MySQL <> login with any password
#1

Hey,
I have a problem with my MySQL code. When I connect to my server and am asked for my account password, any password I type, like "1" or "dfnjese" (not my password), is accepted. What is the flaw in my code?
i use md5 to secure my passwords.

Код:
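		case DIALOG_LOGIN:
		{
			// Login dialog: empty input re-shows the dialog, a matching password logs the
			// player in, a wrong password re-shows the dialog, and cancelling kicks the player.
			if(response)
			{
				if(strlen(inputtext) == 0)
				{
					ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "{FF0000}Bloodz {FFFFFF}n {00FF00}Cripz {FFFFFF}- {FFFF00}Login", "{FFFFFF}Es freut uns dich wieder auf unserem Server zu sehen!\nBitte gebe dein {00FF00}Passwort {FFFFFF}ein um dich in deinem Account einzuloggen", "Einloggen", "Abbrechen");
					return 1;
				}
				else
				{
					// StoredHash has the same size as the array mysql_ReturnPasswort returns,
					// so the result can be assigned to it directly.
					new SpielerName[MAX_PLAYER_NAME], StoredHash[130];
					GetPlayerName(playerid, SpielerName, MAX_PLAYER_NAME);
					StoredHash = mysql_ReturnPasswort(SpielerName);
					// SA-MP's strcmp returns 0 when either string is empty. An empty lookup
					// result (for example, no row for this name) is therefore rejected before
					// the comparison; otherwise it would count as a match for any input.
					if(strlen(StoredHash) != 0 && !strcmp(MD5_Hash(inputtext), StoredHash, true))
					{
						SetPVarInt(playerid,"Eingeloggt",1);
						LoadPlayer(playerid);
						SendClientMessage(playerid, lightgreen, "{FFFF00}[SERVER] {FFFFFF}Du bist nun eingeloggt. Viel spaЯ auf dem Server.");
						SendClientMessage(playerid, lightgreen, "{FFFF00}[SERVER] {FFFFFF}Bitte wдhle eine Gang aus.");
						return 1;
					}
					else
					{
						// Wrong password or no usable stored hash: ask again.
						ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "{FF0000}Bloodz {FFFFFF}n {00FF00}Cripz {FFFFFF}- {FFFF00}Login", "{00FF00}Password flasch!\n{FFFFFF}Bitte gebe dein {00FF00}Passwort {FFFFFF}ein um dich in deinem Account einzuloggen", "Einloggen", "Abbrechen");
						return 1;
					}
				}
			}
			else
			{
				// The player cancelled the dialog; an account is required to play.
				SendClientMessage(playerid, lightgreen, "{FFFF00}[SERVER] {FFFFFF}Du brauchst leider ein Account um auf dem Server spielen zu kцnnen.");
				Kick(playerid);
			}
		}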
Код:
// Looks up the password value stored for the account called Name and returns it as a string.
// NOTE(review): CreateAccount stores md5('%s') in `Password`, and this query applies md5()
// to that column again, so the value returned is the hash of the stored hash.
stock mysql_ReturnPasswort(Name[])
{
    new query[130], Get[130];
    // Escapes Name in place (the caller's array is overwritten) before it goes inside the quoted literal.
    mysql_real_escape_string(Name, Name);
    // The length limit (128) is written by hand instead of being taken from sizeof(query).
    format(query, 128, "SELECT md5(`Password`) FROM `Accounts` WHERE `Name` = '%s'", Name);
    mysql_query(query);
    mysql_store_result();
    // NOTE(review): the outcome of mysql_fetch_row is not checked; presumably Get stays empty when
    // no account row matches. Confirm this, because the caller feeds the returned string to strcmp.
    mysql_fetch_row(Get);
    mysql_free_result();
    return Get;
}
Код:
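// Inserts a new row into `Accounts` for the player, storing the MD5 digest of pass.
//   playerid - player whose current name becomes the account name
//   pass     - plain-text password as typed by the player (left unmodified)
// Returns true after the INSERT has been sent, false when pass is too long to escape safely.
// NOTE(review): an unsalted MD5 digest is fast to guess offline; a per-account salt with a
// deliberately slow password hash is the usual recommendation. Changing the scheme also
// requires changing the login check, so it is only flagged here.
stock CreateAccount(playerid, pass[])
{
    // Escaping can double the length of a string. 128 is assumed to be the longest dialog
    // input (TODO confirm); anything longer is refused rather than overrunning SafePass.
    if(strlen(pass) > 128) return false;

    new query[512], Name[MAX_PLAYER_NAME];
    new SafeName[2 * MAX_PLAYER_NAME + 1], SafePass[2 * 128 + 1];
    GetPlayerName(playerid, Name, MAX_PLAYER_NAME);
    // Escape into separate buffers so the caller's pass array is neither changed nor overrun.
    mysql_real_escape_string(Name, SafeName);
    mysql_real_escape_string(pass, SafePass);
    format(query, sizeof(query), "INSERT INTO `Accounts` (`Name`, `Password`) VALUES ('%s', md5('%s'))", SafeName, SafePass);
    mysql_query(query);
    return true;
}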
hope for help
#2

any idea?
#3

what is md5? I'm using MySQl for a long time and never seen something like that.
#4

Quote:
Originally Posted by [MG]Dimi
what is md5? I'm using MySQl for a long time and never seen something like that.
are you serious? xD

md5 is one of the most widely used hash functions for passwords
#5

pawn Код:
// As posted in the question: md5() is applied to the `Password` column, which CreateAccount already fills with md5('%s').
format(query, 128, "SELECT md5(`Password`) FROM `Accounts` WHERE `Name` = '%s'", Name);
That statement is incorrect. You're applying md5() to the `Password` column, which already holds the hash. This is how it should be done:

pawn Код:
// Reads the stored value unchanged, so it can be compared with the MD5 of the typed password.
format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s'", Name);
You already save the password into the database anyway, here is a far better way of doing what you're doing.

pawn Код:
// Returns 1 when a row in `Accounts` has this Name and a Password equal to MD5(password), otherwise 0.
// NOTE(review): only Name is escaped. password (the raw dialog input) is placed inside the
// quoted literal as typed; it should first go through mysql_real_escape_string into its own buffer.
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    new query[130];
    mysql_real_escape_string(Name, Name);
    // NOTE(review): the fixed query text plus a name and a long password can exceed the
    // 128-cell limit given here, in which case format cuts the statement short.
    format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", Name, password);
    mysql_query(query);
    mysql_store_result();
    // NOTE(review): `return` is a reserved word and cannot name a variable; this line does not compile as written.
    new return = mysql_num_rows();
    mysql_free_result();
    if(return != 0) return 1;
    return 0;
}
Lastly, MD5 is probably the worst algorithm you could use. Most MD5 passwords can be cracked easily with websites online that offer this function.
#6

hey,
thx, it now works right without the md5 tag. It was dump to doublemd5 the password xD
Yeah but if i use a salt fo my md5 than its safer right? ^^

If i will use your code:

Код:
// Quoted copy of the suggested check: 1 if a row matches Name and MD5(password), else 0.
// NOTE(review): password is inserted into the SQL text without escaping; only Name is escaped.
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    new query[130];
    mysql_real_escape_string(Name, Name);
    format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", Name, password);
    mysql_query(query);
    mysql_store_result();
    // NOTE(review): `return` is a reserved word, so this declaration is rejected by the compiler.
    new return = mysql_num_rows();
    mysql_free_result();
    if(return != 0) return 1;
    return 0;
}
how i must chek it right in my case DIALOG_LOGIN:

can u give me a simple way
#7

Quote:
Originally Posted by s3rserii
hey,
thx, it now works right without the md5 tag. It was dump to doublemd5 the password xD
Yeah but if i use a salt fo my md5 than its safer right? ^^

If i will use your code:

Код:
// Quoted again from the earlier post: reports 1 when the name and MD5(password) pair is found, 0 when it is not.
// NOTE(review): the typed password reaches the query unescaped, unlike Name.
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    new query[130];
    mysql_real_escape_string(Name, Name);
    format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", Name, password);
    mysql_query(query);
    mysql_store_result();
    // NOTE(review): a variable cannot be called `return`; the compiler stops here.
    new return = mysql_num_rows();
    mysql_free_result();
    if(return != 0) return 1;
    return 0;
}
how i must chek it right in my case DIALOG_LOGIN:

can u give me a simple way
SHA1 is even more secure, whirlpool would be ideal. All you would need to do in the input dialog is instead of using strcmp, do this:
pawn Код:
if(!mysql_ReturnPasswort(SpielerName, inputtext)) //0 means no row matched the name and the MD5 of the input, i.e. the wrong password was typed
#8

ok, i will look to secure with whirlpool,

code error
Код:
error 001: expected token: "-identifier-", but found "return"
#9

pawn Код:
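// Checks a typed password against the stored MD5 digest for an account.
//   Name     - account (player) name; left unmodified
//   password - plain-text password as typed; left unmodified
// Returns 1 when a row in `Accounts` matches both Name and MD5(password), otherwise 0.
// NOTE(review): MD5 here is unsalted and fast to guess offline; a per-account salt with a
// deliberately slow password hash is the usual recommendation. Only flagged, because the
// stored values and CreateAccount would have to change together.
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    // Escaping can double the length of a string. Inputs that would not fit the escape
    // buffers are treated as a failed login. 128 is assumed to be the longest dialog
    // input (TODO confirm).
    if(strlen(Name) >= MAX_PLAYER_NAME || strlen(password) > 128) return 0;

    new query[512];
    new SafeName[2 * MAX_PLAYER_NAME + 1], SafePass[2 * 128 + 1];
    // Both values end up inside quoted SQL literals, so both are escaped, each into its
    // own buffer so the caller's arrays stay untouched.
    mysql_real_escape_string(Name, SafeName);
    mysql_real_escape_string(password, SafePass);
    // sizeof(query) keeps the limit in step with the declaration, so the statement is not cut short.
    format(query, sizeof(query), "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", SafeName, SafePass);
    mysql_query(query);
    mysql_store_result();
    new return_v = mysql_num_rows();
    mysql_free_result();
    if(return_v != 0) return 1;
    return 0;
}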
Sorry, I accidentally named the variable return :P.
#10

thx now it works fine