How do I encrypt password in Construct 2?

Post » Sat Jul 23, 2016 6:04 pm

I have example PHP files here and I know how to register a password in the database, but I already know that a password traveling through proxies and sniffers is extremely insecure and a bad practice in a production project.
How can I encrypt the password directly from Construct 2? How do I do it in a login system? What are the best practices for doing it? If it helps, I can make a tutorial explaining the whole complex system.
Thanks in advance. :D
Liked something I say?
Tip. My Bitcoin address: 1PLaeKmXQ8vEdGGJqXMq3KyB8hxeddxeSv

Post » Sun Jul 24, 2016 12:59 am

You use SSL, as in, depending on your application, it would simply be adding https:// at the beginning of the URL.

Tell me more about your infrastructure. Where do you host your PHP files? Heroku? OpenShift? Most of the PaaS providers already have proxies with SSL certificates and reroute the traffic from port 443 to 8080 (or other), so you don't need to do any SSL configuration other than maybe security via basic HTTP headers.

Secure login systems are a complex subject, I wouldn't recommend them for an intermediate/beginner.

Post » Sun Jul 24, 2016 5:07 am

@Whiteclaws my infrastructure is on localhost, but I use ngrok for HTTPS tunnels. I know that it is a limited infrastructure, but this is for the initial launch. I had this idea yesterday: encrypt the password in C2, decrypt it in PHP and generate a hash; if the hash is the same as the one stored in MySQL, log in. But I don't know the reason for this idea, or the best practices for encrypting a password and storing it in MySQL.
I can simply register the password in MySQL, but I prefer to encrypt it.

Post » Sun Jul 24, 2016 5:13 am

I know that the discussions about it can help other users and be useful for generating a new tutorial.

Post » Sun Jul 24, 2016 5:33 am

Hi,
To encode your password, you can use @kyatric's plugin: https://www.scirra.com/tutorials/50/cb- ... algorithms

But if you want a secure login/sign-up system, I recommend this product: https://www.scirra.com/store/construct2 ... ystem-2257

Post » Sun Jul 24, 2016 6:57 am

Saad Swad wrote:
Hi,
To encode your password, you can use @kyatric's plugin: https://www.scirra.com/tutorials/50/cb- ... algorithms

But if you want a secure login/sign-up system, I recommend this product: https://www.scirra.com/store/construct2 ... ystem-2257


Thanks, @Saad-Swad. :)
Do I need to hash the password from the app's field before sending it to the database? How can this work?

Post » Sun Jul 24, 2016 7:20 am

For more security, you can use this plugin to do AJAX requests: plugin-ajax-rsa_t94880

To hash the password, you can use @kyatric's plugin expressions. The plugin has a lot of methods, as you can see here: http://enjoycss.com/bg-img/custom/22725-ax2nzp.PNG

You can use, for example, the MD5 method. If your password is "construct2", you send "CBHash.MD5("Construct2")" to your PHP file, then the PHP file checks if this is equal to the password registered in the database.

Put your password in one of these expressions and your password will be hashed!

I recommend you read @kyatric's tutorial to learn more about hashing methods.

Sorry for my bad english...

Post » Sun Jul 24, 2016 2:04 pm

No, I mean like where are your SQL database and PHP files hosted.

Post » Sun Jul 24, 2016 4:33 pm

@Saad-Swad, I don't want to buy a login/register system, but to create my own and share it for free with other people; thanks for the suggestion. Very good idea about MD5. Is this the best algorithm, or SHA? Is it more secure to send a hash over the network than a plain password? Why? As far as I know, the password needs to be stored encrypted in the database. I'm confused.
@Whiteclaws I can't understand. The SQL database is in Vertrigo's phpMyAdmin, and the PHP files are in the www folder. All on my localhost, port 81.

Post » Mon Jul 25, 2016 2:36 am

@DaniellMesquita Yes, like you say: the password needs to be stored encrypted in the database.

For information, the SHA512 algorithm is the best. But the time taken to encrypt is longer than MD5 or other algorithms.

Now let's explain how to do this.

1. First, a person creates an account with a username and password. Let's take, for example, username: "Daniel" and password: "Construct2".

When this person clicks on the "Sign Up" button, you send this information to your PHP file.

2. Your PHP file encrypts your password with this function:

string hash ( string $algo , string $data [, bool $raw_output = false ] )

and registers this information in your database (see more in the PHP manual).

3. Now your account is created.

4. The next time, when the user wants to log in, he enters his password and his username. When he clicks on the login button, your Construct 2 app sends this information to your PHP file.

5. Your PHP file (with SQL) retrieves from your database the encrypted password corresponding to the username.

6. Your PHP file encrypts the password sent (when you click on login) and compares it to the registered password (retrieved in step 5).

7. If the encrypted passwords are equal, the user can connect; otherwise the user can't log in.
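The sign-up and login steps in the post above, as an added example that is not part of the thread or any poster's code: it swaps the bare `hash()` call for PHP's built-in `password_hash()` / `password_verify()`, which add a random per-user salt and a deliberately slow algorithm, and it assumes the request reached the PHP file over HTTPS. The in-memory SQLite database, the `users` table and the function names are assumptions standing in for the MySQL setup discussed in the thread.

```php
<?php
// Assumption: in-memory SQLite stands in for the MySQL database in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Steps 1-3: receive username + password, store only the salted hash.
function register_user(PDO $db, string $username, string $password): bool
{
    // password_hash() generates a random salt and embeds it, together with
    // the algorithm and cost, in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        return false; // e.g. the username is already taken
    }
}

// Steps 4-7: look up the stored hash and verify the submitted password.
function login_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Unknown user: still spend the hashing time so response timing
        // does not reveal which usernames exist.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample data, using the names from the post above.
var_dump(register_user($db, 'Daniel', 'Construct2')); // sign-up
var_dump(login_user($db, 'Daniel', 'Construct2'));    // correct password
var_dump(login_user($db, 'Daniel', 'construct2'));    // wrong case
var_dump(login_user($db, 'Nobody', 'Construct2'));    // unknown user
```

The password is hashed on the server, not in Construct 2: a hash computed in the client and sent as-is would itself act as the password, so protection in transit comes from HTTPS.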
