0

I have two forms, a signup form and a login form, my signup form stores the users entered password into the database using MD5 which works, however when I go to login with the same user and password it fails to login, I believe it may be comparing my plaintext password with my hashed password, therefore throwing the wrong message. Here is my signup form code:

Imports MySql.Data.MySqlClient
Imports System.Security.Cryptography
Imports System.Text


Public Class frmSignup
Dim ServerString As String = "Server=localhost;User Id=root;Password=;Database=accountinfo"
Dim SQLConnection As MySqlConnection = New MySqlConnection

Private Sub Form3_Load(sender As Object, e As EventArgs) Handles MyBase.Load
    SQLConnection.ConnectionString = ServerString

    Try
        If SQLConnection.State = ConnectionState.Closed Then
            SQLConnection.Open()
            MsgBox("Successfully connected to DB")

        Else
            SQLConnection.Close()
            MsgBox("Failed to connect to DB")
        End If
    Catch ex As Exception
        MsgBox(ex.ToString)

    End Try
End Sub

Public Sub SaveAccountInformation(ByRef SQLStatement As String)
    Dim cmd As MySqlCommand = New MySqlCommand

    With cmd
        .CommandText = SQLStatement
        .CommandType = CommandType.Text
        .Connection = SQLConnection
        .ExecuteNonQuery()
    End With
    SQLConnection.Close()
    SQLConnection.Dispose()
End Sub

Private Sub btnSignup_Click(sender As Object, e As EventArgs) Handles btnSignup.Click
    If txtPasswd.Text = txtPasswd2.Text Then
        MessageBox.Show("Passwords Match!")

        Dim HashedPass As String = ""

        'Converts the Password into bytes, computes the hash of those bytes, and then converts them into a Base64 string

        Using MD5hash As MD5 = MD5.Create()

            HashedPass = System.Convert.ToBase64String(MD5hash.ComputeHash(System.Text.Encoding.ASCII.GetBytes(txtPasswd.Text)))

        End Using


        Dim SQLStatement As String = "INSERT INTO accountinfodb(`Usernames`, `Passwords`) VALUES ('" & txtUsername.Text & "','" & HashedPass & "')"
        SaveAccountInformation(SQLStatement)



        MessageBox.Show("Account Successfully Registered")
        frmLogin.Show()
        frmLoginScreen.Hide()
    Else
        MessageBox.Show("Passwords Do Not Match!")
        txtPasswd.Text = Focus()
        txtPasswd.Clear()
        txtPasswd2.Text = Focus()
        txtPasswd2.Clear()

    End If
End Sub

And here is my Login form

Imports MySql.Data.MySqlClient Imports System.Security.Cryptography

Public Class frmLogin

Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
    Dim conStr = "Server=localhost;User Id=root;Password=;Database=accountinfo"
    Dim SQL = "SELECT * FROM accountinfodb WHERE Usernames = @uname AND `Passwords` = MD5(@pword);"

    Dim HashedPass As String = ""

    'Converts the Password into bytes, computes the hash of those bytes, and then converts them into a Base64 string

    Using MD5hash As MD5 = MD5.Create()

        HashedPass = System.Convert.ToBase64String(MD5hash.ComputeHash(System.Text.Encoding.ASCII.GetBytes(txtPasswd.Text)))

    End Using

    ' this object will be closed and dispose @ End Using
    Using dbCon As New MySqlConnection(conStr)
        ' the command object likewise
        Using cmd As New MySqlCommand(SQL, dbCon)

            dbCon.Open()
            cmd.Parameters.Add(New MySqlParameter("@uname", txtUsername.Text))
            cmd.Parameters.Add(New MySqlParameter("@pword", HashedPass))

            ' create a Using scope block for the reader
            Using rdr As MySqlDataReader = cmd.ExecuteReader

                If rdr.HasRows Then
                    MessageBox.Show("Login successful!", "Welcome")
                    frmProduct.Show()
                Else
                    MessageBox.Show("Oops! Login unsuccessful!(Password/Username may be wrong, or the user may not exist!")
                    txtUsername.Clear()
                    txtUsername.Focus()
                    txtPasswd.Clear()
                End If
            End Using
        End Using           ' close/dispose command

    End Using               ' close/dispose connection


End Sub

Plutonix for Sanitizing Parameters in my database

Imports MySql.Data.MySqlClient
Imports System.Security.Cryptography
Imports System.Text


Public Class frmSignup
Dim ServerString As String = "Server=localhost;User Id=root;Password=;Database=accountinfo"
Dim SQLConnection As MySqlConnection = New MySqlConnection
Dim HashedPass As String = ""


Private Sub Form3_Load(sender As Object, e As EventArgs) Handles MyBase.Load
    SQLConnection.ConnectionString = ServerString

    Try
        If SQLConnection.State = ConnectionState.Closed Then
            SQLConnection.Open()
            MsgBox("Successfully connected to DB")

        Else
            SQLConnection.Close()
            MsgBox("Failed to connect to DB")
        End If
    Catch ex As Exception
        MsgBox(ex.ToString)

    End Try
End Sub

Public Sub SaveAccountInformation(ByRef SQLStatement As String)
    Dim cmd As MySqlCommand = New MySqlCommand

    With cmd
        .CommandText = SQLStatement
        .CommandType = CommandType.Text
        .Connection = SQLConnection
        cmd.Parameters.Add(New MySqlParameter("@uname", txtUsername.Text))
        cmd.Parameters.Add(New MySqlParameter("@pword", HashedPass))
        .ExecuteNonQuery()
    End With
    SQLConnection.Close()
    SQLConnection.Dispose()
End Sub

Private Sub btnSignup_Click(sender As Object, e As EventArgs) Handles btnSignup.Click
    If txtPasswd.Text = txtPasswd2.Text Then
        MessageBox.Show("Passwords Match!")


