MySQL <> login with any password
#1

Hey,
i have a mysql code problem. If i try to connect on my server and type my password for my account, and if i type any password like "1" or "dfnjese" (not my password) it will be work. What is flae in my code?
i use md5 to secure my passwords.

Код:
		case DIALOG_LOGIN:
		{
			if(response)
			{
				if(strlen(inputtext) == 0)
				{
					ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "{FF0000}Bloodz {FFFFFF}n {00FF00}Cripz {FFFFFF}- {FFFF00}Login", "{FFFFFF}Es freut uns dich wieder auf unserem Server zu sehen!\nBitte gebe dein {00FF00}Passwort {FFFFFF}ein um dich in deinem Account einzuloggen", "Einloggen", "Abbrechen");
					return 1;
				}
				else
				{
					new SpielerName[MAX_PLAYER_NAME];
					GetPlayerName(playerid, SpielerName, MAX_PLAYER_NAME);
                    if(!strcmp(MD5_Hash(inputtext), mysql_ReturnPasswort(SpielerName), true))
					{
						SetPVarInt(playerid,"Eingeloggt",1);
						LoadPlayer(playerid);
						SendClientMessage(playerid, lightgreen, "{FFFF00}[SERVER] {FFFFFF}Du bist nun eingeloggt. Viel spaЯ auf dem Server.");
						SendClientMessage(playerid, lightgreen, "{FFFF00}[SERVER] {FFFFFF}Bitte wдhle eine Gang aus.");
						return 1;
					}
                    else
					{
						ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "{FF0000}Bloodz {FFFFFF}n {00FF00}Cripz {FFFFFF}- {FFFF00}Login", "{00FF00}Password flasch!\n{FFFFFF}Bitte gebe dein {00FF00}Passwort {FFFFFF}ein um dich in deinem Account einzuloggen", "Einloggen", "Abbrechen");
						return 1;
					}
				}
			}
			else
			{
				SendClientMessage(playerid, lightgreen, "{FFFF00}[SERVER] {FFFFFF}Du brauchst leider ein Account um auf dem Server spielen zu kцnnen.");
				Kick(playerid);
			}
		}
Код:
stock mysql_ReturnPasswort(Name[])
{
    new query[130], Get[130];
    mysql_real_escape_string(Name, Name);
    format(query, 128, "SELECT md5(`Password`) FROM `Accounts` WHERE `Name` = '%s'", Name);
    mysql_query(query);
    mysql_store_result();
    mysql_fetch_row(Get);
    mysql_free_result();
    return Get;
}
Код:
stock CreateAccount(playerid, pass[])
{
    new query[256],Name[MAX_PLAYER_NAME];
    GetPlayerName(playerid, Name, MAX_PLAYER_NAME);
    mysql_real_escape_string(Name,Name);
    mysql_real_escape_string(pass,pass);
    format(query, sizeof(query), "INSERT INTO `Accounts` (`Name`, `Password`) VALUES ('%s', md5('%s'))", Name, pass);
    mysql_query(query);
    return true;
}
hope for help
Reply
#2

any idea?
Reply
#3

what is md5? I'm using MySQl for a long time and never seen something like that.
Reply
#4

Quote:
Originally Posted by [MG]Dimi
Посмотреть сообщение
what is md5? I'm using MySQl for a long time and never seen something like that.
are you serious? xD

md5 is one of the most used encoding system for passwords
Reply
#5

pawn Код:
format(query, 128, "SELECT md5(`Password`) FROM `Accounts` WHERE `Name` = '%s'", Name);
That is an incorrect statement. You're fetching data in the column name. This is how it should be done:

pawn Код:
format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s'", Name);
You already save the password into the database anyway, here is a far better way of doing what you're doing.

pawn Код:
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    new query[130];
    mysql_real_escape_string(Name, Name);
    format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", Name, password);
    mysql_query(query);
    mysql_store_result();
    new return = mysql_num_rows();
    mysql_free_result();
    if(return != 0) return 1;
    return 0;
}
Lastly, MD5 is probably the worst algorithm you could use. Most MD5 passwords can be cracked easily with websites online that offer this function.
Reply
#6

hey,
thx, it now works right without the md5 tag. It was dump to doublemd5 the password xD
Yeah but if i use a salt fo my md5 than its safer right? ^^

If i will use your code:

Код:
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    new query[130];
    mysql_real_escape_string(Name, Name);
    format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", Name, password);
    mysql_query(query);
    mysql_store_result();
    new return = mysql_num_rows();
    mysql_free_result();
    if(return != 0) return 1;
    return 0;
}
how i must chek it right in my case DIALOG_LOGIN:

can u give me a simple way
Reply
#7

Quote:
Originally Posted by s3rserii
Посмотреть сообщение
hey,
thx, it now works right without the md5 tag. It was dump to doublemd5 the password xD
Yeah but if i use a salt fo my md5 than its safer right? ^^

If i will use your code:

Код:
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    new query[130];
    mysql_real_escape_string(Name, Name);
    format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", Name, password);
    mysql_query(query);
    mysql_store_result();
    new return = mysql_num_rows();
    mysql_free_result();
    if(return != 0) return 1;
    return 0;
}
how i must chek it right in my case DIALOG_LOGIN:

can u give me a simple way
SHA1 is even more secure, whirlpool would be ideal. All you would need to do in the input dialog is instead of using strcmp, do this:
pawn Код:
if(!mysql_ReturnPasswort(SpielerName, inputtext)) //If the person typed the wrong password
Reply
#8

ok, i will look to secure with whirlpool,

code error
Код:
error 001: expected token: "-identifier-", but found "return"
Reply
#9

pawn Код:
stock mysql_ReturnPasswort(Name[], password[]) //Put inputtext as password
{
    new query[130];
    mysql_real_escape_string(Name, Name);
    format(query, 128, "SELECT Password FROM `Accounts` WHERE `Name` = '%s' AND Password = MD5('%s')", Name, password);
    mysql_query(query);
    mysql_store_result();
    new return_v = mysql_num_rows();
    mysql_free_result();
    if(return_v != 0) return 1;
    return 0;
}
Sorry, I accidentally named the variable return :P.
Reply
#10

thx now it works fine
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)