|
Putting comments in your code would be helpful. Helps give some idea of what is going on
"Any sort of work in VB6 is bound to provide several WTF moments." - Christian Graus
|
|
|
|
|
Hi
I have the following function for returning a user specific salt using a stored procedure in mySQL
But my code doesn't seem to be returning a value from my OUTput parameter, can anyone see a problem
Cheers
code is
Sub getSalt(ByVal sender As Object, ByVal e As EventArgs)
'Create connection string to pass database, string holds login information to mySQL,
Dim connectionString As String
connectionString = "Server=localhost; uid=;database=ftp1;"
'Builds .net mysql connection and passes connection string into method
Dim connection As New MySqlConnection(connectionString)
'Create mySql command string for passing query or SPROC(Stored Procedure)
Dim cmdString As New MySqlCommand
'Set Command to equal mySql connection,t so can pass SQL query
cmdString.Connection = connection
'Set command string to equal SPROC
cmdString.CommandText = "sp_getSalt"
'ONLY PLACE THIS IF SPROC, sets the command to a SPROC
cmdString.CommandType = CommandType.StoredProcedure
Dim literr As New LiteralControl
Dim param As MySqlParameter
Try
param = cmdString.Parameters.Add("?p_salt", MySqlDbType.VarChar)
cmdString.Parameters("?p_salt").Direction = ParameterDirection.Output
Dim salt As String = cmdString.Parameters("?p_salt").Value
sendData(sender, e, salt)
Catch ex As Exception
literr.Text = ex.Message
MsgBox(ex.Message)
End Try
Procedure is
CREATE DEFINER=`jshort`@`localhost` PROCEDURE `sp_getSalt`(IN p_userName VARCHAR(20), OUT p_salt varchar(500))
BEGIN
SELECT salt INTO p_salt FROM Users WHERE UserName = p_UserName;
END
|
|
|
|
|
Perhaps if you tried to actually execute the procedure...
---
single minded; short sighted; long gone;
|
|
|
|
|
i know, i just realised how retarded i was, it is also helpful if I passed the username into it as well...
But it still doesn't work
Correct me if my reasoning is wrong here
when i create a user i provide them with a random salt
Then when i encrypt the password, i also add the salt into that encryption, so providing a unique password (yes/no?)
When i log in
I get the application to grab the user's salt based on the username entered
I then need to do the same process as before of taking the username entered and using the salt i retrieved, and encrypting them again
and this should *in theory* be the same password as stored
but it doesn't seem to work like this, so i am taking it my reasoning is fatally flawed somewhere
|
|
|
|
|
No, that's correct. The problem could be in how you stored the salt. When you created your salt and added it to the password, are you getting back the EXACT same salt out of the database just before you add it to the entered password attempt?
|
|
|
|
|
I have checked that by getting it to display the value in message boxes and it returns the same salt value which is committed to the database each time
|
|
|
|
|
this is the code that i use to create the salt
Dim shaHash As New System.Security.Cryptography.SHA384Managed()
Dim hashedBytes As Byte()
Dim encoder As New UTF8Encoding()
Dim data() As Byte
data = New Byte(6) {}
Dim rng As New RNGCryptoServiceProvider
rng.GetBytes(data)
Dim PSalt As String = encoder.GetString(data)
MsgBox(PSalt)
i then do the following to encrypt my password and i just pass the psalt variable into my salt field in database
hashedBytes = shaHash.ComputeHash(encoder.GetBytes(txtPassword.Text & PSalt))
Dim PWhash As String = encoder.GetString(hashedBytes)
param = cmdString.Parameters.Add("?p_Password", MySqlDbType.VarChar)
param.Direction = ParameterDirection.Input
param.Value = PWhash
MsgBox(PWhash)
to log in I have the following function which gets my salt
cmdStringS.CommandText = "sp_getSalt"
cmdStringS.CommandType = CommandType.StoredProcedure
Dim literr As New LiteralControl
Dim param As MySqlParameter
Try
param = cmdStringS.Parameters.Add("?p_username", MySqlDbType.VarChar)
param.Direction = ParameterDirection.Input
param.Value = txtUserName.Text
param = cmdStringS.Parameters.Add("?p_salt", MySqlDbType.VarChar)
cmdStringS.Parameters("?p_salt").Direction = ParameterDirection.Output
connection.Open()
cmdStringS.ExecuteScalar()
connection.Close()
Catch ex As Exception
literr.Text = ex.Message
MsgBox(ex.Message)
End Try
Dim salted As String = cmdStringS.Parameters("?p_salt").Value
sendData(sender, e, cmdStringS, salted)
I then pass the salted variable to my data submit method, where i do the following with the password and hash
hashedBytes = shaHash.ComputeHash(encoder.GetBytes(txtPassword.Text & salted))
Dim PWhash As String = encoder.GetString(hashedBytes)
param = cmdString.Parameters.Add("?p_Password", MySqlDbType.VarChar)
param.Direction = ParameterDirection.Input
param.Value = PWhash
|
|
|
|
|
Hmmm...I can't really see anything wrong with it. I've done similar stuff in the past, but instead of using UTF8 encoding to convert the salt to a string, I converted it to a Base64 string and added that to the password.
I've always generated the salt in a separate function, generated the salted password hash in another...
Private Function GenerateSalt(ByVal size As Integer) As String
    ' The drop dead minimum useful salt size is 5 bytes, and
    ' a max of 12 would generate a string of 8 to 20 Base64 characters.
    size = Math.Min(Math.Max(5, size), 12)
    Dim rng As New RNGCryptoServiceProvider()
    Dim buffer(size) As Byte
    rng.GetBytes(buffer)
    Return Convert.ToBase64String(buffer)
End Function
Private Function GenerateSaltedPasswordHash(ByVal password As String, ByVal salt As String) As String
    ' This section is GREATLY simplified. I normally do something MUCH more
    ' wicked to combine the password and salt, and hash it. Of course, I'm not saying what...
    Dim saltedPassword As String = password & salt
    Dim SHA As New SHA512Managed
    Dim buffer() As Byte = Encoding.UTF8.GetBytes(saltedPassword)
    Return Convert.ToBase64String(SHA.ComputeHash(buffer))
End Function
Why do I use Base64 so much?? Easy. The return values are suitable for storage on/in ANY medium. XML files, any database, any file, ...
This version of the function would generate a password hash string about 80 to 100 characters long. Your mileage may vary. This length of password may or may NOT be acceptable to you. Consider the situation where you may have 60,000,000 users. That's a password column containing 6GB of data, not counting the salt storage, or any other user data.
|
|
|
|
|
boyindie wrote: Dim data() As Byte
data = New Byte(6) {}
Dim rng As New RNGCryptoServiceProvider
rng.GetBytes(data)
Dim PSalt As String = encoder.GetString(data)
That's not a good way to create a random string. The random bytes that you create might not correspond to actual characters in that encoding. Also, as some characters are encoded into more than one byte, you might create a byte pattern that ends in a half character.
Just start with a non-random string like "asdf" until you have got the rest of the code working.
param = cmdString.Parameters.Add("?p_Password", MySqlDbType.VarChar)
param.Direction = ParameterDirection.Input
param.Value = PWhash
Unless you have set up your database to use unicode, it will not be able to store any unicode characters.
There is no code to actually store anything in the database. Is it missing, or did you just omit it?
cmdStringS.ExecuteScalar()
Why are you using ExecuteScalar, when you don't read anything from the result? Use ExecuteNonQuery instead.
---
single minded; short sighted; long gone;
|
|
|
|
|
There is actually code for committing to the database, I just missed it out
'encrypt(password)
hashedBytes = shaHash.ComputeHash(encoder.GetBytes(txtPassword.Text & PSalt))
Dim PWhash As String = encoder.GetString(hashedBytes)
param = cmdString.Parameters.Add("?p_Password", MySqlDbType.VarChar)
param.Direction = ParameterDirection.Input
param.Value = PWhash
I have the thing working when i don't use the salt, but as soon as I add the salt it will never match the value stored in the table
|
|
|
|
|
boyindie wrote: hashedBytes = shaHash.ComputeHash(encoder.GetBytes(txtPassword.Text & PSalt))
Dim PWhash As String = encoder.GetString(hashedBytes)
You can't just take any byte sequence and decode it as UTF-8. Only a byte sequence that is created by encoding a string as UTF-8 can be safely decoded that way.
If you want to create a string representation of a byte sequence, use something like base64.
boyindie wrote: I have the thing working when i don't use the salt
Then you were just lucky to get byte sequences that happened to be possible to decode using the UTF-8 encoding without losing data.
---
single minded; short sighted; long gone;
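
An added example, not code from any poster in this thread: it shows why decoding random salt bytes with `Encoding.UTF8.GetString` loses data while Base64 round-trips, then stores and verifies a salted hash with the salt kept as Base64. It swaps the thread's single SHA pass for PBKDF2 (`Rfc2898DeriveBytes`) and assumes .NET Framework 4.7.2 or later; the module name, iteration count and sample passwords are made up for the example.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module SaltEncodingDemo
    ' Assumed value for this example; tune the iteration count to your hardware.
    Private Const Iterations As Integer = 100000

    Function NewSalt() As Byte()
        Dim salt(15) As Byte                      ' 16 random bytes (indices 0..15)
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Return salt
    End Function

    ' Derive the stored verifier from the password and the RAW salt bytes (PBKDF2-SHA256).
    Function HashPassword(password As String, salt As Byte()) As String
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return Convert.ToBase64String(kdf.GetBytes(32))
        End Using
    End Function

    ' Compare two Base64 strings without returning early on the first difference.
    Function SlowEquals(a As String, b As String) As Boolean
        Dim diff As Integer = a.Length Xor b.Length
        For i As Integer = 0 To Math.Min(a.Length, b.Length) - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function

    Sub Main()
        Dim salt As Byte() = NewSalt()
        ' What the thread's code did: decode random bytes as UTF-8 text. Invalid
        ' sequences are silently replaced, so the bytes rarely survive the trip.
        Dim fromText As Byte() = Encoding.UTF8.GetBytes(Encoding.UTF8.GetString(salt))
        Console.WriteLine("UTF-8 round trip kept the salt: " &
                          (Convert.ToBase64String(fromText) = Convert.ToBase64String(salt)))

        ' Registration: Base64 is reversible for any bytes and fits a VARCHAR column.
        Dim storedSalt As String = Convert.ToBase64String(salt)
        Dim storedHash As String = HashPassword("correct horse", salt)   ' constructed sample password

        ' Login: read both columns back, decode the salt, recompute, compare.
        Dim loginSalt As Byte() = Convert.FromBase64String(storedSalt)
        Console.WriteLine("Right password: " & SlowEquals(HashPassword("correct horse", loginSalt), storedHash))
        Console.WriteLine("Wrong password: " & SlowEquals(HashPassword("wrong horse", loginSalt), storedHash))
    End Sub
End Module
```

The same rule applies to the hash output: store it as Base64 (or hex), never as the result of `GetString` on the digest bytes.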
|
|
|
|
|
I have now sorted this issue out. I have the login now working along with the salt
I am using the method suggested by dave further back in the saga of this string
Just need to learn how to get sessions working or a cookie, and i am sorted
|
|
|
|
|
Hi guys, i want to build my own equalizer (sound control) using vb.net, so can anyone give me the codings to develop it. Thanks in advance..
Bala
|
|
|
|
|
bala_kathir wrote: so can anyone give me the codings to develop it.Thanks
If anyone gave you the code to do it, you wouldn't be developing it. If code is what you want, Google for "VB.NET audio equalizer" and start hunting. We're not going to hunt down code for you.
CP is here to help you write your own code. If you get to a point in your code where you're stuck, ask a specific question about it and we'll help.
|
|
|
|
|
How to disable back and forward button in browser?
Ashish K. Vyas
|
|
|
|
|
One of the best methods is to kill the session using Session.Abandon(); once the user is logged out
Regards,
Satips.
Don't walk in front of me, I may not follow;
Don't walk behind me, I may not lead;
Walk beside me, and just be my friend. - Albert Camus
|
|
|
|
|
What the ...... ???? What does abandoning the session on the server-side have ANYTHING to do with the client-side's browser buttons??!?!?!?!?!
|
|
|
|
|
You can't disable the back button as far as I know, but you can add code in javascript so that when someone clicks back button, History + 1, so it will never go back.
Google that
|
|
|
|
|
Hi,
Can you send me that code (JavaScript) and let me know where i need to add that code.
thank you
Ashish K. Vyas
|
|
|
|
|
<script language="javascript">
history.forward();
</script>
|
|
|
|
|
i am having this error when i am about to delete a data row
inline with this is a message box saying:
object reference not set to an instance of an object. do you want to correct the value?
if i click yes, it will delete the row if no it will ignore the deletion
i've already checked all of my declarations and pretty sure that i've declared everything right.
here's my code:
Private Sub delCol_ButtonColumnClick(ByVal sender As Object, ByVal e As Leadit.ExtendedDataGrid.ButtonColumnEventArgs) Handles delCol.ButtonColumnClick
Dim row As Integer
Dim hourdiffBtn As Integer
Dim sBtn As DateTime
Dim eBtn As DateTime
Dim res As MsgBoxResult
row = Me.dtgCustomSched.CurrentRowIndex
res = MsgBox("Are you sure you want to delete the schedule on " + Me.dtgCustomSched.Item(row, 0), MsgBoxStyle.YesNo)
If res = MsgBoxResult.Yes Then
sBtn = Date.Parse(Me.dtgCustomSched.Item(row, 1))
eBtn = Date.Parse(Me.dtgCustomSched.Item(row, 2))
hourdiffBtn = getHrValue(sBtn, eBtn)
lastRowNumber = lastRowNumber - 1
Me.remainingHour2 = Me.remainingHour2 + hourdiffBtn
Me.txtLookUpHours.Text = remainingHour2.ToString
addSchedule.Table("ttcpcustomizedschedule").Rows.RemoveAt(row)
Else
Exit Sub
End If
End Sub
dtgcustomsched is the name of my datagrid
addsched is the name of the dataset
i made one of the datagrid cell as a customized button.. it already work fine with my other codes.. the problem only occur here
the error occurs on the line in bold.
also, this error only appears when i delete the last row on the datagrid, but if i delete anything rather than the last row everything works fine and no error is being detected
please help. thanx!
i am using vb.net 2002
|
|
|
|
|
cutequencher wrote: addSchedule.Table("ttcpcustomizedschedule").Rows.RemoveAt(row)
Most likely problem is that the Table call is returning null/nothing. Something sure is.
Christian Graus - Microsoft MVP - C++
"I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
|
|
|
|
|
maybe you're right but i'm confused because when i click yes it continues to delete the row but with that error message. i've read some threads that say it's a bug in the vb.net 2002 datagrid, but then i still need to resolve it, i just wonder if there is a way to disable the autocommit of datagrid? thanx!
|
|
|
|
|
Hi all,
Sorry to be a pain and this may just be a simple answer but I can't seem to find out how to do it.
I am currently developing some GIS software. I have the basic toolstrip above the map with all your tools, e.g. Pan, Zoom etc. The problem is that I can't seem to find how to have a toggle button on the toolstrip so that when Pan is selected, the button is pushed down and whatever was selected pops back up.
This seems like a simple thing, it would be a bit strange if I had to do it in code.
Thanks for your help
Nathan
|
|
|
|
|
Do you have a sample of your code where you think it should be working?
"Any sort of work in VB6 is bound to provide several WTF moments." - Christian Graus
|
|
|
|