1. SA-MP Forums Archive
  2. Other
  3. Everything and Nothing

Threaded Mode
UCP Function Problem[HELP]
Rg-Gaming.Info
Huge Clucker
***
Posts: 223
Threads: 32
Joined: Jan 2012
Reputation: 0
#1

06.08.2013, 19:13
( Последний раз редактировалось Rg-Gaming.Info; 06.08.2013 в 20:10. )
Alright, so basically I have the function for login and I am trying to make it work with my server's database. It successfully reades the name, but it wouldn't read the WHIRLPOOL encrypted passwords. Everytime I do it, it says "wrong password" which it should say only if the password is really worng. Am I doing something wrong? Because I think everything is fine, but apperantly, it's not.

PHP код:
<?php
include("config.php");
session_start();
if (!$con)
  {
  die('Could not connect: ' mysql_error());
  }
  if(isset($_SESSION["Username"]))
  {
    $user $_SESSION["Username"];
    $pass hash('whirlpool'$_SESSION["Password"]);
  }
  else
  {
    $user $_POST["User"]; 
    $pass $_POST["Password"];
    $_SESSION['Username'] = $user;
    $_SESSION['Password'] = $pass;
    $escuser mysql_real_escape_string($user);
    $escpass mysql_real_escape_string($pass);
  }
  $query "SELECT * FROM players WHERE Username = '$escuser'";
  $result mysql_query($query);
  $username_exist mysql_num_rows($result);
  if($username_exist == 0)
  {
    echo 'That profile does not exist! <br />';
    echo '<a href="index.php">Go Back</a>';
    unset($_SESSION['Username']);
    unset($_SESSION['Password']);
    die;
  }  
  $row mysql_fetch_row($result);
  if($row[2] !== $escpass)
  {
    echo 'Password is not valid!  <br />';
    echo '<a href="index.php">Go Back</a>';
    unset($_SESSION['Username']);
    unset($_SESSION['Password']);
    die;
  }
$message "Welcome $escuser!<br />";
echo $message;
echo "<br />";
echo "
<table border = 1>
  <tr>
    <td>Level</td>
    <td>$row[7]</td>
  </tr>
  <tr>
    <td>Skin</td>
    <td>$row[8]</td>
  </tr>
  <tr>
    <td>Hours Played</td>
    <td>$row[9]</td>
  </tr>
  <tr>
    <td>Money</td>
    <td>$$row[10]</td>
  </tr>
  <tr>
    <td>Bank</td>
    <td>$$row[11]</td>
  </tr>
</table>";
?>
Find
Reply
Vince
Spam Machine
*****
Posts: 10,066
Threads: 38
Joined: Sep 2007
Reputation: 0
#2

06.08.2013, 19:24
You're comparing a hashed password to a plain text password. For security reasons you also shouldn't tell whether a username exists. Just tell them that username and password do not match. This also saves you a query. Other than that, the 'mysql' PHP extension is deprecated. Use mysqli or PDO.
Find
Reply
Rg-Gaming.Info
Huge Clucker
***
Posts: 223
Threads: 32
Joined: Jan 2012
Reputation: 0
#3

06.08.2013, 19:32
Quote:
Originally Posted by Vince
Посмотреть сообщение
You're comparing a hashed password to a plain text password. For security reasons you also shouldn't tell whether a username exists. Just tell them that username and password do not match. This also saves you a query. Other than that, the 'mysql' PHP extension is deprecated. Use mysqli or PDO.
Alright, I might of made myself unclear. The passwords in my server's DB are hashed already. How do I hash the password in this script and then compare it to the DB one.
Find
Reply
Sinner
Gangsta
*****
Posts: 772
Threads: 52
Joined: Aug 2010
Reputation: 0
#4

06.08.2013, 20:17
This entire peice of code seems odd to me :/ Why are you storing the username and password in the session before checking if it's correct. It seems to me the first time the password will always be false since $_SESSION["Username"] is not set -> password isn't hashed and the second time it will always use the variable already in the session which will never be correct either. This is some seriously weird coding.

