[Face9000]

Ok guys, i almost finished converting my gm from the old and outdated dini to mysql. Everything works except a thing. Today i decided to increase account's security and based on this i made hash the player's password using Whirlpool, and i made this:

Register:

pawn Code:

stock MySQL_Register(playerid, passwordstring[])
{
    new query1[256*2], pname[24];
    new Year, Month, Day, Hour, Minute, Second;
    getdate(Year, Month, Day);
    gettime(Hour, Minute, Second);
    WP_Hash(query1, 256*2, passwordstring);
    new RegDate[128];
    format(RegDate, 128, "%d:%d:%d - %d/%d/%d", Hour, Minute, Second, Day, Month, Year);
    new Bannedby[20];
    format(Bannedby, 20, "Not Banned");
    GetPlayerName(playerid, pname, 24);
    format(query1, sizeof(query1), "INSERT INTO playerdata (user, password, Scores, Cash, Admin, Deaths, Nopm, Muted, Vip, Warn, RegisterDate, Jailed, AdminActions, Cookies, Rank, VipTime, Class, PrototypesStolen, KillAsUsaTeam, KillAsGermanyTeam, KillAsItalyTeam, KillAsJapanTeam, KillAsMercTeam, KillAsMexicoTeam, IP) VALUES('%s', '%s', 0, 0, 0, 0, 0, 0, 0, 0, '%s', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, '%s')", pname, passwordstring, RegDate, GetIP(playerid));
    mysql_query(query1);
    Logged[playerid] = 1;
    WindowForPlayer(playerid, "You are now ~r~registered ~w~to Battlefield War Heroes! Enjoy playing!");
    WelcomeDialog(playerid);
    new echo[130];
    new kname[24];
    GetPlayerName(playerid, kname, 24);
    format(echo,sizeof(echo),"0,3** System: %s (%d) (IP: %s) has registered a new account",pname,playerid,GetIP(playerid));
    IRC_GroupSay(gGroupID, IRC_ACHANNEL, echo);
    new admin[128];
    format(admin,sizeof(admin),"** System: %s (%d) (%s) has registered a new account.",pname,playerid,GetIP(playerid));
    SendMessageToAdmins(LIGHTBLUE,admin);
    new txd[128];
    format(txd,sizeof(txd),"%s (%d) (IP: %s) registered a new account",pname,playerid,GetIP(playerid));
    TextDrawSetString(RegTxd, txd);
    new welcome[130];
    format(welcome, sizeof(welcome), "Welcome to Battlefield War Heroes, ~r~%s! Type ~r~/rules ~w~and ~r~/cmds ~w~for server info.",pname);
    GameTextForPlayer(playerid,welcome,6000,4);
    return 1;
}

Login:

pawn Code:

stock MySQL_Login(playerid)
{
    new query2[650], pname[24], savingstring[20];
    WP_Hash(query2, 650, savingstring);
    GetPlayerName(playerid, pname, 24);
    format(query2, sizeof(query2), "SELECT Scores, Cash, Admin, Deaths, Nopm, Muted, Vip, Warn, RegisterDate, Jailed, AdminActions, Cookies, Rank, VipTime, Class, PrototypesStolen, KillAsUsaTeam, KillAsGermanyTeam, KillAsItalyTeam, KillAsJapanTeam, KillAsMercTeam, KillAsMexicoTeam FROM playerdata WHERE user = '%s'", pname);
    mysql_query(query2);
    mysql_store_result();
    while(mysql_fetch_row_format(query2,"|"))
    {
        mysql_fetch_field_row(savingstring, "Scores"); SetPlayerScore(playerid, strval(savingstring));
        mysql_fetch_field_row(savingstring, "Cash"); MoneyGiven[playerid] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Admin"); PlayerInfo[playerid][Admin] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Deaths"); PlayerInfo[playerid][Deaths] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Nopm"); PlayerInfo[playerid][Nopm] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Muted"); PlayerInfo[playerid][Muted] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Vip"); PlayerInfo[playerid][Vip] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Warn"); PlayerInfo[playerid][Warn] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "RegisterDate"); PlayerInfo[playerid][RegisterDate] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Jailed"); PlayerInfo[playerid][Jailed] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "AdminActions"); PlayerInfo[playerid][AdminActions] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Cookies"); PlayerInfo[playerid][Cookies] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Rank"); PlayerInfo[playerid][Rank] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "VipTime"); PlayerInfo[playerid][VipTime] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Class"); PlayerInfo[playerid][Class] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "PrototypesStolen"); PlayerInfo[playerid][PrototypesStolen] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Exp"); PlayerInfo[playerid][Exp] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "Duty"); PlayerInfo[playerid][Duty] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "KillAsUsaTeam"); PlayerInfo[playerid][KillAsUsaTeam] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "KillAsGermanyTeam"); PlayerInfo[playerid][KillAsGermanyTeam] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "KillAsItalyTeam"); PlayerInfo[playerid][KillAsItalyTeam] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "KillAsJapanTeam"); PlayerInfo[playerid][KillAsJapanTeam] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "KillAsMercTeam"); PlayerInfo[playerid][KillAsMercTeam] = strval(savingstring);
        mysql_fetch_field_row(savingstring, "KillAsMexicoTeam"); PlayerInfo[playerid][KillAsMexicoTeam] = strval(savingstring);
    }
    mysql_free_result();
    JustLogged[playerid] = 1;
    Logged[playerid] = 1;
    UpdateStatsTextdraw(playerid);
    SendClientMessage(playerid,red,"------------------------------------------------------");
    new playername3[MAX_PLAYER_NAME];
    GetPlayerName(playerid, playername3, sizeof(playername3));
    new string[200],stringg[200];
    format(string,sizeof(string),"* System: Welcome back {F70505}%s (%d) {FFFFFF} - Your stats have been restored.",playername3,playerid);
    format(stringg,sizeof(stringg),"* Level: {F70505}%d {FFFFFF} - Score: {F70505} %d {FFFFFF} - Exp: {F70505}%d {FFFFFF}- CSCash: {F70505} %i -",PlayerInfo[playerid][Admin],PlayerInfo[playerid][Scores],PlayerInfo[playerid][Exp],GetPlayerMoney(playerid));
    SCM(playerid,-1,string);
    SCM(playerid,-1,stringg);
    SendClientMessage(playerid,red,"------------------------------------------------------");


    return 1;
}

The problem is: The registration works, i get registered correctly and the player table is created, but when i login, even if i use the correct password, it gives me "Wrong password". So i guess is a problem related to the reading of the hashed password. Any way to fix?

[RedFusion]

You're using the same string for both the password hash and the query.
Use a separate string for the hash, max hash size is 128+1

[Face9000]

Quote:

Originally Posted by RedFusion You're using the same string for both the password hash and the query. Use a separate string for the hash, max hash size is 128+1

You mean in MySql_Register or Login?

[RedFusion]

Everywhere. You can't use the same variable. It will just overwrite.

[Face9000]

How i have to edit then?

And why i should use different name for WP_Hash function since i have to hash the password that is inside the query1?

[RedFusion]

You hash the password with the native WP_Hash, to the string you want. Then you use this string as the hash, in your query.

[Konstantinos]

You insert the password in the database and not the hashed password. It should be:

pawn Code:

new buff[129];
WP_Hash(buff, 129, passwordstring);
format(query1, sizeof(query1), "INSERT INTO playerdata (user, password, Scores, Cash, Admin, Deaths, Nopm, Muted, Vip, Warn, RegisterDate, Jailed, AdminActions, Cookies, Rank, VipTime, Class, PrototypesStolen, KillAsUsaTeam, KillAsGermanyTeam, KillAsItalyTeam, KillAsJapanTeam, KillAsMercTeam, KillAsMexicoTeam, IP) VALUES('%s', '%s', 0, 0, 0, 0, 0, 0, 0, 0, '%s', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, '%s')", pname, buff, RegDate, GetIP(playerid));

For more information about how to use Whirlpool, read its original thread.

PS: You didn't post the part that loads and checks the password.

[Face9000]

Emh now is worst, it doesn't even allow me to register. When i register and quit, if i rejoin i have to register again.

[Konstantinos]

You're supposed to count the characters. The Query's lenght must be 561 and your query's size is 512. It will fail to execute the query; thus you're never registered.

[Face9000]

Now i can register and it asks me to login, but the same problem of first post. "Wrong password" even if is correct. lol

For more info, this is how password column is made:

Quote:

password varchar(40) latin1_swedish_ci NULL

Looking in mysql log it says:

Quote:

[00:21:23] CMySQLHandler::Query(SELECT `user` FROM playerdata WHERE user = 'Face9000' AND password = SHA1('testpass')) - Successfully executed. [00:21:23] >> mysql_store_result( Connection handle: 1 ) [00:21:23] CMySQLHandler::StoreResult() - Result was stored.