        'Converts the Password into bytes, computes the hash of those bytes, and then converts them into a Base64 string

        Using MD5hash As MD5 = MD5.Create()

            HashedPass = System.Convert.ToBase64String(MD5hash.ComputeHash(System.Text.Encoding.ASCII.GetBytes(txtPasswd.Text)))

        End Using


        Dim SQLStatement As String = "INSERT INTO accountinfodb WHERE Usernames = @Usernames AND `Password`s = @Passwords"


        SaveAccountInformation(SQLStatement)



        MessageBox.Show("Account Successfully Registered")
        frmLogin.Show()
        frmLoginScreen.Hide()
    Else
        MessageBox.Show("Passwords Do Not Match!")
        txtPasswd.Text = Focus()
        txtPasswd.Clear()
        txtPasswd2.Text = Focus()
        txtPasswd2.Clear()

    End If
End Sub
End Class
Jcrow
  • 53
  • 2
  • 9
  • In your Login routine, you're calculating the HashedPass from the text input and supplying that to your `@pword` sql param, but in your SQL, you're passing that param to `MD5(@pword)` which is hashing the already hashed password. – Chase Rocker Jan 20 '16 at 00:17
  • @ChaseRocker I removed the MD5(@pword) portion, still doesn't work. Somehow it's not comparing the two hash values to see if they're both the same. – Jcrow Jan 20 '16 at 00:23
  • did you step thru the code...is it throwing any errors? Or does the mySqlDataReader just not return any rows? – Chase Rocker Jan 20 '16 at 00:30
  • @ChaseRocker Nope, no errors at all. Runs through just fine. My signup form stores the password into the DB hashed, somewhere in my login though, it's not properly comparing the hash in the DB with the password entered in the login form – Jcrow Jan 20 '16 at 00:31
  • Just to narrow it down and make sure your code logic and syntax is correct, does it work if you comment out the Password comparison (in the SQL and in your params) and just check the Username? – Chase Rocker Jan 20 '16 at 00:35
  • @ChaseRocker I deleted everything MD5 related and it's fine, I changed the second parameter around to txtPasswd and HashedPass with MD5(@pword) but still doesn't work, I'm so confused lol. – Jcrow Jan 20 '16 at 00:38
  • Can you update your code above to what it looks like now? Also, are you sure your DB password field is long enough to hold the entire hash? – Chase Rocker Jan 20 '16 at 00:42
  • @ChaseRocker Yup I'm an idiot, my max length was set to 14 and not 32, so the entire hash wasn't even being given to the DB, it logins now, but the hash does not look like MD5 whatsoever. The MD5 hash for Password1 is "2ac9cb7dc02b3c0083eb70898e549b63" but for me it's "KsnLfcArPACD63CJjlSbYw==" any ideas? – Jcrow Jan 20 '16 at 00:49
  • that's the Base64String of the md5 – Chase Rocker Jan 20 '16 at 00:53
  • the first is hex, the second is B64; they could be the same hash, just different encoding – Ňɏssa Pøngjǣrdenlarp Jan 20 '16 at 00:54
  • @Plutonix Oh okay, so it is essentially the same thing? Now if I remember correctly I was told MD5 has become outdated? What would a better implementation be? – Jcrow Jan 20 '16 at 00:56
  • @ChaseRocker Okay thank you! – Jcrow Jan 20 '16 at 00:56
  • they still wont compare with different encoding, the more up to date version [uses SHA as in this link I gave you before](http://stackoverflow.com/a/31150288/1070452). Also, try to register a new user with the name `D'Angelo`. You should move the MD5 stuff to a method so you are SURE it is going the same for both creating and login – Ňɏssa Pøngjǣrdenlarp Jan 20 '16 at 00:58
  • I did that and I got an error in my MySQL syntax which points to the username :^) So using SQL parameters similar to in my Loginform will fix this? @Plutonix – Jcrow Jan 20 '16 at 01:02
  • yes. see also https://imgs.xkcd.com/comics/exploits_of_a_mom.png – Ňɏssa Pøngjǣrdenlarp Jan 20 '16 at 01:03
  • @Plutonix Can you look at the bottom of the OP and see where I went wrong? I tried following the same procedure as my Login Form but it's setup awkwardly with calling my sub SaveAccountInfo() – Jcrow Jan 20 '16 at 01:07
  • Move the INSERT SQL into the method (`SaveAccountInformation`) that uses it - that is where it belongs. Then just pass the username and the hashedpass to it. then examine the param placeholders in SQL to those created - they dont match. @Usernames != @uname – Ňɏssa Pøngjǣrdenlarp Jan 20 '16 at 01:10

0 Answers0