Any PHP developer that may help me here?
#1

Hey guys, I am trying to allow the user to connect using the same account as in game, I use SHA256 and a salt in game so this is what I tried to do:

PHP code:
if(isset($_POST) && array_key_exists('sendit', $_POST))
{
    $userAccountInput  = mysqli_real_escape_string($db, $_POST['username']);
    $userPasswordInput = mysqli_real_escape_string($db, $_POST['password']);

    $sql = "SELECT `ID`, `PASSWORD`, `SALT` FROM `USERS` WHERE `USERNAME` = '$userAccountInput'";

    $result = mysqli_query($db, $sql);
    if (!$result) {
        printf("Error: %s\n", mysqli_error($db));
        exit();
    }

    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);

    $active = $row['active']; // `active` is not in the SELECT list above, so this is always null

    $count = mysqli_num_rows($result);

    $saltFromDatabase = $row["SALT"];
    $hashFromDatabase = $row["PASSWORD"];

    // hash_hmac() computes HMAC-SHA256 keyed with the salt, which is not the same
    // value as the plain SHA-256 of password . salt.
    function testPassword($fPassword, $fSaltFromDatabase, $fHashFromDatabase){
        if (hash_hmac("sha256", $fPassword, $fSaltFromDatabase) === $fHashFromDatabase){
            return(true);
        }else{
            return(false);
        }
    }
PHP code:
    if(testPassword($userPasswordInput, $saltFromDatabase, $hashFromDatabase)){
        session_start(); // session_register() no longer exists in PHP; start the session before writing $_SESSION
        $_SESSION['login_user'] = $userAccountInput;
        $_SESSION['user_ID'] = $row['ID']; // MYSQLI_ASSOC rows are keyed by column name, so $row[0] was undefined
        header("location: ../index.php");
    }else{
        header("location:login.php?msg=failed");
    }
}
But even if the password is right in game, it still sends the user to the msg=failed, so I assume that this SHA256 does another hash on the password instead of the one that has been done in game.
Reply
#2

This is my little attempt to make a UCP for sa-mp using sha-256
The PHP hash function for SHA-256 generates lower-case letters, but SA-MP generates upper-case letters in the hash, so you need to make the PHP hash upper-case to match the input against the password from the database.

PHP code:
$row = $stmt->fetch();
if($row)
{
    // Using the password submitted by the user and the salt stored in the database,
    // we now check to see whether the passwords match by hashing the submitted password
    // and comparing it to the hashed version already stored in the database.
    $check_password = hash('sha256', $_POST['password'] . $row['salt']);

    if(strtoupper($check_password) === $row['password'])
    {
        // If they do, then we flip this to true
        $login_ok = true;
    }
}
Reply
#3

I've added strtoupper to my if statement
PHP code:
if(strtoupper(testPassword($userPasswordInput, $saltFromDatabase), $hashFromDatabase)){
still not working, did I understand your example wrong?



#EDIT

I tried this too

PHP code:
$check_password = hash('sha256', $row['PASSWORD'] . $row['SALT']);

if(strtoupper($check_password) === $row['password']){
still not working :/
Reply
#4

echo the output of your hash and $fHashFromDatabase, are they even similar?
Reply
#5

Quote:
Originally Posted by ]Kurence[
View Post
echo the output of your hash and $fHashFromDatabase, are they even similar?
Nope... it's not the same... didn't think to output it, but why... I use sha256 in both places, why isn't it the same..
Reply
#6

Hmm, how exactly are you creating the hash in your pawn script?
Reply
#7

PHP code:
for (new i = 0; i < 10; i++)
{
    PlayerInfo[playerid][Salt][i] = random(79) + 47;
}
PHP code:
PlayerInfo[playerid][Salt][10] = 0;
SHA256_PassHash(inputtext, PlayerInfo[playerid][Salt], PlayerInfo[playerid][pPass], 65);
Reply
#8

The problem is that PHP's hash function returns a hex-encoded string instead of raw bytes by default, while PAWN's function returns raw bytes by default, so you have to pass true as the 3rd argument like this:

PHP code:
hash('sha256', $row['PASSWORD'] . $row['SALT'], true);
Reply
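A worked check of the two points raised above (post #2's upper-case issue and post #8's hex-versus-raw-bytes argument), added here as an example and not code from the thread. It assumes, as posts #2 and #7 indicate, that SHA256_PassHash(password, salt, dest, 65) stores the SHA-256 of password . salt as 64 upper-case hex characters; the function names and sample values are mine.

```php
<?php
// Added example, not code from the thread. Assumes (as posts #2 and #7 indicate)
// that SHA256_PassHash(password, salt, dest, 65) stores the SHA-256 of
// password . salt as 64 upper-case hex characters. Function names are mine.

function samp_password_hash(string $password, string $salt): string
{
    // hash() returns lower-case hex by default; the gamemode stores upper-case,
    // so normalise before comparing (post #2).
    return strtoupper(hash('sha256', $password . $salt));
}

function samp_password_verify(string $password, string $salt, string $storedHash): bool
{
    // hash_equals() compares in constant time; === leaks how many leading
    // characters matched through timing.
    return hash_equals(samp_password_hash($password, $salt), $storedHash);
}

function raw_and_hex_agree(string $password, string $salt): bool
{
    // Post #8's third argument: hash(..., true) yields 32 raw bytes, not 64 hex
    // characters. bin2hex() of those bytes is the same string as the default form,
    // so a raw digest can never equal a hex column without re-encoding it.
    $raw = hash('sha256', $password . $salt, true);
    return strlen($raw) === 32
        && strtoupper(bin2hex($raw)) === samp_password_hash($password, $salt);
}

// Constructed sample values, not real account data.
$salt     = 'Q7#kLm2pZx';   // 10 printable chars, as the Pawn loop in post #7 builds
$password = 'hunter2';
$stored   = samp_password_hash($password, $salt);   // what the gamemode would have saved

var_dump(samp_password_verify('hunter2', $salt, $stored));   // correct password
var_dump(samp_password_verify('Hunter2', $salt, $stored));   // wrong password
var_dump(raw_and_hex_agree($password, $salt));
```

The database lookup itself is left out so the block runs without a server; the values to pass in are the SALT and PASSWORD columns from the row the login query returns.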
#9

Quote:
Originally Posted by iKarim
View Post
The problem is that PHP's hash function returns a hex-encoded string instead of raw bytes by default, while PAWN's function returns raw bytes by default, so you have to pass true as the 3rd argument like this:

PHP code:
hash('sha256', $row['PASSWORD'] . $row['SALT'], true);
I actually thought of that, will try it later and come back to edit this message.
Reply
#10

I just want to note that you shouldn't use the superglobals directly because it makes your site very vulnerable to XSS attacks. While real_escape_string may strip some sensitive symbols, I reckon it would still be possible to insert arbitrary HTML and/or JavaScript code. Have a look at http://php.net/manual/en/function.filter-input.php
Reply
#11

Quote:
Originally Posted by Vince
View Post
I just want to note that you shouldn't use the superglobals directly because it makes your site very vulnerable to XSS attacks. While real_escape_string may strip some sensitive symbols, I reckon it would still be possible to insert arbitrary HTML and/or JavaScript code. Have a look at http://php.net/manual/en/function.filter-input.php
So I should use something like:

PHP code:
$user_ID = filter_input(INPUT_GET, '$row[ID]', FILTER_SANITIZE_NUMBER_INT);
for all the variables?

The question is, how do I make those global? I wasn't aware of those possible attacks as I am still learning; all the tutorials that I've read were teaching me to use session variables and none of them mentioned anything about a safe way to do them.
Reply
#12

You only have to sanitize user input, i.e. stuff that is passed through $_GET, $_POST or $_REQUEST. Whatever is already stored in the database ought to be already clean and doesn't have to be cleaned again.

So instead of
PHP code:
$user = $_POST['user'];
you do
PHP code:
$user = filter_input(INPUT_POST, 'user', FILTER_SANITIZE_STRING);
Reply
#13

Quote:
Originally Posted by Vince
View Post
You only have to sanitize user input, i.e. stuff that is passed through $_GET, $_POST or $_REQUEST. Whatever is already stored in the database ought to be already clean and doesn't have to be cleaned again.

So instead of
PHP code:
$user = $_POST['user'];
you do
PHP code:
$user = filter_input(INPUT_POST, 'user', FILTER_SANITIZE_STRING);
Thanks a lot for letting me know.

Also, I use session variables to be able to use those variables on other pages too, is there any other better way because I heard that sessions can be hijacked, I don't think that anyone will waste his time to hijack a SAMP UCP session but still.
Reply
#14

Bind a session to an IP: when the player logs in, save his IP as a session variable. Then when you receive a request, always make sure that the real IP and this saved IP are the same.
Reply
#15

Quote:
Originally Posted by ]Kurence[
View Post
Bind a session to an IP: when the player logs in, save his IP as a session variable. Then when you receive a request, always make sure that the real IP and this saved IP are the same.
What if player's IP changes? For example a dynamic IP or if they use some sort of software that changes it, I've read about this on ****** but I also found that it is not that good due to the IPs changing...
Reply
#16

Quote:
Originally Posted by AndreiWow
View Post
What if player's IP changes? For example a dynamic IP or if they use some sort of software that changes it, I've read about this on ****** but I also found that it is not that good due to the IPs changing...
Well, the user has to log in again. There is no need to save their sessions/IPs permanently.

You just have to check if the session exists with the IP address that is currently assigned; if so, he will still be logged in, and if not, just delete the user session. You can get the current session of a request/user with: http://php.net/manual/en/function.session-id.php
Reply
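A session handler that does what posts #14 and #16 describe, added as an example and not code from the thread. The helper names are mine; the only PHP built-ins used are session_start(), session_regenerate_id(), session_unset(), session_destroy() and $_SERVER['REMOTE_ADDR']. It also regenerates the session id at login, which the thread does not mention but which stops a session id issued before login from being carried into the logged-in session.

```php
<?php
// Added example, not code from the thread. Helper names are mine.

function login_user(int $userId, string $username, string $clientIp): void
{
    // Fresh session id after authentication, so an id handed out before login
    // is not carried over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_ID']    = $userId;
    $_SESSION['login_user'] = $username;
    $_SESSION['login_ip']   = $clientIp;   // post #14: remember the login IP
}

function session_is_valid(string $clientIp): bool
{
    if (!isset($_SESSION['user_ID'], $_SESSION['login_ip'])) {
        return false;                       // nobody logged in on this session
    }
    // Post #16: same IP as at login -> still logged in, otherwise not.
    return $_SESSION['login_ip'] === $clientIp;
}

function logout_user(): void
{
    // Post #16: delete the user session rather than keeping it around.
    session_unset();
    session_destroy();
}

// At the top of every protected page (e.g. the ../index.php from post #1):
session_start();
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if (!session_is_valid($ip)) {
    logout_user();
    // Post #15's caveat: a user whose IP changed lands here and logs in again.
    header('Location: login.php?msg=failed');
    exit();
}
```

Call login_user() from the login handler right after the password check succeeds, in place of the $_SESSION writes in post #1.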
#17

It was actually my bad... I was using the username to match instead of the password; fixed it, silly mistake.. thanks everyone, and if there is someone else who wishes to share any tips with me just reply, I always like to learn new things. Thanks to those above who suggested security fixes to me.
Reply