Why is still in SHA1 even if i hashed it?

[Patrick]

Quote:

Originally Posted by Face9000 Now i can register and it asks me to login, but the same problem of first post. "Wrong password" even if is correct. lol For more info, this is how password column is made: Looking in mysql log it says: Why is still in SHA1 even if i hashed it?

The size should be 129! not 40 or else it would not save the full hashed password.

[Konstantinos]

Change password's datatype to VARVHAR(129)

Quote:

Originally Posted by Face9000 Now i can register and it asks me to login, but the same problem of first post. "Wrong password" even if is correct. lol

The problem might be the same but you used the register part incorrect about hashing the password. You need to post the login part so we can help you (the one you posted says nothing). Post the part that you load and compare the passwords.

[Face9000]

Emh hold on. Found why is still in SHA1.

Login dialog:

pawn Код:

if(dialogid == DIALOG_LOGIN)
    {
        if(!response)
        {
        SendClientMessage(playerid, COLOR_RED, "** To play you must be registered or logged in.");
        KickTimer[playerid] = SetTimerEx("KickPlayer",200,false,"d",playerid);
        }
        if(response)
        {
            new query[200], pname[24], escapepass[100];
            GetPlayerName(playerid, pname, 24);
            mysql_real_escape_string(inputtext, escapepass);
            format(query, sizeof(query), "SELECT `user` FROM playerdata WHERE user = '%s' AND password = SHA1('%s')", pname, escapepass);
            mysql_query(query);
            mysql_store_result();
            new numrows = mysql_num_rows();
            if(numrows == 1) MySQL_Login(playerid);
            if(!numrows)
            {
                ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_INPUT, ""White"Please log-in", ""White"Welcome back to "Red""SERVER_NAME""White"!\n"White"In order to start playing, you have to log-in!\n\n"White"Please insert "Red"your"White" password below:", "Login", "Cancel");
                GameTextForPlayer(playerid,"~w~Wrong ~r~password.",2000,6);
            }
            mysql_free_result();
        }
    }

And this is register dialog if you need:

pawn Код:

if(dialogid == DIALOG_REGISTER)
    {
        if(response)
        {
            if(CheckInput(inputtext)) return SendClientMessage(playerid, 0x0000ff, "You cannot use this password.");
            if(!strlen(inputtext) || strlen(inputtext) > 100)
            {
                SendClientMessage(playerid,COLOR_RED,"Please enter a password within the length of 1 - 100 characters.");
                ShowPlayerDialog(playerid, DIALOG_REGISTER, DIALOG_STYLE_INPUT, ""White"Please register",""White"Welcome to "Red""SERVER_NAME""White"!\n"White"In order to start playing, you have to register!\n\n"White"Please insert a password below:", "Register", "Cancel");
            }
            else if(strlen(inputtext) > 0 && strlen(inputtext) < 100)
            {
                new escpass[100];
                mysql_real_escape_string(inputtext, escpass);
                MySQL_Register(playerid, escpass);
            }
        }
        if(!response)
        {
        SendClientMessage(playerid, COLOR_RED, "** To play you must be registered or logged in.");
        KickTimer[playerid] = SetTimerEx("KickPlayer",200,false,"d",playerid);
        }
    }

@pds2k12: Edited column size.

[Patrick]

Quote:

Originally Posted by Face9000 Emh hold on. Found why is still in SHA1. Login dialog: pawn Код: //code @pds2k12: Edited column size.

Change

pawn Код:

format(query, sizeof(query), "SELECT `user` FROM playerdata WHERE user = '%s' AND password = SHA1('%s')", pname, escapepass);

To

pawn Код:

format(query, sizeof(query), "SELECT `user` FROM playerdata WHERE user = '%s' AND password = '%s'", pname, escapepass);

Shutup mayne, I'm tryna' help someone.

Код:

This forum requires that you wait 240 seconds between posts. Please try again in 19 seconds.

[Konstantinos]

pawn Код:

new query[217], buff[129];
WP_Hash(buff, 129, inputtext);
format(query, sizeof(query), "SELECT `user` FROM playerdata WHERE user = '%s' AND password = '%s'", pname, buff);

[Face9000]

Holy damn lol, finally. Thanks to all for the precious help