bcrypt. Googling "SAMP Bcrypt" should show up an include to use bcrypt. This is by far much safer than WP_Hash, because you can set it to be slower. This means that if your database is breached, and it already took your server 0.25 seconds to hash a password, an attacker needs a lot more time to get all the passwords.

TL; DR; 1. Hashing just passwords without a salt is unsafe. 2. Whirlpool is a relatively fast hashing mechanism which can't be set to be slower. Me and a lot of others recommend Bcrypt to solve this issue.


Re: Saving bankpassword in MySQL - Konstantinos - 06.06.2016

Quote:
Originally Posted by Deroxi
Посмотреть сообщение
PHP код:
format(querysizeof(query), "INSERT INTO `accounts` (`Name`, `Bankpassword`) VALUES (`%e`, `%e`)"namePlayer[playerid][BankPassword]); 
Didn't change anything, Im such a spoon in MySQL
Read your mysql_log.txt file, it should say more information on why the query failed.

I also agree with JasperM about adding a salt along with the hash so even if two or more users have the same password, they will have different hashed output. You can find more results on ****** but here's two threads from here:
https://sampforum.blast.hk/showthread.php?tid=350664
https://sampforum.blast.hk/showthread.php?tid=581336

Just to get an idea.


Re: Saving bankpassword in MySQL - Deroxi - 06.06.2016

Quote:
Originally Posted by Konstantinos
Посмотреть сообщение
Read your mysql_log.txt file, it should say more information on why the query failed.

I also agree with JasperM about adding a salt along with the hash so even if two or more users have the same password, they will have different hashed output.
I will look at the log + I will take a look at the bcrypt, but that will probably be later on
EDIT:
Mysql_log.txt output:
[12:44:59] [WARNING] CMySQLHandle::Create - connection already exists
[12:45:02] [ERROR] cache_get_field_content_int - invalid datatype


Re: Saving bankpassword in MySQL - Konstantinos - 06.06.2016

About the cache function is that you are trying to retrieve data that is not integer. That also happens if the column is NULL.

For now, you'll need to enable log all so we can take a closer look at what is happening when you register.

before mysql_connect, call:
pawn Код:
mysql_log(LOG_ALL);
Try to register a new name and if it fails to insert a new row, post the mysql logs again.


