Asokanta, posted March 16, 2017:

Hello guys, I'm making my own login/register system using MySQL, but I can't check the username and password:

    local sorgu = dbQuery( userdata_db, "SELECT * FROM `database` WHERE `USERNAME`=? AND `PASSWORD`=?", username, password )
    local result = dbPoll( sorgu, -1 )
    if result == 1 then

I'm using this code to select the data, but I can't get a result for the check (there are no console logs; it fails when I try the command).
pa3ck, posted March 16, 2017:

Result is never going to be 1, it's either nil, false or a table. Try

    local sorgu = dbQuery( userdata_db, "SELECT * FROM `database` WHERE `USERNAME`=? AND `PASSWORD`=? LIMIT 1", username, password )
    local result = dbPoll( sorgu, -1 )
    if result and #result >= 1 then
Asokanta, posted March 16, 2017:

It didn't work. I want to check the data: if the data exists in the table it says login confirmed, but if the data doesn't exist in the table it needs to say login error. It says login confirmed when I use the command with arguments like username and password.
pa3ck, posted March 16, 2017:

If #result is greater than 1 it means the username and password are correct, there is data in the table. Can you show me the full code where you say login is confirmed?
Asokanta, posted March 16, 2017:

    function sqlGiris( player, command, arg1, arg2, oyuncu )
        local command = "girisyap"
        local username = arg1
        local password = arg2
        if ( command ) and ( arg1 ~= "" and arg1 ~= nil and arg2 ~= "" and arg2 ~= nil ) then
            local sorgu = dbQuery( userdata_db, "SELECT * FROM `database` WHERE `USERNAME`=? AND `PASSWORD`=? LIMIT 1", username, password )
            local result = dbPoll( sorgu, -1 )
            if result and #result >= 1 then
                outputDebugString("Giris Basarili.")  -- Login Confirmed.
            else
                outputDebugString("Giris Basarisiz.") -- Login Error.
            end
        end
    end
    addCommandHandler("girisyap", sqlGiris)

When I try the command with arguments it always says login confirmed.
Asokanta, posted March 16, 2017:

Can someone help me, please?
3aGl3, posted March 16, 2017:

So, your login function looks super wrong to me. First of all, the variables handed to the function are local variables, so local username = arg1 etc. is totally unnecessary. Secondly, when handling sensitive data like usernames and passwords you should always take proper security measures. At this point I'm afraid of creating an account on any MTA server with a password other than 12345... it seems no one takes security seriously. Saving usernames and passwords is no joke: if your database is hacked, the hacker has all the players' usernames and passwords as clear text. Many people use one password for pretty much everything; while that isn't something you can change, you can at least try to put a little effort into securing your players' data. A proper way to do this looks something like this:

    --[[
    - Attempts to log the player into the given account
    -
    - @param <string> username: Username for the account
    - @param <string> password: Password for the account
    ]]
    function requestPlayerLogin( username, password )
        if not username or not password or username == "" or password == "" then
            outputDebugString( "Function requestPlayerLogin called without a username or password.", 2 )
            return
        end

        -- get the account from the database
        local result = databaseQuery( "account", "SELECT `account_id`, `name`, `password`, `online` FROM `accounts` WHERE `name`=?", username )
        -- result[1] is nil when no row matched, so guard it before reading account fields
        if result and result[1] then
            -- grab the account data from the query result
            local account = result[1]

            -- get the salt from the password field and hash the password sent by the client
            local salt = string.sub( account.password, 65 )
            password = sha256( salt..password )

            -- check if the hash and the database hash match
            if password == string.sub( account.password, 1, 64 ) then
                -- check the online state of the account
                if account.online == 1 then
                    -- let the player know that his account is already logged in
                    outputChatBox( string.format( loc(client, "your_account_is_already_logged_in"), get("website") ), client, 255, 128, 128 )
                    return
                else
                    -- set the account's online flag
                    result = databaseQuery( "account", "UPDATE `accounts` SET `online`=1, `last_online`=CURRENT_TIMESTAMP WHERE (`account_id`='?')", account.account_id )
                    if result then
                        outputDebugString( "Successfully logged player ".. getPlayerName(client) .." in." )

                        -- save the player's account id
                        playerAccount[client] = account.account_id
                        playerAccountName[client] = account.name

                        -- trigger the server and client login event
                        triggerEvent( "onPlayerSQLLogin", resourceRoot, client, account.account_id )
                        triggerClientEvent( client, "onClientPlayerLogin", resourceRoot )

                        -- log a successful login
                        databaseQuery( "account", "INSERT INTO `accountlogins` (`account`, `address`, `serial`, `success`) VALUES (?,?,?,?)", account.account_id, getPlayerIP(client), getPlayerSerial(client), 1 )
                        return
                    end
                end
            end

            -- log a failed login attempt
            databaseQuery( "account", "INSERT INTO `accountlogins` (`account`, `address`, `serial`, `success`) VALUES (?,?,?,?)", account.account_id, getPlayerIP(client), getPlayerSerial(client), 0 )
        end

        -- if we reach this the login request failed
        -- NOTE -- We stick to a generic error message, even though this isn't super user friendly;
        -- this prevents a hacker from finding out valid usernames by trying to log into them.
        outputChatBox( loc(client, "invalid_username_or_password"), client, 255, 128, 128 )
    end --[[ requestPlayerLogin ]]

Note that I'm saving passwords as a salted hash and also log any attempt to log into an account. The databaseQuery function is pretty much just a dbQuery and dbPoll packed together with some other small things.
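An added example, not code from the thread or from MTA itself, that puts the two points made so far together: dbPoll returns a table of rows (so the check is on #result, never result == 1), and the stored password is sha256(salt..password) followed by the salt, as in the post above. It assumes an MTA:SA server-side script with a dbConnect handle named userdata_db and a table accounts(name, password); those names, and the /girisyap usage text, are assumptions.

```lua
-- Added example (not from the thread): minimal register/login pair for an MTA:SA server.
-- Assumed: `userdata_db` is a dbConnect handle and the table is `accounts(name, password)`.
local SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

-- Random per-account salt. math.random is not a cryptographic generator, but MTA's Lua
-- exposes nothing stronger; the salt's job here is to make identical passwords hash differently.
local function makeSalt(length)
    local out = {}
    for i = 1, length do
        local n = math.random(1, #SALT_CHARS)
        out[i] = SALT_CHARS:sub(n, n)
    end
    return table.concat(out)
end

-- Stored form: the 64 hex chars of sha256(salt .. password), then the salt itself.
local function hashPassword(password)
    local salt = makeSalt(16)
    return sha256(salt .. password) .. salt
end

-- Recompute the digest with the stored salt and compare it to the stored digest.
local function verifyPassword(password, stored)
    local digest, salt = string.sub(stored, 1, 64), string.sub(stored, 65)
    return sha256(salt .. password) == digest
end

-- Registration writes the salted hash, never the clear-text password.
local function registerAccount(username, password)
    return dbExec(userdata_db, "INSERT INTO `accounts` (`name`, `password`) VALUES (?, ?)",
                  username, hashPassword(password))
end

-- /girisyap <username> <password>: fetch the row by name only, then verify the hash in Lua.
function sqlGiris(player, command, username, password)
    if not username or not password or username == "" or password == "" then
        outputChatBox("Usage: /girisyap <username> <password>", player)
        return
    end
    local query = dbQuery(userdata_db, "SELECT `password` FROM `accounts` WHERE `name`=? LIMIT 1", username)
    local result = dbPoll(query, -1)  -- a table of rows (possibly empty), or false on error
    if result and #result == 1 and verifyPassword(password, result[1].password) then
        outputDebugString("Giris Basarili.")   -- login confirmed
    else
        -- same message for "no such user" and "wrong password", so usernames cannot be enumerated
        outputDebugString("Giris Basarisiz.")  -- login error
    end
end
addCommandHandler("girisyap", sqlGiris)
```

On MTA builds that ship passwordHash and passwordVerify (bcrypt), those are the better choice over a hand-rolled salted sha256, because bcrypt is deliberately slow against brute forcing.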
Asokanta, posted March 18, 2017:

I know :Oing md5 and others. I said I need to check data using username and password; I'm not talking about security. Help or don't help. Now, get out of my post. If any person can hack my server I'll give the passwords and usernames directly.
3aGl3, posted March 18, 2017:

5 hours ago, Asokanta said:
> I know :Oing md5 and others. I said I need to check data using username and password; I'm not talking about security. Help or don't help. Now, get out of my post. If any person can hack my server I'll give the passwords and usernames directly.

Sure, I posted you a fully working login function as well as pointing out numerous things that could simplify your script. If that doesn't help you, maybe consider letting scripting go. Also... my mobile phone can crack md5 within seconds; it's unsafe too.
Syntrax#, posted March 18, 2017:

6 minutes ago, 3aGl3 said:
> Sure, I posted you a fully working login function as well as pointing out numerous things that could simplify your script. If that doesn't help you, maybe consider letting scripting go. Also... my mobile phone can crack md5 within seconds; it's unsafe too.

That's why IPB is using the blowfish method. Combine the md5 encrypted password and a random md5 encrypted security code you can choose, and encrypt that then. Then you get the final result of it. If that's done then the code has to be the same on the MySQL database. If yes, then you log in.

    local SecurityCode = "SecurityIsNotGrantedWithoutThisStringBeingEncypted"
    local password = "Blowfish" -- Currently just to have a password

    function EncryptPassWord()
        local Licensepass = md5( md5(SecurityCode) .. "" .. md5(password) )
        outputDebugString( "The password on the mysql database is: " .. Licensepass )
    end

Nobody will have a method to open this unless they got the SecurityCode. So encrypt your files so they can't get the security code.
3aGl3, posted March 18, 2017:

No, no, no, no. md5 is insecure, period! MTA offers sha256 and you should use it. I don't want to get too lengthy about it, but you can read this if you want to get more info on password security. Or just google "how to password security" or something... just don't think it's a joke. User data is sensitive data, even more so if you save something like players' mail addresses as well.
Syntrax#, posted March 21, 2017:

On 18-3-2017 at 13:09, 3aGl3 said:
> No, no, no, no. md5 is insecure, period! MTA offers sha256 and you should use it. I don't want to get too lengthy about it, but you can read this if you want to get more info on password security. Or just google "how to password security" or something... just don't think it's a joke. User data is sensitive data, even more so if you save something like players' mail addresses as well.

Encrypted license key and encrypted password and then combining it is nearly impossible to crack. It will take around months in order to just crack one, and if the license key is around 30 numbers and characters then it's taking years to crack (except if you have a NASA supercomputer at your service). Try to decrypt this to prove your point: eb8b688620854ae06894ddd97baa219a
3aGl3, posted March 21, 2017:

1 hour ago, Syntrax# said:
> Encrypted license key and encrypted password and then combining it is nearly impossible to crack. It will take around months in order to just crack one, and if the license key is around 30 numbers and characters then it's taking years to crack (except if you have a NASA supercomputer at your service). Try to decrypt this to prove your point: eb8b688620854ae06894ddd97baa219a

Given that I have no experience and/or interest in cracking hashes etc., and that I really don't want to argue this out, I'll just say this: whatever. Have it your way. That doesn't change the fact that md5 should be considered insecure and that choosing md5 for encrypting passwords is like choosing a lower quality product because of habit instead of a better one that would have the same price...
pa3ck, posted March 21, 2017:

It's not like he is developing something for NASA, but still, he might as well choose the best option available. It's a known fact that MD5 is insecure because of the collisions. "A collision is when two different inputs create the same output. As a result, maybe both "hunter2" and "password" will work on my account. That's not normally a problem, as the chance of a collision is extremely rare, but when brute forcing is applied, collisions make it much easier to crack a valid password (it might not be the same password you used, but it'll work the same)." MD5 is much faster than sha256, making it even easier to hack by brute forcing.

Source: https://www.reddit.com/r/explainlikeimfive/comments/1f869t/eli5_why_is_md5_considered_the_most_secure/
Citizen (Moderator), posted March 22, 2017:

On 16/03/2017 at 15:35, Asokanta said:
> It says login confirmed when I use the command with arguments like username and password.

If you do it the same way in your original function but it always says "login error", my guess is that the username and/or password values are not correct. Did you try to print the value of those variables before calling dbQuery? Are they correct? You can also try to log the queries with debugdb 2. Come back with the results of your tests.
Asokanta, posted March 25, 2017:

Dude, I have a database with data in it; I used print on them. I need to check "username" and "password"; md5 or sha256 isn't important for me now.