kevinsmith23
vb.net md5 hash help
I am currently writing a messenger that will connect to a database and check login credentials against the ones they signed up with. Everything works great as long as I log into phpmysql, copy the md5 hash password, and enter it to log in to the messenger. So my question is: can someone help me make it so that, say the user's password is "password", they can type it in and either it encrypts it correctly or does some kind of comparison to make sure that they typed the correct password? This way the users never see the md5 or have to memorize it or anything like that.
Thanks in advance.
Can you show the code that actually executes the query. The reason I ask is that I suspect you're not using parameters in the query, which would mean that what is actually being compared is MD5(NULL).
I'd suggest using something like this, assuming that you're using the MySql Connector.
'' Requires: Imports MySql.Data.MySqlClient
Dim StrSql As String = "SELECT * FROM `se_users` WHERE `user_email` = @email AND `user_password` = MD5(@password)"
Dim connString As String = "" '' Your connection string
Dim conn As New MySqlConnection(connString)
Dim comm As New MySqlCommand(StrSql, conn) '' Pass the connection object, not the connection string
'' Bind both values so they are sent as data, never concatenated into the SQL text
comm.Parameters.AddWithValue("@email", "nobody@nothing.com")
comm.Parameters.AddWithValue("@password", "mypassword")
'' Continue as normal
ASKER
OK, here it is, but I know I have horrible programming skills and need to use parameters, which I am trying to change my ways lol. Here is the code.
Dim dr As MySqlDataReader
Dim cmd As MySqlCommand
Dim StrSql As String
Dim connStr As String = "Database=xxxxx_xxxxx;" & _
    "Data Source=xxx.xxx.xxx.xxx;" & _
    "User Id=xxxxx_xxxxx;Password=xxxxx"
Dim con As New MySqlConnection(connStr)
If txtUserName.Text.Trim() = "" Or txtPassword.Text.Trim() = "" Then
    MsgBox("Please Enter User Name/Password...!")
    Exit Sub
End If
Try
    StrSql = "SELECT * FROM `se_users` WHERE `user_email`=" & txtUserName.Text.Trim() & "`user_password` = MD5(@password)"
    cmd = New MySqlCommand(StrSql, con)
    con.Open()
    dr = cmd.ExecuteReader()
    dr.Read()
    If dr.HasRows = False Then
        MsgBox("Invalid User Name and password...!", MsgBoxStyle.Critical)
        dr.Close()
        con.Close()
        Exit Sub
    End If
Catch ex As Exception
    MsgBox("Login Failed...! Please Check the Server Details...!", MsgBoxStyle.Critical)
    Exit Sub
End Try
If chkSavePassword.Checked = True Then
    My.Settings.UserSavedPassword = txtPassword.Text
    My.Settings.UserSavedUserName = txtUserName.Text.Trim()
Else
    My.Settings.UserSavedPassword = String.Empty
    My.Settings.UserSavedUserName = String.Empty
End If
CurrentUserID = dr("User_ID")
CurrentUserName = dr("user_username")
LoginStatus = True
dr.Close()
To be fair, there's nothing massively horrific in what you're doing, apart from not using parameters (which you're attempting to correct), and you're calling Trim() multiple times on the same string, rather than.
So, all you have to do is incorporate the code from my previous post, rather than using the values inlined in the SQL command. As I suspected, without @password being initialised, NULL is being hashed and compared.
Also, I doubt the query you've been using would actually execute as the email value doesn't appear to be in quotes.
Hopefully it should be obvious as to how my example should be incorporated into yours, especially as you're using the MySql Connector.
Oops, that paragraph should read:
... and you're calling Trim() multiple times on the same string, rather than using a single instance of the email & password strings, calling Trim only a single time. It won't affect performance, but it's a good habit to get into.
ASKER
Gotcha thanks...
Now off to my trial and error lol, as that's pretty much all it has been getting my previous code to semi work lol. Now to restructure it, oh boy lol
thanks.
ASKER
To an edited version of what you showed me. However, can you please tell me how the md5 of this works, or if I need an encryption string? If so, all the md5 encryption strings I have found never match any of the hashed passes in phpmysql
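An added example, not part of the original thread: reproducing MySQL's MD5() output in VB.NET and checking which client-side variant matches a stored value. MD5 is an unkeyed digest, so no "encryption string" is involved; mismatches usually come from the text encoding, stray whitespace, or the output format. The module and function names are hypothetical, the stored hash is a constructed sample, and a UTF-8 connection character set is assumed.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module Md5Compare
    ' Hex-encode an MD5 digest the way MySQL's MD5() returns it:
    ' 32 lowercase hexadecimal characters.
    Function Md5Hex(data As Byte()) As String
        Using hasher As MD5 = MD5.Create()
            Dim sb As New StringBuilder(32)
            For Each b As Byte In hasher.ComputeHash(data)
                sb.Append(b.ToString("x2"))
            Next
            Return sb.ToString()
        End Using
    End Function

    ' Try the usual client-side variants in a fixed order and report
    ' which one equals the value stored in the user_password column.
    Function FindMatchingVariant(password As String, storedHash As String) As String
        Dim names As String() = {
            "UTF-8 bytes",
            "UTF-16 bytes (Encoding.Unicode)",
            "UTF-8 bytes after Trim()"}
        Dim hashes As String() = {
            Md5Hex(Encoding.UTF8.GetBytes(password)),
            Md5Hex(Encoding.Unicode.GetBytes(password)),
            Md5Hex(Encoding.UTF8.GetBytes(password.Trim()))}
        For i As Integer = 0 To names.Length - 1
            ' Hex case is not significant, so compare case-insensitively.
            If String.Equals(hashes(i), storedHash.Trim(), StringComparison.OrdinalIgnoreCase) Then
                Return names(i)
            End If
        Next
        Return "no match"
    End Function

    Sub Main()
        ' Constructed sample: the MD5 of the literal string "password".
        Dim stored As String = "5f4dcc3b5aa765d61d8327deb882cf99"
        Console.WriteLine(Md5Hex(Encoding.UTF8.GetBytes("password")))
        Console.WriteLine(FindMatchingVariant("password", stored))
        ' A trailing space changes the digest unless the input is trimmed first.
        Console.WriteLine(FindMatchingVariant("password ", stored))
    End Sub
End Module
```

With the parameterized query shown earlier, MD5(@password) is computed by the server and none of this is needed on the client; hashing locally only matters when the comparison is done in application code.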