Where is login details in MySQL database?

Started by General Xbox Gaming, August 28, 2014, 09:47:07 PM

General Xbox Gaming

I'm trying to set up a login return .php file that can get the SHA1 Salt entry for a user from the MySQL database to download as a String in my C# application and compare it to the user's entry for username and password after it has been through SHA1 Salt in my application to compare and login if the two strings match.

I need either a .php script to return the SHA1 Salted information compared to username or the location in the MySQL database.

Thanks.

Ninja ZX-10RR

I had the same problem dude ;) http://www.simplemachines.org/community/index.php?topic=520741.0 this might help you. If you have a bit of knowledge in C# you will be able to call it and use it successfully.
By the way this is the wrong section ;)
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me, you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

General Xbox Gaming

I forgot to ask: how do you see what usergroup they are in from a username?

Edit: your topic doesn't have the solution I was looking for.
How do you get the information from the MySQL database? (Where is it all located)

Ninja ZX-10RR

Dude just look at the column names :/ username is "member_name" and password is "passwd", you will have to call those 2 ones from the table smf_members :)

Quote from: General Xbox Gaming on August 28, 2014, 09:57:31 PM
I forgot to ask: how do you see what usergroup they are in from a username?
There is also the column "id_group" ;)

General Xbox Gaming

I found it, smf_forummembers

How do you look for a person's username and password salt? I can't search the database externally yet and have no clue how I look at it to compare credentials. I'm an absolute beginner with MySQL.

Arantor

You do *NOT* connect the forum database to the raw unfiltered internet. That's absolutely asking to be hacked.

Ninja ZX-10RR

Not if you allow an external program in C# to be the only thing that can access it. Basically that's what online games do.
As regards how to look for them I think that you should do that in C#, as it was my colleague to do the final part I can't go into details, I just know that he made it after much swearing and days spent on tutorials and bugging me with "upload this upload that delete this do that etc" xD I'll update you later on if I can reach him since he is being quite much offline, I'll bug him on Whatsapp.
I'll let you know ;)

General Xbox Gaming

Quote from: ♦ Ninja ZX-10RR ♦ on August 29, 2014, 12:03:52 AM
Not if you allow an external program in C# to be the only thing that can access it. Basically that's what online games do.
As regards how to look for them I think that you should do that in C#, as it was my colleague to do the final part I can't go into details, I just know that he made it after much swearing and days spent on tutorials and bugging me with "upload this upload that delete this do that etc" xD I'll update you later on if I can reach him since he is being quite much offline, I'll bug him on Whatsapp.
I'll let you know ;)
Thank you. Can you provide the function on how to SHA1 Salt the Password please? The example I found on here doesn't work for some reason.

i.e. this...
public static string HashCode(string str)
{
    System.Text.ASCIIEncoding encoder = new System.Text.ASCIIEncoding();
    byte[] buffer = encoder.GetBytes(str);
    SHA1CryptoServiceProvider cryptoTransformSHA1 = new SHA1CryptoServiceProvider();
    string hash = BitConverter.ToString(cryptoTransformSHA1.ComputeHash(buffer)).Replace("-", "");

    return hash;
}


This works 100%
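using System;
using System.Security.Cryptography;
using System.Text;

// Returns the SHA-1 digest of the text as an uppercase hex string
public static string CalculateSHA1(string text, Encoding enc)
{
    byte[] buffer = enc.GetBytes(text);
    SHA1CryptoServiceProvider cryptoTransformSHA1 = new SHA1CryptoServiceProvider();
    string hash = BitConverter.ToString(cryptoTransformSHA1.ComputeHash(buffer)).Replace("-", "");

    return hash;
}

private void bSalt_Click(object sender, EventArgs e)
{
    // Hash the lowercased user name followed by the password, then lowercase the hex digest
    tBresult.Text = CalculateSHA1(tBusername.Text.ToLower() + tBpass.Text, ASCIIEncoding.ASCII).ToLower();
}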

I worked it out in the end.

Ninja ZX-10RR

Awesome :D be careful though because if you don't do it well you can get hacked really easily as "♥" pointed out ;)
Anyway if you sorted it out please mark the topic as solved by pressing the button in the left bottom of the page so that the team won't spend time on it :)

Kindred

just FYI... the table is USUALLY called smf_members, not smf_forummembers
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Ninja ZX-10RR

Quote from: ♦ Ninja ZX-10RR ♦ on August 28, 2014, 10:21:37 PM
you will have to call those 2 ones from the table smf_members :)
Indeed I said that :) I believe that his was a typo or distraction or something like that as if he found it it must have been the correct table lol

General Xbox Gaming

Well I have this but it always returns: "true"

<?php

// Grab user-submitted information
$user = $_POST["user"];
$pass = $_POST["pass"];

// Connect to the database
$con = mysql_connect("localhost", "db_forum", "<password>");

// Make sure we connected successfully
if (!$con)
{
    die('Connection Failed' . mysql_error());
}

// Select the database to use
mysql_select_db("db_forum", $con);

$result = mysql_query("SELECT member_name, passwd FROM smf_forummembers WHERE member_name = $user");

$row = mysql_fetch_array($result);

if ($row["member_name"] == $user && $row["passwd"] == $pass)
    echo "true";
else
    echo "false";

?>

General Xbox Gaming

Quote from: ♦ Ninja ZX-10RR ♦ on August 29, 2014, 07:35:50 PM
Quote from: ♦ Ninja ZX-10RR ♦ on August 28, 2014, 10:21:37 PM
you will have to call those 2 ones from the table smf_members :)
Indeed I said that :) I believe that his was a typo or distraction or something like that as if he found it it must have been the correct table lol
It's because the database is called db_forum it's named smf_forummembers.

Kindred

Just out of curiosity, why are you not using the smf db function?

The function you are using does not clean the input and thus is potentially insecure.

Arantor

Sending the password in SHA1 yourself is probably a bad idea. It doesn't give you any protection whatsoever. Use SSL for that and be done with it.

Your query also has a very blatant SQL injection and may even get some usernames wrong. It's not 'potentially' insecure, it IS insecure.

I need to finish stuff first then I'll write you a proper one.

Ninja ZX-10RR

Mine is this one:

<?php

include 'conf/connection.php';

$username = $_POST['member_name'];
$password = $_POST['passwd'];
// SHA-1 of the lowercased user name followed by the password
$sha1pass = sha1(strtolower($username) . $password);

if ($username != "" || $sha1pass != "")
{
    $sql = "SELECT member_name, passwd FROM smf_members WHERE member_name = '".$username."' AND passwd = '".$sha1pass."'";
    $query = mysql_query($sql);
    $ar = mysql_fetch_array($query);

    if ($username == $ar['member_name'] && $sha1pass == $ar['passwd'])
    {
        echo $ar['id_member'];
    }
    else
    {
        echo "error";
    }
}
else
{
    echo "errorEmpty";
}

?>

Arantor

Also insecure for the same reason. And has the same bug with respect to improper handling of usernames.

Not to mention mysql_fetch_array is the wrong thing to use on top of that too (should be mysql_fetch_assoc in that situation)

Oh and your routine won't work properly since you only select member_name and passwd from smf_members, and then expect it to have an id_member attribute that wasn't selected from the database.

Not to mention the fact that you're giving miscreants a nice cheap way to brute-force accounts since you're also not using SMF's spamProtection() routine as a flood controller.

Ninja ZX-10RR

It is used to login in a game so you can't really spam there I think.... While the id? Couldn't care less lol I need to login that's it, the id is not necessary as the game can associate the user with the username only to login.
About the security... Well it's my colleague who coded that thing but he doesn't have the same experience that you have :( if you can do it better for both of us then I think that I can talk for General Xbox Gaming as well and tell you that we would appreciate it very much. >_<

Arantor

Quote: It is used to login in a game so you can't really spam there I think....

Of course it can. It's publicly accessible on the internet.

Quote: While the id? Couldn't care less lol I need to login that's it, the id is not necessary as the game can associate the user with the username only to login.

Considering that your script outputs the id, it would kind of be useful to get that in the query in the first place.

Quote: About the security... Well it's my colleague who coded that thing but he doesn't have the same experience that you have

Preventing SQL injections is pretty much basic practice for any web development.

I will look at it once I have my other stuff done.

General Xbox Gaming

Quote from: ♥ on August 29, 2014, 09:31:29 PM
Sending the password in SHA1 yourself is probably a bad idea. It doesn't give you any protection whatsoever. Use SSL for that and be done with it.

Your query also has a very blatant SQL injection and may even get some usernames wrong. It's not 'potentially' insecure, it IS insecure.

I need to finish stuff first then I'll write you a proper one.
Thank you so much.
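
The points raised in the replies above (bound parameters instead of string concatenation, selecting id_member before returning it, and a limit on repeated attempts) can be put together as follows. This is an added example, not part of the original thread and not SMF's own code. It assumes PDO with an in-memory SQLite table as a constructed stand-in for smf_members, and a hypothetical login_attempts table and limits in place of SMF's spamProtection():

```php
<?php
// Constructed in-memory stand-in for the forum database (assumption, not SMF's schema file).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY, member_name TEXT, passwd TEXT, id_group INTEGER)');
$db->exec('CREATE TABLE login_attempts (ip TEXT, at INTEGER)'); // hypothetical table

// Constructed sample account, hashed the way the thread describes:
// sha1(strtolower(member_name) . password)
$seed = $db->prepare('INSERT INTO smf_members (member_name, passwd, id_group) VALUES (?, ?, ?)');
$seed->execute(["O'Brien", sha1(strtolower("O'Brien") . 'correct horse'), 0]);

const MAX_ATTEMPTS = 5;   // assumed limit per client address
const WINDOW_SECS  = 300; // assumed counting window in seconds

/** Returns id_member on success, null on bad credentials or when throttled. */
function check_login(PDO $db, string $ip, string $user, string $pass, ?int $now = null): ?int
{
    $now = $now ?? time();

    // Flood control: refuse once this address has used up its attempts.
    $recent = $db->prepare('SELECT COUNT(*) FROM login_attempts WHERE ip = ? AND at > ?');
    $recent->execute([$ip, $now - WINDOW_SECS]);
    if ((int) $recent->fetchColumn() >= MAX_ATTEMPTS) {
        return null;
    }
    $db->prepare('INSERT INTO login_attempts (ip, at) VALUES (?, ?)')->execute([$ip, $now]);

    // Bound parameter: the user name is passed as data and never becomes SQL text,
    // so a name containing an apostrophe is looked up literally.
    // id_member is selected because it is the value handed back to the caller.
    $stmt = $db->prepare('SELECT id_member, member_name, passwd FROM smf_members WHERE member_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Hash with the name as stored, then compare in constant time.
    $candidate = sha1(strtolower($row['member_name']) . $pass);
    return hash_equals($row['passwd'], $candidate) ? (int) $row['id_member'] : null;
}

var_dump(check_login($db, '192.0.2.10', "O'Brien", 'correct horse'));
var_dump(check_login($db, '192.0.2.10', "O'Brien", 'wrong password'));
```

The password reaches the script in plain form and is hashed server-side, so the request itself has to travel over SSL, as the reply above recommends.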
