vb.net md5 hash help

I am currently writing a messenger that will connect to a database and check login credentials against those they signed up with. Everything works great as long as I log into phpmysql, copy the MD5 hash of the password and enter it to log in to the messenger. So my question is, can someone help me make it so that, say the user's password is "password", they can type it in and either it encrypts it correctly or does some kind of comparison to make sure that they typed the correct password? This way the users never see the MD5 hash or have to memorize it or anything like that.

Thanks in advance.
kevinsmith23 Asked:

oobayly Commented:
The easiest way would be to compare the password on the server in the MySql query. Personally, I'd change two things: first, use SHA rather than MD5. Also use a salt; this way two identical passwords will have different hashes. The client never knows what the salt is.
I tend to use 4 random bytes as a salt and store it in a BINARY field; however, you could simply use a few ASCII chars for simplicity.

Both queries assume you add username & password parameters to the command.
SELECT `username`, `status` FROM `users`
WHERE `username` = @username AND `password` = MD5(@password)
 
# With SHA & a Salt, assuming it's stored in a field called salt
SELECT `username`, `status` FROM `users`
WHERE `username` = @username AND `password` = SHA(CONCAT(`salt`, @password))



kevinsmith23 (Author) Commented:
So I have changed what I had
to an edited version of what you showed me. However, can you please tell me how the MD5 of this works, or if I need an encryption string? If so, all the MD5 encryption strings I have found never match any of the hashed passwords in phpmysql.


' My old line
StrSql = "Select * From se_users Where user_email='" & txtUserName.Text.Trim() & "' And user_password='" & txtPassword.Text & "'"

' Yours, as I edited it
StrSql = "SELECT * FROM `se_users` WHERE `user_email`=" & txtUserName.Text.Trim() & "`user_password` = MD5(@password)"


oobayly Commented:
Can you show the code that actually executes the query? The reason I ask is that I suspect you're not using parameters in the query, which would mean that what is actually being compared is MD5(NULL).

I'd suggest using something like this, assuming that you're using the MySql Connector.
Dim StrSql As String = "SELECT * FROM `se_users` WHERE `user_email` = @email AND `user_password` = MD5(@password)"
Dim connString As String = "" ' Your connection string

Dim conn As New MySqlConnection(connString)

' The command takes the connection object, not the connection string
Dim comm As New MySqlCommand(StrSql, conn)
' The values are bound to @email and @password; they are never spliced into the SQL text
comm.Parameters.AddWithValue("@email", "nobody@nothing.com")
comm.Parameters.AddWithValue("@password", "mypassword")

' Continue as normal



kevinsmith23 (Author) Commented:
OK, here it is, but I know I have horrible programming skills and need to use parameters, which I am trying to change my ways on, lol. Here is the code.


Dim dr As MySqlDataReader
Dim cmd As MySqlCommand
Dim StrSql As String
Dim connStr As String = "Database=xxxxx_xxxxx;" & _
    "Data Source=xxx.xxx.xxx.xxx;" & _
    "User Id=xxxxx_xxxxx;Password=xxxxx"
Dim con As New MySqlConnection(connStr)

If txtUserName.Text.Trim() = "" Or txtPassword.Text.Trim() = "" Then
    MsgBox("Please Enter User Name/Password...!")
    Exit Sub
End If
Try
    StrSql = "SELECT * FROM `se_users` WHERE `user_email`=" & txtUserName.Text.Trim() & "`user_password` = MD5(@password)"
    cmd = New MySqlCommand(StrSql, con)
    con.Open()
    dr = cmd.ExecuteReader()
    dr.Read()
    If dr.HasRows = False Then
        MsgBox("Invalid User Name and password...!", MsgBoxStyle.Critical)
        dr.Close()
        con.Close()
        Exit Sub
    End If
Catch ex As Exception
    MsgBox("Login Failed...! Please Check the Server Details...!", MsgBoxStyle.Critical)
    Exit Sub
End Try

If chkSavePassword.Checked = True Then
    My.Settings.UserSavedPassword = txtPassword.Text
    My.Settings.UserSavedUserName = txtUserName.Text.Trim()
Else
    My.Settings.UserSavedPassword = String.Empty
    My.Settings.UserSavedUserName = String.Empty
End If
CurrentUserID = dr("User_ID")
CurrentUserName = dr("user_username")
LoginStatus = True
dr.Close()


oobayly Commented:
To be fair, there's nothing massively horrific in what you're doing, apart from not using parameters (which you're attempting to correct), and you're calling Trim() multiple times on the same string, rather than.

So, all you have to do is incorporate the code from my previous post, rather than using the values inlined in the SQL commands. As I suspected, without @password being initialised, NULL is being hashed and compared.
Also, I doubt the query you've been using would actually execute as the email value doesn't appear to be in quotes.

Hopefully it should be obvious as to how my example should be incorporated into yours, especially as you're using the MySql Connector.
oobayly Commented:
Oops, that paragraph should read:
... and you're calling Trim() multiple times on the same string, rather than using a single instance of the email & password strings, calling Trim only a single time. It won't affect performance, but it's a good habit to get into.
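The login routine from the author's post, rewritten to follow the advice in the answers above (parameters instead of string concatenation, a single Trim, and the salted SHA query from the first answer). This is an added example, not code from either participant; it assumes the MySQL Connector/NET (MySql.Data) library and a hypothetical `salt` column in `se_users` holding the per-user salt.

```vbnet
' Added example: parameterised login against se_users with a server-side salted SHA check.
' Assumes MySql.Data (MySQL Connector/NET) and a hypothetical `salt` column in se_users.
Imports MySql.Data.MySqlClient

Module LoginExample
    ' Returns the user's ID on success, or Nothing when the credentials do not match.
    Function TryLogin(connStr As String, email As String, password As String) As Integer?
        ' Trim once and reuse the trimmed value below, as suggested in the thread.
        Dim trimmedEmail As String = email.Trim()
        If trimmedEmail = "" OrElse password = "" Then Return Nothing

        ' The server hashes salt + password and compares it with the stored hash,
        ' so the client never sees the hash or the salt.
        Dim sql As String =
            "SELECT `User_ID` FROM `se_users` " &
            "WHERE `user_email` = @email " &
            "AND `user_password` = SHA(CONCAT(`salt`, @password))"

        Using con As New MySqlConnection(connStr)
            Using cmd As New MySqlCommand(sql, con)
                ' Bound parameters travel separately from the SQL text; no quoting by the caller,
                ' and @password is never left uninitialised (the MD5(NULL) problem above).
                cmd.Parameters.AddWithValue("@email", trimmedEmail)
                cmd.Parameters.AddWithValue("@password", password)
                con.Open()
                ' ExecuteScalar returns Nothing when no row matched.
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return Convert.ToInt32(result)
            End Using
        End Using
    End Function
End Module
```

The caller decides what to do with the returned ID (set CurrentUserID, show the "Invalid User Name and password" message, and so on), so the UI code stays separate from the query.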
kevinsmith23 (Author) Commented:
Gotcha thanks...

Now off to my trial and error, lol, as that's pretty much all it has been getting my previous code to semi-work, lol. Now to restructure it, oh boy, lol.

thanks.