I'm trying to implement a login feature in my project. In order to make it "secure" I want to try to use the user system provided by phpmyadmin (my tool to manage my databases) rather than logging in with the root user and then storing usernames and passwords in a table and verifying them etc.
I tried to add a new user in phpmyadmin and then I looked at the SQL code that represented the code to add a new user:
CREATE USER 'username_test'@'localhost' IDENTIFIED WITH mysql_native_password AS '***';
GRANT SELECT ON *.* TO 'username_test'@'localhost' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
GRANT ALL PRIVILEGES ON `restaurant_app`.* TO 'username_test'@'localhost';
So my goal was to use this SQL to register/login users in my app. But I can't figure out how to provide the password; I don't fully understand the first part of this command. Moreover, I would like you to tell me if using the phpmyadmin user feature is a good idea or if I should use the classic way to do this: connect to the database using (user:"root", passwd:"") and look into my own table containing all the users' logins?
No, it is not a good idea. You can use bcrypt to store hashed passwords instead of plain text passwords. In the backend you would hash the password that comes from the front-end and compare that value with the one in the database.
You can read this post to see some examples.
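The register/verify flow the answer describes, as an added example that is not part of the original post: the backend never stores the password itself, only a random salt and a slow hash of it, and login recomputes the hash and compares it in constant time. The standard-library scrypt function stands in for bcrypt here (an assumption; any slow salted password hash serves the same purpose), and the in-memory SQLite table is a constructed stand-in for the app's own users table.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the application's users table (assumption: one row per user).
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
)


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt stands in for the bcrypt the answer names: salted, deliberately slow,
    # and memory-hard, so an attacker who steals the table still has to brute-force each row.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(username: str, password: str) -> bool:
    """Store a new user; return False for blank input or an existing username."""
    if not username.strip() or not password:
        return False
    salt = os.urandom(16)  # fresh random salt per user, stored next to the hash
    try:
        with conn:
            conn.execute(
                "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                (username, salt, hash_password(password, salt)),
            )
    except sqlite3.IntegrityError:
        return False
    return True


def login(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), bytes(stored))


if __name__ == "__main__":
    assert register("alice", "correct horse battery")
    print("login ok:", login("alice", "correct horse battery"))   # True
    print("wrong pw:", login("alice", "wrong"))                   # False
```

The parameterised queries (`?` placeholders) are what keeps the username field from turning into SQL; the database user the backend connects with needs only rights on this table, not root.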
So we are running an open-source POS project named "chromispos" based on unicenta. Sadly we have lost the database root password and we would like to retrieve it. The database runs locally with wampp in MySQL. I know that it is possible to change the database password for the root user, but since we cannot change the password again in the POS software it will not connect anymore.
Is there any way I can retrieve the password? This is the source file of the en/decryption:
https://github.com/micolous/Openbravo/blob/master/src-pos/com/openbravo/pos/forms/AppViewConnection.java
The hash to be decrypted:
crypt:6FF1981268FBCD0CBB9DB2A39005780D
The root password will be stored somewhere in chromispos if that is still operational.
Alternately create a new database user with the same access level and use this as the user root access. After starting with skip-grant-tables, copy the root user row from mysql.user changing the username and password columns.
I've created a LOGIN/REGISTER application with this tutorial.
My problem is, if I put nothing on the register view of my app (name, username, age, password), it creates a user on my table with nothing inside (just a number in the "user_id" column) and I can sign in with nothing in "username" and "password" on the login view of my app.
And all my LOGIN/REGISTER android app becomes useless...
If you don't understand what I say, you can try my app.
For information, I've changed some elements so as not to give you full access to my app:
In "LoginRequest.class", I have changed my website to xxx at this line:
private static final String LOGIN_REQUEST_URL ="http://xxxx.net/Login.php";
In "RegisterRequest.class", I have changed my website to xxx at this line:
private static final String REGISTER_REQUEST_URL ="http://xxxx.net/Register.php";
In "Login.php", I have changed my information at this line:
$con = mysqli_connect("mysql10.000host.com", "axxxxxxx_user", "passwordZ", "ayyyyyyy_data");
In "Register.php", I have changed my information at this line:
$con = mysqli_connect("mysql10.000host.com", "axxxxxxx_user", "passwordZ", "ayyyyyyy_data");
Thank you for your help.
The only thing you need to do is validation.
Put validation in place while registering and logging in. Don't call the API if username, password and other fields are blank.
You need to check that the user is entering a proper email-id, and the password should be more than 6 characters with a combination of numbers and special characters and the like.
And in your server side do write procedures to validate the username or passwords.
You can also use an ORM which can protect you from injections.
A simple regex to validate an email-id would be
/^(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){255,})(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){65,}@)(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22))(?:\.(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\]))$/iD
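The server-side validation the answer calls for, as an added example that is not part of the original post. It rejects the blank-form case from the question (every field empty, yet a row is created and the empty login succeeds) by returning a list of errors; the API call, or the INSERT in Register.php, only proceeds when that list is empty. The field names follow the question's register view plus an email field, and the short email pattern is a deliberately simplified assumption, not the full regex above.

```python
import re

# Simplified address check (assumption): something@something.tld with no whitespace.
# The full regex in the answer above is far stricter; this one only demonstrates the hook.
EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.?/")

# Fields from the question's register view, plus email as the answer suggests (assumption).
REQUIRED_FIELDS = ("name", "username", "email", "age", "password")


def validate_registration(form: dict) -> list:
    """Return a list of error messages; an empty list means the request may be sent."""
    errors = []
    for field in REQUIRED_FIELDS:
        if not str(form.get(field, "")).strip():
            errors.append(f"{field} is required")

    email = str(form.get("email", "")).strip()
    if email and not EMAIL_RE.match(email):
        errors.append("email is not valid")

    password = str(form.get("password", ""))
    if password:
        # Policy from the answer: more than 6 characters, with a number and a special character.
        if len(password) <= 6:
            errors.append("password must be more than 6 characters")
        if not any(c.isdigit() for c in password):
            errors.append("password needs a number")
        if not any(c in SPECIAL_CHARS for c in password):
            errors.append("password needs a special character")

    age = str(form.get("age", "")).strip()
    if age and not age.isdigit():
        errors.append("age must be a number")
    return errors


def validate_login(username: str, password: str) -> list:
    """Same idea for the login view: never send blank credentials to the server."""
    errors = []
    if not username.strip():
        errors.append("username is required")
    if not password:
        errors.append("password is required")
    return errors


if __name__ == "__main__":
    print(validate_registration({}))  # every field reported as required
    print(validate_registration({"name": "Joe", "username": "joe", "email": "joe@example.com",
                                 "age": "30", "password": "s3cret!pw"}))  # []
```

Run the same checks on the PHP side before the INSERT: the Android client can be bypassed entirely by anyone posting directly to Register.php, so client-side validation only improves the user experience, while the server-side copy is what actually protects the table.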
I have encrypted passwords stored in MySQL tables; actually there are a couple of tables storing different user credentials, but the column name (PASSWORD) is the same in all of them.
There are many scenarios in my project that connect to different servers with user credentials. So my requirement is, rather than decrypting the password in every place (after the select statement), to decrypt it in a common area; it could be a Listener or something similar.
When the PASSWORD column is found in a select statement, the password needs to be decrypted.
Please suggest how to achieve this.
Thanks,
Raj
I am creating a JFrameApplet (In Java) with a log in (SQLite) but I am struggling to understand how to compare a wanted username, against a username that is already taken:
For Example: I want the username JoeBloggs, but it is taken, how do I compare a wanted username against one already made.
I have an SQLite users.db and the field is USERNAME.
Thank you for any assistance.
Try searching up the UNIQUE constraint.
When creating a table use CREATE TABLE Users(Id INTEGER, USERNAME TEXT UNIQUE);
so if JoeBloggs is already an entry in the db trying to add it again with INSERT INTO Users VALUES(2, 'JoeBloggs'); will give you an Error: column USERNAME is not unique.
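The UNIQUE-constraint approach from the answer, as an added example that is not part of the original post, written in Python's built-in sqlite3 module rather than the asker's Java so it runs stand-alone. It uses the answer's table but adds COLLATE NOCASE (an assumption, not in the answer's schema) so that "joebloggs" is treated as the same username as "JoeBloggs"; the database is a constructed in-memory one.

```python
import sqlite3

# Constructed in-memory stand-in for users.db. COLLATE NOCASE is added so the
# uniqueness check ignores letter case (assumption: the answer's table is case-sensitive).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users(Id INTEGER, USERNAME TEXT COLLATE NOCASE UNIQUE)")


def username_taken(username: str) -> bool:
    """Pre-check for the UI ("that name is already in use"); not a substitute for the constraint."""
    row = conn.execute(
        "SELECT 1 FROM Users WHERE USERNAME = ?", (username,)
    ).fetchone()
    return row is not None


def add_user(user_id: int, username: str) -> bool:
    """Insert the row; the UNIQUE constraint is the authoritative check.

    Two clients can both pass username_taken() at the same moment, but only one
    INSERT can succeed, so the caller must handle the constraint error anyway.
    """
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("INSERT INTO Users VALUES(?, ?)", (user_id, username))
    except sqlite3.IntegrityError:
        # Modern SQLite reports "UNIQUE constraint failed: Users.USERNAME".
        return False
    return True


if __name__ == "__main__":
    print(add_user(1, "JoeBloggs"))   # True
    print(add_user(2, "JoeBloggs"))   # False, already taken
    print(username_taken("joebloggs"))  # True, case is ignored
```

The `?` placeholders matter even for a username check: building the SELECT by string concatenation would let the wanted username alter the query itself.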