How do I encrypt password in Construct 2?

I have example PHP files here and I know how register password into database, but I already know that a password traveling into proxies and sniffers is extremelly unsecure and a bad practice in a production project.

How can I encript password directly from Construct 2? How do it in a login system? Which are the best practices for do it? If helped, I can make a tutorial explaining all the complex system.

Thanks in advance.

You use SSL, as in, depending on your application, it would simply be adding https:// at the beginning of the url,

Tell me more about your infrastructure. Where do yu host your PHP files? Heroku? Openshift? Most of the Paas' already have proxies with SSL certificstes and reroute the traffic from port 443 to 8080 (or other) so you don't need to do any SSL configuration other than maybe security via basic http headers.

Secure login systems are a complex subject, I wouldn't recommend them for an intermediate/beginner.

Whiteclaws my infraestructure is in localhost but I use ngrok for use https tunnels. I know that is a limited infraestructure but this is for the initial launch. I has this idea yesterday: encript password in C2, decript in PHP and generate hash, if hash is the same of stored in MySQL, login. But I don't know the reason for this idea, and the best practices for encript password and store in MYSQL.

I can simply register password into MySQL, but I preffer encript it.

I know that the discussions for it can help other users and be usefull to generate a new tutorial.

Hi,

for encode you password, you can use Kyatric plugin : https://www.scirra.com/tutorials/50/cb- ... algorithms

But if you want a secure login/Sign up system, i recommand for you this product : https://www.scirra.com/store/construct2 ... ystem-2257

Hi,

for encode you password, you can use Kyatric plugin : https://www.scirra.com/tutorials/50/cb- ... algorithms

But if you want a secure login/Sign up system, i recommand for you this product : https://www.scirra.com/store/construct2 ... ystem-2257

Thanks, — <img src="{SMILIES_PATH}/icon_e_smile.gif" alt=":)" title="Smile">

I need hash the password from app's field before send to database? How this can work?

For more security, you can use this plugin to do ajax requests : plugin-ajax-rsa_t94880

To hash pasword, you can use Kyatric plugin expressions. The plugin has lot of methods like you can see here : http://enjoycss.com/bg-img/custom/22725-ax2nzp.PNG

You can use for example MD5 method. If your password is "construct2", you send to you php file "CBHash.MD5("Construct2")" then the php file check if this is equal to the password registred in database.

Put you password in one of this expressions and you password will be hashed !

I recomman you to read Kyatric tutorial to know mroe about hashing methods.

Sorry for my bad english...

No, I mean like where are your SQL database and Php files hosted.

—, I don't want buy a login/register system, but create my own and share for free for other people, thanks for the suggestion. Very good idea about MD5, is this the best algorithm or SHA? Is more secure send a hash in network than a plain password? Why? As I know, password needs be stored as encripted in database, I'm confused.

Whiteclaws I can't understand. SQL database is in Vertrigo's PHPMyAdmin, and the php files in www folder. All in my localhost and port 81.

— Yes, like you say : password needs be stored as encripted in database.

For information, SHA512 algorithm is the best.. But the time taken to encrypt is longer than MD5 or other algorithm.

Now let's explain how to do this.

1. First, a person creates an account with username and password. Let's take for example, username : "Daniel" and password "Construct2".

When this person click on the "Sign Up" button, you send this information to your php file.

2. Your php file encypt your password with this function

string hash ( string $algo , string $data [, bool $raw_output = false ] )[/code:2bbf67t1] 
and registers this information into your database. (see more in [url=http://php.net/manual/fr/function.hash.php]php manual[/url])

3. Now your account is created.

4. The next time, when user wants login, he enter his password and his username. When he click on login button, your Construct2 app sends this information to your php file.

5. Your php file (with sql language) retrieves from your database the encrypted password corresponding to the username.

6. Your php file encrypts the password sent (when you click on login) and compares it to the registred password (retrieved in the step 5).

7. If the encrypted passwords are equals, the user can connect, else the user can't login.

Hi guys,

— describes the way for login and regestation really good.

A similar tutorial already exists:

https://www.scirra.com/tutorials/525/simple-login-using-a-mysql-database

with the exception that the password is not encrypted. But for a simple server system also is not forcibly required because if someone has already accessed the database, then you have other problems ...

For good programming would not use GET but rather POST-Methodes. This is due to that a GET request is parsed on the URL (if the request is via a <form> tag). Would you now send this link to your friend or else the other have your login data unencrypted.

If you send the GET-Methode via AJAX you get not a new parsed URL. GET is also processed a little faster than POST. I think therefore GET was used in the example.

If someone listens to the connection (Like "man-in-the-middle-attack") it does not matter whether the request will be sent via GET or POST. For something like this it is good the variables for login data not call "PW" or "password" or similar. A hacker would look for it first. And use a SSL connection as already said. But even this is not always safe against "man-in-the-middle-attack".

What really matters is,

Save your server against harmful inputs!!!

And that's also pretty easy. Please read this tutorial:

http://www.w3schools.com/php/php_form_validation.asp

And

prevent the download of critical data (e.g. database)

The encryption via JavaScript you need it for storrage the password local (e.g. cookie, sessionStorage)

But should use with care!!! Passwords should never be stored ...

For a top secure server it requires much more.

All datas on the server have to be safe although a person has access to the server data.

Then begins:

-server cascade

-encrypted programcode (to safe the decoding of your data)

-encrypted database (illogical data input)

-database cascade

-a combination of password and token (token=temporary password)

-person tracking (to be sure the logging user is really the registered user)

-attack logs (banned hacker from server and identify attack strategies -> safe it)

... and everything one can think of

And very important:

Thinking never your server is secure!

... I hope my english was polite and understandable.

Whiteclaws, —, BillAlex, thanks for all!

Soon I'll think to implement it.

Whats your final considerations?

Look into PHP https and SSL, Idk dude, maybe Let's Encrypt as a certificate authority

Learn SSL, Embrace SSL, Adore SSL

Look into PHP https and SSL, Idk dude, maybe Let's Encrypt as a certificate authority

Learn SSL, Embrace SSL, Adore SSL

Using https in a ngork's tunnel isn't enought? I need use my own SSL certificate?

ngrok uses Https, only with their own certificates, if you want to launch your own app, you'll need your own certificate,

use whatever works best for you, as long as it implements TLS/SSL, you'll be fine.