1

I'm using a MySQL database with my program and when I check if the password a user enters is correct, it always says it's invalid. I do the same with email but it works. I think it's because my PHP script encrypts the password when it's created on the page. Here is my code:

        try
        {
            string command = "SELECT email FROM uc_users WHERE email = '@email';";
            string command2 = "SELECT password FROM uc_users WHERE password = '@password';";
            // CONNECTION DETAILS
            connection = new MySqlConnection(connectionString);
            connection.Open();

            // COMMAND DETAILS
            MySqlCommand email = new MySqlCommand(command, connection);
            MySqlCommand passwordc = new MySqlCommand(command2, connection);

            // PARAMETERS
            email.Parameters.AddWithValue("@email", txtEmail.Text);
            passwordc.Parameters.AddWithValue("@password", txtPassword.Text);

            // READER DETAILS
            MySqlDataReader dr;
            MySqlDataReader dr2;

            // CHECK DETAILS               
            dr = email.ExecuteReader();
            string tempE = dr.Read() ? dr.GetString(0) : "Invalid Email";
            dr.Close();
            dr2 = passwordc.ExecuteReader();
            string tempP = dr2.Read() ? dr.GetString(0) : "Invalid Password";
            dr2.Close();
            MessageBox.Show(tempE + " " + tempP);
            if (tempE == txtEmail.Text && tempP == txtPassword.Text)
            {
                connection.Close();
                tempE = "";
                tempP = "";
                string email2 = txtEmail.Text;
                frmAppHub frm = new frmAppHub(email2);
                frm.Show();
                this.Hide();
            }
            else
            {
                MessageBox.Show("Invalid login details. Please try again.");
                connection.Close();
                tempE = "";
                tempP = "";
            }
        }
        catch(MySqlException ex)
        {
            MessageBox.Show("MySQL Error - Code AHx004: " +ex.Message);
            connection.Close();
        }

Any ideas how to do it? Any help is appreciated.

Improve this question
2
  • There is no way to answer this without knowing how the password was originally stored. It [hopefully] wasn't stored as plain-text. Then: What kind of hash or one-way cipher was used? Is salt used and, if so, how was it combined? Was a HMAC or other server secret also employed? (Normally PHP's crypt output will reveal some of this information - so see what is actually in the password field.) Commented Dec 10, 2013 at 20:28
  • I used this salt gen -> if ($salt === null) { $salt = substr(md5(uniqid(rand(), true)), 0, 25); } else { $salt = substr($salt, 0, 25); } Commented Dec 10, 2013 at 20:35

2 Answers 2

Reset to default
3

The query is fundamentally broken. There should be one query and the approach should be like:

// No quotes around placeholder and only ONE query that does NOT select on the password.
// If the query selects on the password then it means that the password is either
// stored as plaitext (which is not good) or the database value can be computed without
// per-user information (which is also not good).
string command = "SELECT email, password FROM uc_users WHERE email = @email";

// Only look based on the user (the email column should have a Unique constraint)
// as (although a unique salt makes it very unlikely) passwords are not unique
// nor do they identify users.
email.Parameters.AddWithValue("@email", txtEmail.Text);

// Then read the password for the given user
dr = email.ExecuteReader();
if (!dr.Read()) {
  // User not found - just stop.
  return false;
}
string dbPassword = dr.GetString(1);

return IsPasswordMatch(dbPassword, txtPassword.Text);

Now, IsPasswordMatch is a function which, when, given the database password and the plain-text password, should determine if they are a match by applying all the appropriate hash/salt/whatever transforms (see my first comment). In any case, all the logic can be safely tucked away in there.

It might look something like:

bool IsPasswordMatch (string dbPassword, string plaintext) {
    var salt = GetSalt(dbPassword);
    var dbHash = GetHash(dbPassword);
    var ptHash = Hash(salt + plaintext);
    return dbHash == ptHash;
}

I've left in the methods as "high level operations" that need to be adapted to whatever was used in the first place; however, the basic operation should now be apparent. Just repeat the same process as was used to create the database value in the first place - is it the same in both cases?

Make sure to read up on using as well - this will enable resources to be cleaned up easily without fuss.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Got it to work like this, just have to add all my new salt and hash methods. Thanks!
@PROZILENTEXX I would also recommend switching the hash function to bcrypt/scrypt when you have a chance. Anyway, glad it works.
0

Yes, you need to generate hash of your password, that must be identical stored in database and than query your command with this hash, instead of plain text password.

If you have different strings in DB and @passowrd - you always have invalid result.

Improve this answer

5 Comments

I've tried it, but can't find any way of using the exact same hash in C#. Any ideas how to do it?
You have only one possible method: find or create this method to have identical hash. In other case - you need to ask users to change they passwords with algorytm, that you can use in your situation.
Ok, is there any way to use PHP code from C#. If not, would that mean a full redo of the hashing?
you can use external calling. For example C# variant of file_get_contents() PHP function. You can provide username and password to this script and return "true" or "false" from the php script and use it like a flag, that client enter a good pair.
devprise.com/2006/07/14/c-method-to-mimic-php-file_get_contents look here, for example.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.