AriusII

Other [PHP/PDO] IntersectCMS, problem with hashing password ..?


Hello everyone :) !

I'm doing a little project for this community: a website for your own game server!

This CMS uses my own base code from other CMS game websites and works like a charm; I just edited it to make it work with Intersect / MySQL (and maybe SQLite too, if I'm motivated to do the SQLite JDBC connection).

But I'm a bit frustrated about something...

I have a problem with my login form (B-E code), specifically with the password hashing result.
If my clear-text password is: Dragon123 and my salt is: 357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188
It makes the hash form like this = Dragon123357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188
Right?
My Password column tells me the result is: 7DE02F71146E0BA0B33BFB7BBA8C99A258DEEF71FD83C401F5CD240C2A1F8352

I tried going here: https://passwordsgenerator.net/sha256-hash-generator/ and entering my clear password + salt (cf. Dragon123357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188)
and got another hash: 309407CFBF0798BB31795E88384B4482F2A296C54CA1FEB8AD52A7AFCA5B0CCA
You can try it... and you can see it's not the same result / hash.
So here is my first problem, and after reading the docs by @jcsnider ( https://www.freemmorpgmaker.com/docs/en/Advanced_Topics/Database.html ), no doubt about the password encryption...

It's in PHP/PDO.
Here is my page for the connection (checking whether the values are correct and the user is able to log on to the site):
 


<?PHP

if(isset($_POST['submit']) && ($_POST['submit']=="login" || $_POST['submit']=="LOGIN" || $_POST['submit']=="Login")) 
{
    if(!empty($_POST['userid']) && !empty($_POST['userpass']) && checkAnum($_POST['userid']) && checkAnum($_POST['userpass'])) 
    {
        // Prepare the SELECT; ':name' is a PDO placeholder bound at execute() time, for security reasons.
        $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Salt,Password,Email,Web_Admin
                                      FROM  users 
                                      WHERE  Name = :name');
        $stmt->execute(['name' => $_POST['userid']]);
        $fetch = $stmt->fetch(); // The matching row, or false when no user has this name
        if ($fetch !== false)
        {
            // Hash the clear-text password entered in the web form together with the salt from the row (SHA-256).
            $hash = hash('sha256', $_POST['userpass'].$fetch['Salt']);
            if ($hash === $fetch['Password']) // Compare the fresh hash with the password hash stored in the database
            {
                echo 'Work!!!!'; // Debug output to see whether the login succeeded
                // Connected: start a session for the other settings.
                // The row was already read by fetch() above, so it is reused here instead of fetching again.
                $_SESSION['user_id'] = $fetch['Id'];
                $_SESSION['user_name'] = $fetch['Name'];
                $_SESSION['user_admin'] = $fetch['Web_Admin'];
                $_SESSION['user_email'] = $fetch['Email'];
                // Bind the values instead of concatenating them into the SQL string
                $updateIP = $SQL_PLAYER->prepare('UPDATE users SET Web_Ip = :ip WHERE Id = :id');
                $updateIP->execute(['ip' => $_SERVER['REMOTE_ADDR'], 'id' => $fetch['Id']]);
            }
        }
    }
}


And as you can see, I do the same procedure... but it's not working. Does someone know why?
- Arius


The pass field in the database uses a hashed pass and not a plain text pass.

SHA256 (Hashed Pass + Salt)

 

As for getting PHP's hashing to work exactly like C#'s, I don't have a perfect answer off the top of my head at this moment... I'll play with this some and follow up soon.

 


Ohhhh! OK, thanks! Sorry!
I thought it was plain text pass + Salt, but you do two conversions.
Sha256 + PlainText = hash1
Hash1+Salt = hash2 = Password.

It's done :D !


Yeah, it's working... I just needed to do some conversions:
 


<?PHP
  
if(isset($_POST['submit']) && ($_POST['submit']=="login" || $_POST['submit']=="LOGIN" || $_POST['submit']=="Login")) 
{
    if(!empty($_POST['userid']) && !empty($_POST['userpass']) && checkAnum($_POST['userid']) && checkAnum($_POST['userpass'])) 
    {
        $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Salt,Password,Email,Web_Admin
                                      FROM  users 
                                      WHERE  Name = :name');
        $stmt->execute(['name' => $_POST['userid']]);
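        $fetch = $stmt->fetchObject(); // false when no user has this name
        if ($fetch !== false)
        {
            // Two passes: SHA-256 of the password as upper-case hex, then SHA-256 of that string plus the salt
            $hash1 = hash('sha256', $_POST['userpass']);
            $hash = hash('sha256', strtoupper($hash1).$fetch->Salt);
            // hash_equals() compares the two strings in constant time, unlike the loose "=="
            if (hash_equals((string) $fetch->Password, strtoupper($hash)))
            {
                $_SESSION['user_id'] = $fetch->Id;
                $_SESSION['user_name'] = $fetch->Name;
                $_SESSION['user_admin'] = $fetch->Web_Admin;
                $_SESSION['user_email'] = $fetch->Email;
                // Bind the values instead of concatenating them into the SQL string
                $updateIP = $SQL_PLAYER->prepare('UPDATE users SET Web_Ip = :ip WHERE Id = :id');
                $updateIP->execute(['ip' => $_SERVER['REMOTE_ADDR'], 'id' => $fetch->Id]);
            }
        }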
    }
}

  if(empty($_SESSION['user_id'])) 
  {
    unset($_SESSION['user_id']);
    unset($_SESSION['user_name']);
    unset($_SESSION['user_admin']);
    unset($_SESSION['user_email']);
  }
  else {
    $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Password,Salt,Email,Web_Admin
                              FROM  users 
                              WHERE Web_Ip = :ip
                              AND Id = :id');
    $stmt->execute(['ip' => $_SERVER['REMOTE_ADDR'],'id' => $_SESSION['user_id']]); 
    $stmt_r = $stmt->rowCount();
    if($stmt_r>0)  
    {
      $getAdmin = $stmt->FetchObject();
      $_SESSION['user_id'] = $getAdmin->Id;
      $_SESSION['user_name'] = $getAdmin->Name;
      $_SESSION['user_admin'] = $getAdmin->Web_Admin;
      $_SESSION['user_email'] = $getAdmin->Email;
    }
    else
    {
        unset($_SESSION['user_id']);
        unset($_SESSION['user_name']);
        unset($_SESSION['user_admin']);
        unset($_SESSION['user_email']);
    }
  }



Here is a GIF as an example.
https://i.imgur.com/JQasyyF.gifv

This topic is now closed to further replies.
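
The two-pass scheme worked out in this thread, as an added example that is not the poster's or Intersect's own code. It assumes the `pdo_sqlite` extension; the function names `intersectHash` and `verifyLogin`, the in-memory table, the sample account and its salt are all constructed for illustration.

```php
<?php
// Added example: not the poster's or Intersect's code.
// Scheme as worked out in this thread:
//   Password = UPPER(SHA256( UPPER(SHA256(plain)) . Salt ))

function intersectHash(string $plain, string $salt): string   // hypothetical helper name
{
    $inner = strtoupper(hash('sha256', $plain));   // first pass, upper-case hex
    return strtoupper(hash('sha256', $inner . $salt));
}

function verifyLogin(PDO $db, string $name, string $plain, string $ip): ?array   // hypothetical
{
    $stmt = $db->prepare('SELECT Id, Name, Salt, Password FROM users WHERE Name = :name');
    $stmt->execute(['name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);          // false when the name is unknown

    // Unknown user: hash against placeholder values so both paths do the same work.
    $salt   = $row ? (string) $row['Salt']     : str_repeat('0', 64);
    $stored = $row ? (string) $row['Password'] : str_repeat('0', 64);
    $match  = hash_equals($stored, intersectHash($plain, $salt));  // constant-time compare
    if (!$row || !$match) {
        return null;                                // same answer for bad name and bad password
    }
    // Bound parameters, no string concatenation into the SQL.
    $upd = $db->prepare('UPDATE users SET Web_Ip = :ip WHERE Id = :id');
    $upd->execute(['ip' => $ip, 'id' => $row['Id']]);
    return $row;
}

// Constructed data: in-memory SQLite table with one sample account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (Id TEXT, Name TEXT, Salt TEXT, Password TEXT, Web_Ip TEXT)');
$salt = strtoupper(bin2hex(random_bytes(32)));      // constructed salt, 64 hex characters
$db->prepare('INSERT INTO users (Id, Name, Salt, Password) VALUES (?, ?, ?, ?)')
   ->execute(['1', 'Arius', $salt, intersectHash('Dragon123', $salt)]);

// Right password, wrong case, unknown user (192.0.2.10 is a documentation address).
foreach ([['Arius', 'Dragon123'], ['Arius', 'dragon123'], ['Nobody', 'Dragon123']] as [$n, $p]) {
    $ok = verifyLogin($db, $n, $p, '192.0.2.10') !== null;
    printf("%-7s %-10s %s\n", $n, $p, $ok ? 'accepted' : 'rejected');
}
```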
