
[MySQL]I can't check username and password for mysql login system


Asokanta


Hello guys, I'm making my own login-register system using MySQL but I can't check the username and password;

local sorgu = dbQuery( userdata_db, "SELECT * FROM `database` WHERE `USERNAME`=? AND `PASSWORD`=?",username,password )
local result = dbPoll ( sorgu, -1 )
if result == 1 then

I'm using this code to select the data but I can't get a result for the check.

(there are no console logs; it fails when I try the command)


Result is never going to be 1, it's either nil, false or a table. Try


local sorgu = dbQuery( userdata_db, "SELECT * FROM `database` WHERE `USERNAME`=? AND `PASSWORD`=? LIMIT 1",username,password )
local result = dbPoll ( sorgu, -1 )
if result and #result >= 1 then

function sqlGiris ( player, command, arg1, arg2, oyuncu )
	local command = "girisyap"   -- shadows the command name passed in by addCommandHandler
	local username = arg1
	local password = arg2

	if ( command ) and ( arg1 ~= "" and arg1 ~= nil and arg2 ~= "" and arg2 ~= nil ) then
		local sorgu = dbQuery( userdata_db, "SELECT * FROM `database` WHERE `USERNAME`=? AND `PASSWORD`=? LIMIT 1", username, password )
		local result = dbPoll( sorgu, -1 )
		if result and #result >= 1 then
			outputDebugString( "Giris Basarili." )   -- Login confirmed.
		else
			outputDebugString( "Giris Basarisiz." )  -- Login error.
		end
	end
end
addCommandHandler( "girisyap", sqlGiris )


When I try the command with arguments it always says login confirmed.


So, your login function looks super wrong to me. First of all, the variables handed to the function are local variables, so local username = arg1 etc. is totally unnecessary. Secondly, when handling sensitive data like usernames and passwords you should always take proper security measures. At this point I'm afraid of creating an account on any MTA server with a password other than 12345... it seems no one takes security seriously.

Saving usernames and passwords is no joke: if your database is hacked, the hacker has all the players' usernames and passwords as clear text. Many people use one password for pretty much everything; while that isn't something you can change, you can at least put a little effort into securing your players' data.

A proper way to do this looks something like this:

--[[
- Attempts to log the player into the given account
-
-	@param <string> username: Username for the account
-	@param <string> password: Password for the account
]]
function requestPlayerLogin( username, password )
	if not username or not password or username == "" or password == "" then
		outputDebugString( "Function requestPlayerLogin called without a username or password.", 2 )
		return
	end

	-- get the account from the database
	local result = databaseQuery( "account", "SELECT `account_id`, `name`, `password`, `online` FROM `accounts` WHERE `name`=?", username )
	-- guard against an empty result set as well as a failed query
	if result and result[1] then
		-- grab the account data from the query result
		local account = result[1]
		
		-- the password field holds the 64 hex chars of the sha256 hash followed by the salt;
		-- get the salt from the password field and hash the password sent by the client
		local salt = string.sub( account.password, 65 )
		password = sha256( salt..password )
		
		-- check if the hash and the database hash match
		if password == string.sub( account.password, 1, 64 ) then
			-- check the online state of the account
			if account.online == 1 then
				-- let the player know that his account is already logged in
				outputChatBox( string.format( loc(client, "your_account_is_already_logged_in"), get("website") ), client, 255, 128, 128 )
				return
			else
				-- set the account's online flag (dbQuery quotes ? arguments itself, so no quotes around the placeholder)
				result = databaseQuery( "account", "UPDATE `accounts` SET `online`=1, `last_online`=CURRENT_TIMESTAMP WHERE (`account_id`=?)", account.account_id )
				if result then
					outputDebugString( "Successfully logged player ".. getPlayerName(client) .." in." )
					
					-- save the player's account id
					playerAccount[client] = account.account_id
					playerAccountName[client] = account.name
					
					-- trigger the server and client login event
					triggerEvent( "onPlayerSQLLogin", resourceRoot, client, account.account_id )
					triggerClientEvent( client, "onClientPlayerLogin", resourceRoot )
					
					-- log a successful login
					databaseQuery( "account", "INSERT INTO `accountlogins` (`account`, `address`, `serial`, `success`) VALUES (?,?,?,?)", account.account_id, getPlayerIP(client), getPlayerSerial(client), 1 )
					return
				end
			end
		end
		
		-- log a failed login attempt
		databaseQuery( "account", "INSERT INTO `accountlogins` (`account`, `address`, `serial`, `success`) VALUES (?,?,?,?)", account.account_id, getPlayerIP(client), getPlayerSerial(client), 0 )
	end

	-- if we reach this the login request failed

	-- NOTE
	-- We stick to a generic error message, even though this isn't super user friendly
	-- this prevents a hacker from finding out valid usernames by trying to log into them.
	outputChatBox( loc(client, "invalid_username_or_password"), client, 255, 128, 128 )
end		--[[ requestPlayerLogin ]]

Note that I'm saving passwords as a salted hash and also logging any attempt to log into an account. The databaseQuery function is pretty much just a dbQuery and dbPoll packed together with some other small things.

Edited by 3aGl3
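The storage layout and check used in the function above (64 hex characters of sha256(salt..password) followed by the salt, one generic failure message for both unknown names and wrong passwords, and a refusal when the account is already online) as an added, stand-alone example. This is not 3aGl3's code nor MTA's API: the `accounts` table is replaced by an in-memory dict, the names `make_password_field`, `register`, `verify_password` and `request_login` are my own, and `hmac.compare_digest` is used for the hash comparison so that the compare does not leak timing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the `accounts` table: name -> row dict.
# The password field uses the same layout as the post above:
# 64 hex chars of sha256(salt .. password) immediately followed by the salt.
ACCOUNTS: Dict[str, dict] = {}

HASH_HEX_LEN = 64  # length of a sha256 digest rendered as hex


def make_password_field(password: str, salt: Optional[str] = None) -> str:
    """Return the field to store: sha256(salt + password) as hex, then the salt."""
    if salt is None:
        salt = secrets.token_hex(16)  # 32 hex chars, fresh for every account
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return digest + salt


def register(name: str, password: str) -> bool:
    """Create an account row; refuse empty values and duplicate names."""
    if not name or not password or name in ACCOUNTS:
        return False
    ACCOUNTS[name] = {
        "name": name,
        "password": make_password_field(password),
        "online": 0,
    }
    return True


def verify_password(stored_field: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    stored_hash = stored_field[:HASH_HEX_LEN]
    salt = stored_field[HASH_HEX_LEN:]
    candidate_hash = hashlib.sha256((salt + candidate).encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored_hash, candidate_hash)


def request_login(name: str, password: str) -> Tuple[bool, str]:
    """Same control flow as requestPlayerLogin: one generic message for every failure."""
    generic = "invalid_username_or_password"
    if not name or not password:
        return False, generic
    row = ACCOUNTS.get(name)
    if row is None:
        # Unknown user gets the same message as a wrong password, so names cannot be probed.
        return False, generic
    if not verify_password(row["password"], password):
        return False, generic
    if row["online"] == 1:
        return False, "your_account_is_already_logged_in"
    row["online"] = 1  # the UPDATE `accounts` SET `online`=1 step
    return True, "ok"


if __name__ == "__main__":
    register("alice", "hunter2")
    print(request_login("alice", "hunter2"))  # (True, 'ok')
    print(request_login("alice", "hunter2"))  # already online
    print(request_login("bob", "hunter2"))    # unknown name, generic message
```

Because the salt is stored in clear next to the hash, the only secret is the password itself; the salt's job is to stop one precomputed table from covering every account, which is exactly what the plain md5 scheme discussed later in the thread lacks.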

I know md5 and the others; I said I need to check data using username and password, I'm not talking about security. Help or don't help. Now get out of my post.

If anyone can hack my server I'll give the passwords and usernames directly.

Edited by Asokanta
5 hours ago, Asokanta said:

I know md5 and the others; I said I need to check data using username and password, I'm not talking about security. Help or don't help. Now get out of my post.

If anyone can hack my server I'll give the passwords and usernames directly.

Sure, I posted you a fully working login function as well as pointing out numerous things that could simplify your script.
If that doesn't help you, maybe consider letting scripting go.

Also... my mobile phone can crack md5 within seconds, it's unsafe too.

6 minutes ago, 3aGl3 said:

Sure, I posted you a fully working login function as well as pointing out numerous things that could simplify your script.
If that doesn't help you, maybe consider letting scripting go.

Also... my mobile phone can crack md5 within seconds, it's unsafe too.

That's why IPB is using the blowfish method. Combine the md5-encrypted password and a random md5-encrypted security code you can choose, and encrypt that then. Then you get the final result of it. If that's done, then the code has to be the same on the MySQL database; if yes, then you log in.

local SecurityCode = "SecurityIsNotGrantedWithoutThisStringBeingEncypted"
local password = "Blowfish" -- Currently just to have a password
function EncryptPassWord()
	local Licensepass = md5( md5( SecurityCode ) .. md5( password ) )
	outputDebugString( "The password on the mysql database is :" .. Licensepass )
end

Nobody will have a method to open this unless they've got the SecurityCode. So encrypt your files so they can't get the security code.

Edited by Syntrax#

No, no, no, no: md5 is insecure, period! MTA offers sha256 and you should use it.
I don't want to get too lengthy about it, but you can read this if you want more info on password security. Or just google "how to password security" or something... just don't think it's a joke. User data is sensitive data, even more so if you save something like players' mail addresses as well.

On 18-3-2017 at 13:09, 3aGl3 said:

No, no, no, no: md5 is insecure, period! MTA offers sha256 and you should use it.
I don't want to get too lengthy about it, but you can read this if you want more info on password security. Or just google "how to password security" or something... just don't think it's a joke. User data is sensitive data, even more so if you save something like players' mail addresses as well.

Encrypted license key and encrypted password and then combining it is nearly impossible to crack. It will take around months in order to crack just one, and if the license key is around 30 numbers and characters then it's taking years to crack (except if you have a NASA supercomputer at your service).

Try to decrypt this to prove your point:

eb8b688620854ae06894ddd97baa219a

Edited by Syntrax#
1 hour ago, Syntrax# said:

Encrypted license key and encrypted password and then combining it is nearly impossible to crack. It will take around months in order to crack just one, and if the license key is around 30 numbers and characters then it's taking years to crack (except if you have a NASA supercomputer at your service).

Try to decrypt this to prove your point:

eb8b688620854ae06894ddd97baa219a

Given that I have no experience and/or interest in cracking hashes etc., and that I really don't want to argue this out, I'll just say this:

Whatever. Have it your way.

That doesn't change the fact that md5 should be considered insecure and that choosing md5 for encrypting passwords is like choosing a lower-quality product out of habit instead of a better one that would have the same price...

It's not like he is developing something for NASA, but still, he might as well choose the best option available. It's a known fact that MD5 is insecure because of collisions. "A collision is when two different inputs create the same output. As a result, maybe both "hunter2" and "password" will work on my account. That's not normally a problem, as the chance of a collision is extremely rare, but when brute forcing is applied, collisions make it much easier to crack a valid password (it might not be the same password you used, but it'll work the same)." MD5 is much faster than sha256, making it even easier to hack by brute forcing.

Source: https://www.reddit.com/r/explainlikeimfive/comments/1f869t/eli5_why_is_md5_considered_the_most_secure/

On 16/03/2017 at 15:35, Asokanta said:

It says login confirmed when I use the command with arguments like username and password.

If you do it the same way in your original function but it always says "login error", my guess is that the username and/or password values are not correct.

Did you try to print the value of those variables before calling dbQuery? Are they correct?

You can also try to log the queries with debugdb 2.

Come back with the results of your tests.
