AriusII Posted March 25, 2019 Posted March 25, 2019 Hello everyone  ! I'm doing a little project for this community, having a WebSite for your own game server ! This CMS use my own base code for other CMS game website and work like a charm, I just edit it for make working with Intersect / MySQL ( And maybe SQLite too if i'm motivate to do sqlite jdbc connection ).But I'm a bit frustate about something.., I have a problem about my login form ( B-E code ) exactly about hashing password result., If my password in clear is : Dragon123 and my Salt is : 357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188 It's making the hash form like this = Dragon123357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188 Right ? My Password collumn saying me, the result it's : 7DE02F71146E0BA0B33BFB7BBA8C99A258DEEF71FD83C401F5CD240C2A1F8352 I have try to go here : https://passwordsgenerator.net/sha256-hash-generator/ and do my clear password + Salt. ( cf : Dragon123357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188 ) and getting an other hash : 309407CFBF0798BB31795E88384B4482F2A296C54CA1FEB8AD52A7AFCA5B0CCA You can try it .. and you can see it's not the same result / hashing. So here it's my first problem and after read the docs by @jcsnider ( https://www.freemmorpgmaker.com/docs/en/Advanced_Topics/Database.html ) No doubt about the password encryption ... it's in PHP/PDO. Here it's my page about the connection (asking if value are correct and be able to logon the site):  Spoiler <?PHP   if(isset($_POST['submit']) && ($_POST['submit']=="login" || $_POST['submit']=="LOGIN" || $_POST['submit']=="Login")) {   if(!empty($_POST['userid']) && !empty($_POST['userpass']) && checkAnum($_POST['userid']) && checkAnum($_POST['userpass']))   {      $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Salt,Password,Email                     FROM  users                     WHERE  Name = :name');  // I PREPARE MY SELECT FOR THE SQL COMMAND ' :name ' is my pdo var for the execute command more security reason.       $stmt->execute(['name' => $_POST['userid']]);       $stmt_r = $stmt->rowCount(); // Getting the row of the select if something match ?       $fetch = $stmt->fetch(); // Get all value storage in memory/cache       $hash = hash('sha256', $_POST['userpass'].$fetch['Salt']); // Try to hash my clear password ( enter in the web textbox with my Salt ( we get the salt with my fetch ) we correctly hashing it in SHA256.       if ($hash === $fetch['Password']) // We do the comparasion about my recent hash and the stored password hash stored in database       {          echo 'Work!!!!'; // Tryed to look if connected ... // Connecté          if($stmt_r>0) //get my value if the connection is good ( having a matching value )          {          $getAdmin = $stmt->FetchObject(); // Start a Session for other settings ...          $_SESSION['user_id'] = $getAdmin->Id;          $_SESSION['user_name'] = $getAdmin->Name;          $_SESSION['user_admin'] = $getAdmin->Web_Admin;        $_SESSION['user_email'] = $getAdmin->Email;        $updateIP = $SQL_PLAYER->query("UPDATE users SET Web_Ip='".($_SERVER['REMOTE_ADDR'])."' WHERE Id='".$getAdmin->Id."'");          }       }   } } And as you could see, I do the same procedure... but not working, someone know why ..? - Arius
jcsnider Posted March 25, 2019 Posted March 25, 2019 The pass field in the database uses a hashed pass and not a plain text pass. SHA256 (Hashed Pass + Salt) Â As for getting PHPs hashing to work exactly like C#s I don't have a perfect answer of the top of my head at this moment.. I'll play with this some and follow up soon. Â AriusII 1
AriusII Posted March 25, 2019 Author Posted March 25, 2019 Ohhhh ! Ok thanks ! Sorry ! I was thinked it's plain text pass + Salt, but you do two convertion. Sha256 + PlainText = hash1 Hash1+Salt = hash2 = Password. It's done  ! Sweet Candy 1
AriusII Posted March 25, 2019 Author Posted March 25, 2019 Yeah it's working ... just needed to do some convertions :  Spoiler <?PHP   if(isset($_POST['submit']) && ($_POST['submit']=="login" || $_POST['submit']=="LOGIN" || $_POST['submit']=="Login")) {   if(!empty($_POST['userid']) && !empty($_POST['userpass']) && checkAnum($_POST['userid']) && checkAnum($_POST['userpass']))   {      $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Salt,Password,Email,Web_Admin                     FROM  users                     WHERE  Name = :name');       $stmt->execute(['name' => $_POST['userid']]);       $fetch = $stmt->FetchObject();       $hash1 = hash('sha256', $_POST['userpass']);       $hash = hash('sha256', strtoupper($hash1).$fetch->Salt);       $stmt_r = $stmt->rowCount();       if (strtoupper($hash) == $fetch->Password)       {          if($stmt_r>0)          {          $_SESSION['user_id'] = $fetch->Id;          $_SESSION['user_name'] = $fetch->Name;          $_SESSION['user_admin'] = $fetch->Web_Admin;        $_SESSION['user_email'] = $fetch->Email;        $updateIP = $SQL_PLAYER->query("UPDATE users SET Web_Ip='".($_SERVER['REMOTE_ADDR'])."' WHERE Id='".$fetch->Id."'");          }       }   } }  if(empty($_SESSION['user_id']))  {   unset($_SESSION['user_id']);   unset($_SESSION['user_name']);   unset($_SESSION['user_admin']);   unset($_SESSION['user_email']);  }  else {   $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Password,Salt,Email,Web_Admin                FROM  users                WHERE Web_Ip = :ip                AND Id = :id');   $stmt->execute(['ip' => $_SERVER['REMOTE_ADDR'],'id' => $_SESSION['user_id']]);   $stmt_r = $stmt->rowCount();   if($stmt_r>0)    {    $getAdmin = $stmt->FetchObject();    $_SESSION['user_id'] = $getAdmin->Id;    $_SESSION['user_name'] = $getAdmin->Name;    $_SESSION['user_admin'] = $getAdmin->Web_Admin;    $_SESSION['user_email'] = $getAdmin->Email;   }    else    {       unset($_SESSION['user_id']);       unset($_SESSION['user_name']);       unset($_SESSION['user_admin']);       unset($_SESSION['user_email']);    }  } Here it is a gif for making the exemple.https://i.imgur.com/JQasyyF.gifv Xeno, Worldofjimmy, Sweet Candy and 1 other 4
AriusII Posted March 26, 2019 Author Posted March 26, 2019 #Request Close / Delete Thread ? Reason : I would like to do a correct thread about this; More Organised. Worldofjimmy 1
Recommended Posts