I had a shot at improving it (untested):
PHP код:
<?php 
require_once 'config.php';
if(isset($_SESSION) == false)
    session_start();
    
if(!$con)
    die('Could not connect: ' mysql_error()); 
// user inputted password
$p $_POST['Password'];
$pe mysql_real_escape_string($p);
$password hash('whirlpool'$pe);
// user inputted username
$u $_POST['Username'];
$username mysql_real_escape_string($u);
$result mysql_query('SELECT * FROM players WHERE Username = \''$username .'\' AND Password = \''$password .'\'');
$rows mysql_num_rows($result);
if($rows == 0)
{
    // password is not correct
    unset($_SESSION['Username']);
    unset($_SESSION['Password']);
}
else
{
    // password is correct
    $_SESSION['Username'] = $username;
    $_SESSION['Password'] = $password;
}
?>
Find
Reply
Vince
Spam Machine
*****
Posts: 10,066
Threads: 38
Joined: Sep 2007
Reputation: 0
#5

06.08.2013, 20:17
Use hash().
Edit: late.
Find
Reply
Sinner
Gangsta
*****
Posts: 772
Threads: 52
Joined: Aug 2010
Reputation: 0
#6

06.08.2013, 20:20
Quote:
Originally Posted by Vince
Посмотреть сообщение
Use mysqli or PDO.
^^

This is extremely important. Although the mysql_ functions work fine, they have existed for years and years and far more secure and faster technologies have been developed over the years. I'm glad to see you're atleast escaping the strings but that will certainly not stop a determined hacker.

For example, PDO would allow you to just do:
PHP код:
$user = new User($userid);
$password $user->select('password');
$user->set('username'$new_username);
$user->update(); 
Find
Reply
Rg-Gaming.Info
Huge Clucker
***
Posts: 223
Threads: 32
Joined: Jan 2012
Reputation: 0
#7

06.08.2013, 20:28
Quote:
Originally Posted by Sinner
Посмотреть сообщение
This entire peice of code seems odd to me :/ Why are you storing the username and password in the session before checking if it's correct. It seems to me the first time the password will always be false since $_SESSION["Username"] is not set -> password isn't hashed and the second time it will always use the variable already in the session which will never be correct either. This is some seriously weird coding.

I had a shot at improving it (untested):
PHP код:
<?php 
require_once 'config.php';
if(isset($_SESSION) == false)
    session_start();
    
if(!$con)
    die('Could not connect: ' mysql_error()); 
// user inputted password
$p $_POST['Password'];
$pe mysql_real_escape_string($p);
$password hash('whirlpool'$pe);
// user inputted username
$u $_POST['Username'];
$username mysql_real_escape_string($u);
$result mysql_query('SELECT * FROM players WHERE Username = \''$username .'\' AND Password = \''$password .'\'');
$rows mysql_num_rows($result);
if($rows == 0)
{
    // password is not correct
    unset($_SESSION['Username']);
    unset($_SESSION['Password']);
}
else
{
    // password is correct
    $_SESSION['Username'] = $username;
    $_SESSION['Password'] = $password;
}
?>
Yeah, your code seems a lot more clear than mine, + my code was old. It was not updated for years... but even tho, when implemented a error message if the password is wrong inside the DB, it still only refers me to the error message and does not prceed.

If you want we can get on skype and you can help me in more detail there: bgtracker1
Find
Reply
CrazyChoco
Gangsta
*****
Posts: 895
Threads: 106
Joined: Feb 2012
Reputation: 0
#8

06.08.2013, 20:54
I didn't quite understood that. Anyway does your passwords saves in Uppercase?
Find
Reply
« Next Oldest | Next Newest »


Forum Jump:


Users browsing this thread: 1 Guest(s)
  1. SA-MP Forums Archive
  2. Other
  3. Everything and Nothing