flash harry Newbie cheater
Reputation: 0
Joined: 19 Jun 2010 Posts: 16
|
Posted: Sun Sep 12, 2010 2:45 pm Post subject: [C#] Login form |
|
|
I am trying to make a very simple username/password login screen in C# that checks login details against a simple .txt file hosted on a server.
Example:
Just a text file on the server named login_inf.txt that will contain:
user0:pass0
user1:pass1
user2:pass2
user3:pass3..........etc...
And then just protect it with .htaccess.
This is what I have so far:
| Code: |
using System;
using System.Net;
using System.Text;
using System.Web;
using System.Security.Cryptography;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            string dataFile = "my-website-name . com/login_inf.txt";
            WebClient wc = new WebClient();
            UTF8Encoding utf8 = new UTF8Encoding();
            string requestHtml = "";
            // Downloads the whole credential file to the client.
            requestHtml = utf8.GetString(wc.DownloadData(dataFile));
            // Splits on ':' only; line breaks between entries are not handled.
            string[] loginData = requestHtml.Split(':');
            // As posted: a mismatch takes the "Login Success" branch.
            // md5() is a helper that is not shown in the post.
            if (loginData[1] != txtUser.Text || loginData[0] != md5(txtPass.Text))
            {
                MessageBox.Show("Login Success");
            }
            else
            {
                MessageBox.Show("Login Failed");
            }
        }
    }
}
|
But I'm having a problem with it. I'm not sure why, but all it does is check if the file is present on the server; it does not check the file for the username and password like I want it to.
The problem is that even if you enter a wrong username/password, it still says login successful.
Any ideas why it's not checking the text file for the username and password?
Any help is most appreciated (also I want to keep it simple, and it does not need to be high security).
|
|
TROLOLOLOLOLOLOLOLOLOLOLO Expert Cheater
Reputation: -1
Joined: 27 Dec 2009 Posts: 100
|
Posted: Sun Sep 12, 2010 3:04 pm Post subject: |
|
|
Use:
| Code: |
// Download the file once, then split it into user name and password hash.
string[] loginData = wc.DownloadString("URL").Split(':');
string strUser = loginData[0], strPass = loginData[1];
if (txtUser.Text != strUser || md5(txtPass.Text) != strPass)
    MessageBox.Show(null, "Invalid username and or password!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
else
    doLogin(); |
Something of that sort. Not very efficient and easily cracked, but eh.
|
|
Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
|
Posted: Sun Sep 12, 2010 10:23 pm Post subject: |
|
|
There is a giant security hole here, namely downloading the entire username/password list onto the client's computer to do the check.
You should do the check on your own server, which means you're going to have to write a server application.
|
|
flash harry Newbie cheater
Reputation: 0
Joined: 19 Jun 2010 Posts: 16
|
Posted: Mon Sep 13, 2010 2:58 am Post subject: |
|
|
| Flyte wrote: | There is a giant security hole here, namely downloading the entire username/password list onto the client's computer to do the check.
You should do the check on your own server, which means you're going to have to write a server application. |
Yes, you are right, I've scrapped this idea for now until I find a better way to do it. (I really wanted to keep it simple and reasonably secure.) It doesn't have to be Alcatraz tho tbh.
Any ideas on how to do this without having to write a server application?
|
|
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
|
Posted: Mon Sep 13, 2010 3:47 am Post subject: |
|
|
If your server supports php it'll be very easy:
The program 'downloads' the following url using the text from the textboxes:
yourserver.com/login.php?user=xxx&pass=xxx
Then if the page contains 'success', the user is logged in.
The php script can be very simple:
(My php is a bit rusty but it should be something like this.)
| Code: |
<?php
if( $_GET["user"] == "hardcoded_username" && $_GET["pass"] == "hardcoded_password" ){
    echo "success";
}else{
    echo "fail";
}
?> |
|
|
TROLOLOLOLOLOLOLOLOLOLOLO Expert Cheater
Reputation: -1
Joined: 27 Dec 2009 Posts: 100
|
Posted: Mon Sep 13, 2010 2:10 pm Post subject: |
|
|
| tombana wrote: | If your server supports php it'll be very easy:
The program 'downloads' the following url using the text from the textboxes:
yourserver.com/login.php?user=xxx&pass=xxx
Then if the page contains 'success', the user is logged in.
The php script can be very simple:
(My php is a bit rusty but it should be something like this.)
| Code: |
<?php
if( $_GET["user"] == "hardcoded_username" && $_GET["pass"] == "hardcoded_password" ){
    echo "success";
}else{
    echo "fail";
}
?> |
|
@OP:
If you're going to do that and have a database with users, etc., make sure to secure any string you "get":
| Code: |
public function secureString($str)
{
    if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc() === 1) {
        $str = stripslashes(htmlentities($str));
    } else {
        $str = htmlentities($str);
    }
    return addcslashes(mysql_real_escape_string(trim($str)), "%_");
} |
Also make all commands in the client check with the server (resend user/pass) and have the client receive its permissions.
For the login you can do something like:
| Code: |
include_once "./class_with_above_function.php";
$ac = new AboveClass();
if(isset($_GET["user"]) && isset($_GET["pass"])) {
    $user = $ac->secureString($_GET["user"]);
    $pass = $ac->secureString($_GET["pass"]);
    //add MySQL db check stuff
} else {
    print("Invalid parameters and or invalid username/password combination.");
} |
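The server-side check discussed in the posts above, as an added example that is not part of any post in this thread: the lookup uses a bound parameter instead of string escaping, the stored value is a `password_hash()` hash instead of MD5, and the credentials are read from the POST body rather than the URL. The `users` table, the `check_login()` helper, the sample account and the in-memory SQLite store are all constructed for illustration; it assumes PHP 7.1 or later with the `pdo_sqlite` extension.

```php
<?php
// Added example, not code from the thread. The users table, the sample
// account and the in-memory SQLite store are constructed for illustration.

// Hash checked when the username is unknown, so both paths do similar work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(PDO $db, string $user, string $pass): bool
{
    // The bound parameter keeps input out of the SQL text; no escaping helper needed.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    // password_verify() reads the salt and cost from the stored hash.
    return password_verify($pass, $hash);
}

// Constructed store with one account; real code would open a persistent
// database kept outside the web root.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['user0', password_hash('pass0', PASSWORD_DEFAULT)]);

if (PHP_SAPI === 'cli') {
    // Offline run: correct pair, wrong password, username containing quotes.
    foreach ([['user0', 'pass0'], ['user0', 'wrong'], ["user0' OR '1'='1", 'pass0']] as [$u, $p]) {
        printf("%-20s %s\n", $u, check_login($db, $u, $p) ? 'success' : 'fail');
    }
} else {
    // Web request: credentials come from the POST body, so they do not end up
    // in URLs or access logs. Serve this over HTTPS only.
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    $ok = is_string($user) && is_string($pass) && check_login($db, $user, $pass);
    header('Content-Type: text/plain');
    echo $ok ? 'success' : 'fail';
}
```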
|
|
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
|
Posted: Mon Sep 13, 2010 7:15 pm Post subject: |
|
|
If you are still looking to use C# and your server is on Windows (or has access to a .NET emulation such as Mono) just create a web service.
Your application that accesses the service just needs to make calls to the service. Nothing internally done on the client is needed other than making the call to the service and checking if it was successful. (There are some things to keep in mind after a successful login, such as a token or session id per-login and such.)
The service can handle the rest.
_________________
- Retired. |
|
NINTENDO Grandmaster Cheater Supreme
Reputation: 0
Joined: 02 Nov 2007 Posts: 1371
|
|
Polynomial Grandmaster Cheater
Reputation: 5
Joined: 17 Feb 2008 Posts: 524 Location: Inside the Intel CET shadow stack
|
Posted: Tue Sep 14, 2010 8:25 am Post subject: |
|
|
If you have the ability to .htaccess, why not just have a text file that says "ok" in a protected directory. User management can then be handled directly by .htaccess and you can tell the application to log in with the credentials given. If it succeeds, you get the file fine. If it doesn't succeed, it's bad credentials. If you can, use SSL for the connection. It'll encrypt the traffic so it can't be sniffed.
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time. |
|