Password hashing problem.
#1

Alright, basically when you join you get a temp password. If you get accepted, that password gets used to create a player account; if not, it removes it. That works fine. However, once the player gets accepted and relogs and they enter their password, it says it is incorrect. I'm really stumped and cannot find the problem.


Code:
Dialog:Register(playerid, response, listitem, inputtext[])
{
    if (response)
    {
        if(isnull(inputtext))
        {
            //Dialog here
            return 1;
        }
        if(strlen(inputtext) < 6)
        {
            //Dialog here
            return 1;
        }
        SetPVarInt(playerid, "Approve", 0);
        SetPVarString(playerid, "TempPassword", inputtext);
        SetPVarInt(playerid, "TutQuestAmount", 0);
        SetIntVar(playerid, "RegisterPart", 1);
        return CallRemoteFunction("TutorialAnswers","i",playerid);
    }
    else
    {
        //Kick
    }
    return 1;
}
My login dialog:

Code:
Dialog:Login(playerid, response, listitem, inputtext[])
{
    if (response)
    {
        if(isnull(inputtext))
        {
            //DIALOG CODE
            return 1;
        }
        new pass[129];

        WP_Hash(pass, sizeof(pass), inputtext);

        format(query, sizeof(query), "SELECT * FROM `users` WHERE `name` = '%s' AND `password` = '%s' LIMIT 0,1", GetName(playerid), pass);
        mysql_function_query(dbHandle, query, true, "LoginPlayer", "i", playerid);
    }
    else
    {
        //Kick
    }
    return 1;
}
Code:
public TutorialAnswers(playerid)
{
    new string[128], playersip[32];
    if(GetPVarInt(playerid, "TutQuestAmount") >= 10)
    {
        GetPlayerIp(playerid,playersip,sizeof(playersip));
        DeletePVar(playerid,"AppSetup"), DeletePVar(playerid,"TutQuestAmount");
        new stxt[65];
        GetPVarString(playerid,"TempPassword",stxt,65);
        SHA256_PassHash(stxt, HASH_KEY, stxt, 65);
        DeletePVar(playerid,"TempPassword");
    }
blah blah, then if we approve the player, it calls the OnPlayerRegister function.

Code:
format(query, sizeof(query), "SELECT `Pass` FROM `applications` WHERE `Name`='%s'", name);
mysql_function_query(dbHandle, query, true, "OnPlayerRegister", "s", name);
Code:
public OnPlayerRegister(name[])
{
    if(cache_get_row_count() < 1) return print("[ERROR] OnPlayerRegister returned 'rows' as '0'.");
    new password[65], string[64], ip[16];
    cache_get_field_content(0, "Pass", password);
    new playerid = FindPlayer(name);
    if(playerid != -1)
    {
        // if player is online
        CreatePlayerAccount(playerid, password);
    }
    else
    {
        //else code
    }
    return 1;
}
Code:
stock CreatePlayerAccount(playerid, password[])
{
    new ip[16], pass[129];
    WP_Hash(pass, sizeof(pass), password);
    GetPlayerIp(playerid, ip, sizeof(ip));
    format(query, sizeof(query), "INSERT INTO `users` (name, password, registered, origin, playerIP) VALUES ('%s', '%s', 0, 'None', '%s')", GetName(playerid), pass, ip);
    mysql_function_query(dbHandle, query, true, "OnPlayerCreateAccount", "d", playerid);
    return 1;
}
#2

You are mixing Whirlpool and SHA256 (+salt), which are two different hashing algorithms with a different output hash. They are not interchangeable. While touching the subject of security, there's absolutely no need to save the user's password in a variable in its plain form. Store it as a hash immediately after it has been inputted in the dialog.
#3

I've also completely removed SHA256 hashing and used Whirlpool instead for TutorialAnswers, and I received the same output.
#4

Is the hash correctly being saved and loaded? An obvious thing to do would be to reset the account and register it again; I can only assume you have done so already.
#5

Yes, it is being saved and loaded correctly, as I believe, and I've also tried that.
#6

There must be an error in either your new implementation of Whirlpool without SHA256 or a problem in your saving/loading script. Can you update the topic with all code related to the above-mentioned? Also, I am assuming that you are leaving out big chunks of code between logical blocks (if password from the database is equal to the hashed input of the login dialog, etc.). If not, you have to do exactly that: evaluate whether the hashed input of the login dialog exactly matches the hashed password from the database (use strcmp for a string comparison; it returns a non-zero value [1 or -1] when string1 has non-matching characters with string2: https://sampwiki.blast.hk/wiki/Strcmp)

PHP code:
Dialog:Login(playerid, response, listitem, inputtext[]) {
    if(response) {
        if(isnull(inputtext)) {
            // ...
        }
        new hashedinput[129];
        WP_Hash(hashedinput, sizeof(hashedinput), inputtext);
        if(!strcmp(hashedinput, password_from_db)) {
            // Hashed input matches hashed password from the database
        }
        else {
            // else ...
        }
    }
    return 1;
}

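To make the mismatch between the register path in post #1 and the login comparison in post #6 concrete, here is an added Python model of both flows; it is not code from the thread or from SA-MP. SHA256_PassHash and WP_Hash are replaced by hashlib stand-ins with the same output shape (Whirlpool is swapped for SHA-512 because hashlib does not reliably expose Whirlpool), HASH_KEY is a constructed value, and the "fixed" functions are one assumed correct arrangement, not the poster's eventual fix.

```python
import hashlib
import hmac

HASH_KEY = "constructed-salt"  # stand-in for the script's HASH_KEY constant

def sha256_passhash(password, key=HASH_KEY):
    # Stand-in for SA-MP's SHA256_PassHash; assumed to be SHA-256 over
    # password + salt with an uppercase hex result (64 characters).
    return hashlib.sha256((password + key).encode()).hexdigest().upper()

def wp_hash(text):
    # Stand-in for WP_Hash. Whirlpool is not reliably exposed by hashlib, so
    # SHA-512 is used here; like Whirlpool it gives a 128-character hex digest.
    return hashlib.sha512(text.encode()).hexdigest().upper()

def stored_hash_as_posted(temp_password):
    # What the posted flow ends up writing to users.password: TutorialAnswers
    # stores SHA256_PassHash(temp) in applications.Pass, then
    # CreatePlayerAccount runs WP_Hash over that already-hashed value.
    return wp_hash(sha256_passhash(temp_password))

def login_matches_as_posted(temp_password, typed_password):
    # Dialog:Login hashes the raw typed password once with WP_Hash and
    # compares; this can never equal the double-hashed stored value.
    return hmac.compare_digest(stored_hash_as_posted(temp_password),
                               wp_hash(typed_password))

def stored_hash_fixed(temp_password):
    # Fixed flow: hash once at dialog input and carry that value through
    # applications -> users unchanged (no second hash in CreatePlayerAccount).
    return wp_hash(temp_password)

def login_matches_fixed(stored, typed_password):
    # Equivalent of post #6's `!strcmp(hashedinput, password_from_db)`,
    # done with a constant-time comparison.
    return hmac.compare_digest(stored, wp_hash(typed_password))

def looks_double_hashed(value_in_applications):
    # Sanity check on applications.Pass: a 64-char hex value is SHA-256
    # output, so a later WP_Hash over it would hash a hash, not a password.
    hexdigits = set("0123456789abcdefABCDEF")
    return len(value_in_applications) == 64 and set(value_in_applications) <= hexdigits

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("as posted:", login_matches_as_posted(pw, pw))             # False
    print("fixed:", login_matches_fixed(stored_hash_fixed(pw), pw))  # True
```

Running `looks_double_hashed` over the values actually sitting in the applications table is the quickest way to confirm which hash reached CreatePlayerAccount.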
#7

Yeah, do you have skype or we can forum pm, so it's easier to share and explain?
#8

Still having troubles.. :/
#9

Bump. I believe it is a loading problem; anyone have any ideas?