kevinsmith23

vb.net md5 hash help

I am currently writing a messenger that will connect to a database and check login credentials against the ones they signed up with. Everything works great as long as I log into phpmysql and copy the MD5 hash password and enter it to log in to the messenger. So my question is, can someone help me to make it so, say, the user's password is "password", they can type it in but either it encrypts it correctly or does some kind of comparison to make sure that they typed the correct password? This way the users never see the MD5 or have to memorize it or anything like such.

Thanks in advance.
ASKER CERTIFIED SOLUTION
oobayly

kevinsmith23

ASKER

So I have changed what I had to an edited version of what you showed me. However, can you please tell me how the MD5 of this works, or if I need an encryption string? If so, all the MD5 encryption strings I have found never match any of the hashed passes in phpmysql.


' My old line
StrSql = "Select * From se_users Where user_email='" & txtUserName.Text.Trim() & "' And user_password='" & txtPassword.Text & "'"

' Your line as I edited it
StrSql = "SELECT * FROM `se_users` WHERE `user_email`=" & txtUserName.Text.Trim() & "`user_password` = MD5(@password)"

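On the "encryption string" point: MD5 is a digest, not a keyed cipher, so there is no string to supply. MySQL's MD5() and PHP's md5() both hash the raw bytes of the text and print the 16-byte result as 32 lowercase hex characters; .NET's MD5 returns the bytes, and the usual reason a client-side value "never matches" is that it was encoded differently (uppercase or dash-separated hex, Base64, or UTF-16 bytes). The following is an added example, not code from this thread, that produces the same encoding as the database; the stored hash in it is a placeholder, and the comparison helper is a hypothetical name chosen here. Note that this reproduces the scheme the table already uses (unsalted MD5), it does not make that scheme any stronger.

```vbnet
' Added example (not from the thread): computes the MD5 hex digest the way
' MySQL's MD5() and PHP's md5() do, so a client-side result can be compared
' with the value stored in se_users.user_password.
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module Md5Compat

    ''' Returns the lowercase 32-character hex MD5 of the UTF-8 bytes of text.
    Public Function Md5Hex(ByVal text As String) As String
        ' MySQL MD5() and PHP md5() hash the bytes of the string and emit
        ' lowercase hex. Encoding.Unicode (UTF-16) would give a different
        ' digest for anything outside plain ASCII, so use UTF-8.
        Dim bytes As Byte() = Encoding.UTF8.GetBytes(text)
        Using hasher As MD5 = MD5.Create()
            Dim digest As Byte() = hasher.ComputeHash(bytes)
            ' BitConverter.ToString gives "5F-4D-..."; drop the dashes and lower-case it.
            Return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant()
        End Using
    End Function

    ''' Compares two hex digests without stopping at the first differing
    ''' character, so the time taken does not reveal how much matched.
    Public Function DigestsMatch(ByVal a As String, ByVal b As String) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function

    Sub Main()
        ' Constructed sample: what the user typed, and the value phpMyAdmin
        ' shows for that account (placeholder; read the real one from the table).
        Dim typed As String = "password"
        Dim storedHash As String = "<hash copied from se_users.user_password>"
        Console.WriteLine("client-side MD5: " & Md5Hex(typed))
        Console.WriteLine("matches stored : " & DigestsMatch(Md5Hex(typed), storedHash.ToLowerInvariant()))
    End Sub
End Module
```

Md5Hex("password") gives 5f4dcc3b5aa765d61d8327deb882cf99, which is exactly what `SELECT MD5('password')` returns in MySQL, so the two can be compared character for character. In practice the hashing is better left to the server, as in the parameterised query further down, which also keeps the digest bytes out of the client entirely.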

Can you show the code that actually executes the query? The reason I ask is that I suspect you're not using parameters in the query, which would mean that what is actually being compared is MD5(NULL).

I'd suggest using something like this, assuming that you're using the MySql Connector.
Imports MySql.Data.MySqlClient

Dim StrSql As String = "SELECT * FROM `se_users` WHERE `user_email` = @email AND `user_password` = MD5(@password)"
Dim connString As String = "" ' Your connection string

Dim conn As New MySqlConnection(connString)

' The command takes the connection object, not the connection string
Dim comm As New MySqlCommand(StrSql, conn)
comm.Parameters.AddWithValue("@email", "nobody@nothing.com")
comm.Parameters.AddWithValue("@password", "mypassword")

' Continue as normal


OK, here it is. I know I have horrible programming skills and need to use parameters, which I am trying to change my ways on, lol. Here is the code.


        Dim dr As MySqlDataReader
        Dim cmd As MySqlCommand
        Dim StrSql As String
        Dim connStr As String = "Database=xxxxx_xxxxx;" & _
        "Data Source=xxx.xxx.xxx.xxx;" & _
        "User Id=xxxxx_xxxxx;Password=xxxxx"
        Dim con As New MySqlConnection(connStr)
 
        If txtUserName.Text.Trim() = "" Or txtPassword.Text.Trim() = "" Then
            MsgBox("Please Enter User Name/Password...!")
            Exit Sub
        End If
        Try
            StrSql = "SELECT * FROM `se_users` WHERE `user_email`=" & txtUserName.Text.Trim() & "`user_password` = MD5(@password)"
            cmd = New MySqlCommand(StrSql, con)
            con.Open()
            dr = cmd.ExecuteReader()
            dr.Read()
            If dr.HasRows = False Then
                MsgBox("Invalid User Name and password...!", MsgBoxStyle.Critical)
                dr.Close()
                con.Close()
                Exit Sub
            End If
        Catch ex As Exception
            MsgBox("Login Failed...! Please Check the Server Details...!", MsgBoxStyle.Critical)
            Exit Sub
        End Try
 
        If chkSavePassword.Checked = True Then
            My.Settings.UserSavedPassword = txtPassword.Text
            My.Settings.UserSavedUserName = txtUserName.Text.Trim()
        Else
            My.Settings.UserSavedPassword = String.Empty
            My.Settings.UserSavedUserName = String.Empty
        End If
        CurrentUserID = dr("User_ID")
        CurrentUserName = dr("user_username")
        LoginStatus = True
        dr.Close()


To be fair, there's nothing massively horrific in what you're doing, apart from not using parameters (which you're attempting to correct), and you're calling Trim() multiple times on the same string, rather than.

So, all you have to do is incorporate the code from my previous post, rather than using the values inlined in the SQL commands. As I suspected, without @password being initialised, NULL is being hashed and compared.
Also, I doubt the query you've been using would actually execute as the email value doesn't appear to be in quotes.

Hopefully it should be obvious as to how my example should be incorporated into yours, especially as you're using the MySql Connector.
Oops, that paragraph should read:
... and you're calling Trim() multiple times on the same string, rather than using a single instance of the email & password strings, calling Trim only a single time. It won't affect performance, but it's a good habit to get into.
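Putting the two replies together, here is an added example of the login routine rewritten along those lines; it is not oobayly's or the asker's code. It assumes the MySql.Data connector (MySqlConnection, MySqlCommand, MySqlDbType), that User_ID is an integer column, and a placeholder connection string; the TryLogin and LoginResult names are chosen here. The inputs are trimmed once and reused, every value reaches the server as a parameter so a quote in the email is data rather than SQL, MD5() runs on the server as in the original schema, and Using blocks close the reader and connection on every path, including the exception path where the thread's version left the connection open.

```vbnet
' Added example (not the thread's code): parameterised login for se_users.
Imports System
Imports MySql.Data.MySqlClient

' What a successful login returns to the caller.
Public Class LoginResult
    Public UserId As Integer
    Public UserName As String
End Class

Module Login

    ''' Returns the user's id and name on success, or Nothing if the
    ''' email/password pair does not match a row in se_users.
    Public Function TryLogin(ByVal connStr As String, ByVal emailInput As String, ByVal passwordInput As String) As LoginResult
        ' Trim once, then reuse the trimmed value (the password is passed as typed).
        Dim email As String = If(emailInput, "").Trim()
        Dim password As String = If(passwordInput, "")
        If email = "" OrElse password = "" Then Return Nothing

        ' Only the columns the caller needs; values arrive via @email/@password,
        ' so the SQL text never contains user input.
        Const sql As String = _
            "SELECT `User_ID`, `user_username` FROM `se_users` " & _
            "WHERE `user_email` = @email AND `user_password` = MD5(@password) LIMIT 1"

        Using conn As New MySqlConnection(connStr)
            Using cmd As New MySqlCommand(sql, conn)
                ' Explicit types keep the driver from guessing; MD5() hashes the
                ' bytes of @password on the server, as PHP's md5() did at sign-up.
                cmd.Parameters.Add("@email", MySqlDbType.VarChar).Value = email
                cmd.Parameters.Add("@password", MySqlDbType.VarChar).Value = password
                conn.Open()
                Using dr As MySqlDataReader = cmd.ExecuteReader()
                    If Not dr.Read() Then Return Nothing   ' no matching row
                    Dim result As New LoginResult()
                    result.UserId = dr.GetInt32(dr.GetOrdinal("User_ID"))     ' assumed integer column
                    result.UserName = dr.GetString(dr.GetOrdinal("user_username"))
                    Return result
                End Using
            End Using
        End Using
    End Function

    Sub Main()
        ' Placeholder connection string; fill in your own server details.
        Dim connStr As String = "Server=<host>;Database=<db>;Uid=<user>;Pwd=<password>;"
        Dim who As LoginResult = TryLogin(connStr, "  someone@example.com ", "password")
        If who Is Nothing Then
            Console.WriteLine("Invalid user name or password.")
        Else
            Console.WriteLine("Logged in as " & who.UserName & " (id " & who.UserId & ")")
        End If
    End Sub
End Module
```

Because the reader is disposed before the function returns, the values the form needs (CurrentUserID, CurrentUserName) are copied out first rather than read from dr afterwards as the posted code does. One further point on the posted code: the "save password" branch writes the typed password to My.Settings in plain text; if that feature is kept, store it with System.Security.Cryptography.ProtectedData (DPAPI) rather than as-is.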
Gotcha thanks...

Now off to my trial and error, lol, as that's pretty much all it has been, getting my previous code to semi-work, lol. Now to restructure it, oh boy, lol.

thanks.