Re: Saving bankpassword in MySQL - Deroxi - 06.06.2016

PHP код:
[13:06:31] [DEBUGmysql_connect host"localhost"user"root"database"samp"password"****"port3306autoreconnecttruepool_size2
[13:06:31] [DEBUGCMySQLHandle::Create creating new connection..
[
13:06:31] [WARNINGCMySQLHandle::Create connection already exists
[13:06:31] [DEBUGCMySQLConnection::Connect establishing connection to database...
[
13:06:31] [DEBUGCMySQLConnection::Connect connection was successful
[13:06:31] [DEBUGCMySQLConnection::Connect auto-reconnect has been enabled
[13:06:31] [DEBUGmysql_errno connection1
[13:06:31] [DEBUGmysql_format connection1len128format"SELECT `Password`, `ID` FROM `accounts` WHERE `Name` = '%e' LIMIT 1"
[13:06:31] [DEBUGmysql_tquery connection1query"SELECT `Password`, `ID` FROM `accounts` WHERE `Name` = 'sorenkai"callback"OnAccountCheck"format"i"
[13:06:31] [DEBUGCMySQLConnection::Connect establishing connection to database...
[
13:06:31] [DEBUGCMySQLConnection::Connect connection was successful
[13:06:31] [DEBUGCMySQLConnection::Connect auto-reconnect has been enabled
[13:06:31] [DEBUGCMySQLConnection::Connect establishing connection to database...
[
13:06:31] [DEBUGCMySQLConnection::Connect connection was successful
[13:06:31] [DEBUGCMySQLConnection::Connect auto-reconnect has been enabled
[13:06:31] [DEBUGCMySQLQuery::Execute[OnAccountCheck] - starting query execution
[13:06:31] [DEBUGCMySQLQuery::Execute[OnAccountCheck] - query was successfully executed within 0.227 milliseconds
[13:06:31] [DEBUGCMySQLResult::CMySQLResult() - constructor called
[13:06:31] [DEBUGCMySQLConnection::Connect establishing connection to database...
[
13:06:31] [DEBUGCMySQLConnection::Connect connection was successful
[13:06:31] [DEBUGCMySQLConnection::Connect auto-reconnect has been enabled
[13:06:31] [DEBUGCalling callback "OnAccountCheck"..
[
13:06:31] [DEBUGcache_get_data connection1
[13:06:31] [DEBUGcache_get_field_content row0field_name"Password"connection1max_len129
[13:06:31] [DEBUGCMySQLResult::GetRowDataByName row'0'field"Password"data"****"
[13:06:31] [DEBUGcache_get_field_content_int row0field_name"ID"connection1
[13:06:31] [DEBUGCMySQLResult::GetRowDataByName row'0'field"ID"data"3"
[13:06:31] [DEBUGCMySQLResult::~CMySQLResult() - deconstructor called
[13:06:36] [DEBUGmysql_format connection1len100format"SELECT * FROM `accounts` WHERE `Name` = '%e' LIMIT 1"
[13:06:36] [DEBUGmysql_tquery connection1query"SELECT * FROM `accounts` WHERE `Name` = 'sorenkai' LIMIT 1"callback"OnAccountLoad"format"i"
[13:06:36] [DEBUGCMySQLQuery::Execute[OnAccountLoad] - starting query execution
[13:06:36] [DEBUGCMySQLQuery::Execute[OnAccountLoad] - query was successfully executed within 0.235 milliseconds
[13:06:36] [DEBUGCMySQLResult::CMySQLResult() - constructor called
[13:06:36] [DEBUGCalling callback "OnAccountLoad"..
[
13:06:36] [DEBUGcache_get_field_content_int row0field_name"Score"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"Score"data"104"
[13:06:36] [DEBUGcache_get_field_content_int row0field_name"Admin"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"Admin"data"6"
[13:06:36] [DEBUGcache_get_field_content_int row0field_name"VIP"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"VIP"data"0"
[13:06:36] [DEBUGcache_get_field_content_int row0field_name"Money"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"Money"data"150229"
[13:06:36] [DEBUGcache_get_field_content_int row0field_name"Bankpassword"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"Bankpassword"data"0"
[13:06:36] [DEBUGcache_get_field_content_int row0field_name"Bankmoney"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"Bankmoney"data""
[13:06:36] [ERRORcache_get_field_content_int invalid datatype
[13:06:36] [DEBUGcache_get_field_content_int row0field_name"Banklogged"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"Banklogged"data"2"
[13:06:36] [DEBUGcache_get_field_content_float row0field_name"PosX"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"PosX"data"2316.29"
[13:06:36] [DEBUGcache_get_field_content_float row0field_name"PosY"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"PosY"data"-11.52"
[13:06:36] [DEBUGcache_get_field_content_float row0field_name"PosZ"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"PosZ"data"26.742"
[13:06:36] [DEBUGcache_get_field_content_float row0field_name"PosA"connection1
[13:06:36] [DEBUGCMySQLResult::GetRowDataByName row'0'field"PosA"data"182.048"
[13:06:36] [DEBUGCMySQLResult::~CMySQLResult() - deconstructor called 



Re: Saving bankpassword in MySQL - Konstantinos - 06.06.2016

That's the loading part and it seems to work (at least that's what it shows, loading correct values).

The problem is with registering an account, isn't it? If so, you will have to connect with a name that does not exist to database so it forces you to register.


Re: Saving bankpassword in MySQL - Deroxi - 06.06.2016

I'm not sure if you got this: I have made a login/register system (tutorial :3). And now I tried to make a Bank account system where you have to register/login with a password to access your bank account.