AriusII Posted March 25, 2019

Hello everyone!

I'm doing a little project for this community: a website for your own game server! This CMS uses my own base code from my other game-website CMSs and works like a charm; I just edited it to make it work with Intersect / MySQL (and maybe SQLite too, if I'm motivated to do the SQLite JDBC connection).

But I'm a bit frustrated about something. I have a problem with my login form (B-E code), specifically with the password hashing result.

If my password in clear is: Dragon123
and my salt is: 357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188
it makes the string to hash like this: Dragon123357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188
Right?

My Password column tells me the result is: 7DE02F71146E0BA0B33BFB7BBA8C99A258DEEF71FD83C401F5CD240C2A1F8352

I tried going here: https://passwordsgenerator.net/sha256-hash-generator/ and entering my clear password + salt (cf.: Dragon123357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188) and got a different hash: 309407CFBF0798BB31795E88384B4482F2A296C54CA1FEB8AD52A7AFCA5B0CCA

You can try it, and you can see it's not the same result / hash.

So that's my first problem, and after reading the docs by @jcsnider (https://www.freemmorpgmaker.com/docs/en/Advanced_Topics/Database.html) there's no doubt about the password encryption... It's in PHP/PDO.

Here is my page for the connection (it checks whether the values are correct so the user can log on to the site):

    <?PHP
    if(isset($_POST['submit']) && ($_POST['submit']=="login" || $_POST['submit']=="LOGIN" || $_POST['submit']=="Login"))
    {
        if(!empty($_POST['userid']) && !empty($_POST['userpass']) && checkAnum($_POST['userid']) && checkAnum($_POST['userpass']))
        {
            // I prepare my SELECT for the SQL command; ':name' is my PDO variable for the execute command, for more security.
            $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Salt,Password,Email,Web_Admin
                                          FROM users
                                          WHERE Name = :name');
            $stmt->execute(['name' => $_POST['userid']]);
            // Get the matching row, if any (false when nothing matches).
            // Fetched once: a second fetch on the same statement would return false.
            $fetch = $stmt->fetch(PDO::FETCH_ASSOC);
            if ($fetch !== false)
            {
                // Try to hash my clear password (entered in the web textbox) with my salt (we get the salt from the fetch) in SHA256.
                $hash = hash('sha256', $_POST['userpass'].$fetch['Salt']);
                // Compare my new hash with the password hash stored in the database.
                if ($hash === $fetch['Password'])
                {
                    echo 'Work!!!!'; // Tried to see if connected ... // Connected
                    // Start a session for other settings ...
                    $_SESSION['user_id'] = $fetch['Id'];
                    $_SESSION['user_name'] = $fetch['Name'];
                    $_SESSION['user_admin'] = $fetch['Web_Admin'];
                    $_SESSION['user_email'] = $fetch['Email'];
                    // Bound parameters for the UPDATE as well, instead of string concatenation.
                    $updateIP = $SQL_PLAYER->prepare('UPDATE users SET Web_Ip = :ip WHERE Id = :id');
                    $updateIP->execute(['ip' => $_SERVER['REMOTE_ADDR'], 'id' => $fetch['Id']]);
                }
            }
        }
    }

And as you can see, I do the same procedure... but it's not working. Does someone know why?

- Arius

jcsnider Posted March 25, 2019

The pass field in the database uses a hashed pass and not a plain text pass.

SHA256 (Hashed Pass + Salt)

As for getting PHP's hashing to work exactly like C#'s, I don't have a perfect answer off the top of my head at this moment. I'll play with this some and follow up soon.

AriusII Posted March 25, 2019

Ohhhh! OK, thanks! Sorry! I thought it was plain text pass + Salt, but you do two conversions.

Sha256 + PlainText = hash1
Hash1+Salt = hash2 = Password.

It's done!

jcsnider Posted March 25, 2019

You got it to work?

AriusII Posted March 25, 2019

Yeah, it's working... I just needed to do some conversions:

    <?PHP
    if(isset($_POST['submit']) && ($_POST['submit']=="login" || $_POST['submit']=="LOGIN" || $_POST['submit']=="Login"))
    {
        if(!empty($_POST['userid']) && !empty($_POST['userpass']) && checkAnum($_POST['userid']) && checkAnum($_POST['userpass']))
        {
            $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Salt,Password,Email,Web_Admin
                                          FROM users
                                          WHERE Name = :name');
            $stmt->execute(['name' => $_POST['userid']]);
            $fetch = $stmt->fetchObject(); // false when no user has this name
            if ($fetch !== false)
            {
                // Stored value is UPPER(SHA256(UPPER(SHA256(password)) . Salt)).
                $hash1 = hash('sha256', $_POST['userpass']);
                $hash = hash('sha256', strtoupper($hash1).$fetch->Salt);
                // hash_equals() is constant-time and always compares as strings;
                // "==" compares numeric-looking strings such as "0E12..." as numbers.
                if (hash_equals((string)$fetch->Password, strtoupper($hash)))
                {
                    $_SESSION['user_id'] = $fetch->Id;
                    $_SESSION['user_name'] = $fetch->Name;
                    $_SESSION['user_admin'] = $fetch->Web_Admin;
                    $_SESSION['user_email'] = $fetch->Email;
                    // Bound parameters for the UPDATE as well, instead of string concatenation.
                    $updateIP = $SQL_PLAYER->prepare('UPDATE users SET Web_Ip = :ip WHERE Id = :id');
                    $updateIP->execute(['ip' => $_SERVER['REMOTE_ADDR'], 'id' => $fetch->Id]);
                }
            }
        }
    }

    if(empty($_SESSION['user_id']))
    {
        unset($_SESSION['user_id']);
        unset($_SESSION['user_name']);
        unset($_SESSION['user_admin']);
        unset($_SESSION['user_email']);
    }
    else
    {
        // Re-check on every page that the session's user still matches the IP recorded at login.
        $stmt = $SQL_PLAYER->prepare('SELECT Id,Name,Password,Salt,Email,Web_Admin
                                      FROM users
                                      WHERE Web_Ip = :ip
                                      AND Id = :id');
        $stmt->execute(['ip' => $_SERVER['REMOTE_ADDR'],'id' => $_SESSION['user_id']]);
        $stmt_r = $stmt->rowCount();
        if($stmt_r>0)
        {
            $getAdmin = $stmt->FetchObject();
            $_SESSION['user_id'] = $getAdmin->Id;
            $_SESSION['user_name'] = $getAdmin->Name;
            $_SESSION['user_admin'] = $getAdmin->Web_Admin;
            $_SESSION['user_email'] = $getAdmin->Email;
        }
        else
        {
            unset($_SESSION['user_id']);
            unset($_SESSION['user_name']);
            unset($_SESSION['user_admin']);
            unset($_SESSION['user_email']);
        }
    }

Here is a gif as an example: https://i.imgur.com/JQasyyF.gifv

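Added example, not part of the original posts: a small PHP diagnostic that tries the constructions discussed in this thread against a stored hash and reports which one reproduces it, which shows why the case of the inner hex digest matters when porting between C# and PHP. The function names and the constructed test account are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/** Candidate constructions; every result is upper-case hex, like the Password column. */
function candidate_hashes(string $plain, string $salt): array
{
    $h1 = hash('sha256', $plain); // PHP's hash() returns lower-case hex
    return [
        'SHA256(plain . salt)'                => strtoupper(hash('sha256', $plain . $salt)),
        'SHA256(lower(SHA256(plain)) . salt)' => strtoupper(hash('sha256', $h1 . $salt)),
        'SHA256(upper(SHA256(plain)) . salt)' => strtoupper(hash('sha256', strtoupper($h1) . $salt)),
    ];
}

/** Label of the construction that reproduces $stored, or null if none does. */
function find_construction(string $plain, string $salt, string $stored): ?string
{
    foreach (candidate_hashes($plain, $salt) as $label => $hex) {
        // hash_equals(): constant-time, and never treats "0E..." strings as numbers
        if (hash_equals(strtoupper($stored), $hex)) {
            return $label;
        }
    }
    return null;
}

// Constructed test account (not from the thread), stored the way the
// working login code in the post above computes it.
$salt   = strtoupper(bin2hex(random_bytes(32)));
$stored = strtoupper(hash('sha256', strtoupper(hash('sha256', 'example-pass')) . $salt));
var_dump(find_construction('example-pass', $salt, $stored)); // right password
var_dump(find_construction('wrong-pass', $salt, $stored));   // wrong password

// Values quoted in the first post of the thread.
var_dump(find_construction(
    'Dragon123',
    '357EF1FF2A9A5EAF893CBCE985FE667ACB1547669761E7CDBD0483DC43E0C188',
    '7DE02F71146E0BA0B33BFB7BBA8C99A258DEEF71FD83C401F5CD240C2A1F8352'
));
```
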
AriusII Posted March 26, 2019

#Request Close / Delete Thread?

Reason: I would like to do a correct thread about this; More Organised.