[HELP] MySQL md5/Whirlpool hash (setting)
#1

Hello, dear scripters. I've found some bugs in my gamemode (luckily) in the login/registering system... My system is MySQL and I'm afraid of hosting it without Whirlpool, md5 or SHA1 because it isn't safe for my players; they could get hacked and I will lose my players... Can somebody install md5, sha1 or Whirlpool on the scripts, please? And one question: is it possible to get hacked without Whirlpool, md5, sha1?

CODES:

pawn Code:
public OnPlayerRegister(playerid, password[])
{
    if(IsPlayerConnected(playerid))
    {
        new string[128];
        new pName[MAX_PLAYER_NAME];
        pName = PlayerName(playerid);
        if(AccountExists(pName))
        {
            SendClientMessage(playerid, COLOR_WHITE, "ERROR! Your account exists! Please reconnect, if this repeats contact administrators on forums!");
            Kick(playerid);
            return 1;
        }
        new Escape[2][128];
        mysql_real_escape_string(pName, Escape[0]); // This function makes sure you don't get MySQL injected. Read about it by searching it on ******.
        SaveToMysql(password);
        mysql_real_escape_string(password, Escape[1]);
        format(string, 128, "INSERT INTO players (`Name`, `Key`) VALUES('%s', '%s')", Escape[0], Escape[1]);
        mysql_query_ex(string);
        gPlayerAccount[playerid] = 1;
        JustReg[playerid] = 1;
        OnPlayerDataSave(playerid);
    }
    return 1;
}
public OnPlayerLogin(playerid,password[])
{
    SendClientMessage(playerid, COLOR_WHITE, "Logging you in.");
    new string2[128], string[1024], pName[MAX_PLAYER_NAME], Escape[2][128], result[128];//keystring[256],
    pName = PlayerName(playerid);
    mysql_real_escape_string(pName, Escape[0]);
    SaveToMysql(password);
    mysql_real_escape_string(password, Escape[1]);
    format(string, sizeof(string), "SELECT * FROM players WHERE `Name`='%s' AND `Key`='%s'",Escape[0],Escape[1]);
    mysql_query_ex(string);
    mysql_store_result();
    SendClientMessage(playerid, COLOR_WHITE, "Checking your password...");
    if(mysql_num_rows() == 0)
    {
        mysql_free_result();
        SendClientMessage(playerid, COLOR_RED, "Your password is wrong!");
        ShowPlayerDialog(playerid, LOGIN_DIALOG, 1, "{3399CC}Information", "{FFFFFF}You have an account here, please type below your password to login.", "Login", "Quit");
        WrongPass[playerid]++;
        if(WrongPass[playerid]>6)
        {
            Kick(playerid);
        }
        return 1;
    }
Reply
#2

pawn Code:
//Global variable
new PlayerPassword[MAX_PLAYERS][129]; //In this we are going to store the hashed password

//OnPlayerRegister
WP_Hash(PlayerPassword[playerid], 129, password); //Now we hash 'password' which is the password sent to OnPlayerRegister and store it into PlayerPassword
//So to enter it in the database:
mysql_real_escape_string(PlayerPassword[playerid], Escape[1]);

//I'm not sure if it works 100 percent because I use SQLite, which is similar but slightly different.
Reply
#3

Well, as ****** said, there aren't any known ways of hacking Whirlpool-saved data. Plus you can escape your strings while loading/saving data from the DB. You are secure using those two systems.
Reply
#4

@knackworst
-Well, I put those variables in OnPlayerRegister and OnPlayerLogin, right? And no hacking

@dominik523
-Can I be hacked without md5/Whirlpool and sha1? And can you help me with installing md5 in the scripts? Please
Reply
#5

Well, Whirlpool is here just to encrypt your data. So if someone hacks your files, he won't know what is hidden under that encryption. Look in the thread for Whirlpool on how to use it. You will just need it for your login and register system.
Reply
#6

Can you give me some code on how to make Whirlpool protect my data?
knackworst, what do you think, will it work?
Reply
#7

Like knackworst wrote, you need to use the WP_Hash function each time a player enters, i.e., his password. After entering the password, the hashed password is saved into the player's stats.
When the player tries to log in, the text that he enters in the dialog box is hashed and compared to the saved one, which is also hashed. I can't give you any code examples right now; get some GM and see its register and login code.
Reply
#8

Ahmm, thanks, but when I write knackworst's code my server.exe can't run :S
Reply
#9

Did you add this at the top of your script?
Code:
native WP_Hash(_buffer[], len, const str[]);
And do you also have a Whirlpool plugin included? I mean in your server.cfg
Reply
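
Added example, not code from any poster in this thread: the hash-on-register and hash-then-compare-on-login flow described in posts #7 and #9, written to fit the gamemode from post #1. It assumes that gamemode's includes and its mysql_query_ex wrapper, the Whirlpool plugin loaded in server.cfg, and a `Key` column at least 128 characters wide; HashAndRegister and CheckPassword are hypothetical names.

```pawn
// Added example. Assumes the includes and the mysql_query_ex() wrapper of the
// gamemode in post #1, and the Whirlpool plugin listed in server.cfg.
native WP_Hash(_buffer[], len, const str[]);

#define HASH_LEN 129  // 128 hex characters of Whirlpool output + terminator
#define ESC_NAME (2 * MAX_PLAYER_NAME + 1)  // worst case after escaping

// Hypothetical helper: store only the digest, never the typed password.
stock HashAndRegister(playerid, const password[])
{
    new hash[HASH_LEN], name[MAX_PLAYER_NAME], escName[ESC_NAME], query[320];
    GetPlayerName(playerid, name, sizeof(name));
    mysql_real_escape_string(name, escName);
    WP_Hash(hash, sizeof(hash), password);
    // The digest is hex only, so it needs no escaping. The 128-cell query
    // buffer used in post #1 is too small once `Key` holds a 128-char hash.
    format(query, sizeof(query),
        "INSERT INTO players (`Name`, `Key`) VALUES('%s', '%s')", escName, hash);
    mysql_query_ex(query);
    return 1;
}

// Hypothetical helper: hash what the player typed and let MySQL compare it
// with the stored digest. Returns true when a matching row exists.
stock bool:CheckPassword(playerid, const password[])
{
    new hash[HASH_LEN], name[MAX_PLAYER_NAME], escName[ESC_NAME], query[320];
    GetPlayerName(playerid, name, sizeof(name));
    mysql_real_escape_string(name, escName);
    WP_Hash(hash, sizeof(hash), password);
    format(query, sizeof(query),
        "SELECT * FROM players WHERE `Name`='%s' AND `Key`='%s'", escName, hash);
    mysql_query_ex(query);
    mysql_store_result();
    new bool:ok = (mysql_num_rows() != 0);
    mysql_free_result();
    return ok;
}
```

Rows written before the switch still hold the typed password in `Key`, so those accounts will not match a hashed lookup until their stored value is replaced with its digest.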

