Search Unity

  1. Megacity Metro Demo now available. Download now.
    Dismiss Notice
  2. Unity support for visionOS is now available. Learn more in our blog post.
    Dismiss Notice

Problem with md5 (hash != real_hash)

Discussion in 'Editor & General Support' started by Murdokiler, Feb 22, 2011.

  1. Murdokiler

    Murdokiler

    Joined:
    Feb 22, 2011
    Posts:
    8
    Hi!

    I have a problem with Online High Score Script of the Wiki. The problem is to the check of hash with the real hash in addscore.php.

    If I delete "if" conditional in the script, and not check hash with real_hash, the score is recorded in db correctly.

    Thanks, and sorry for my english.

    HSController.cs

    Code (csharp):
    1. using UnityEngine;
    2. using System.Collections;
    3.  
    4.  
    5. public class HSControl : MonoBehaviour {
    6.  
    7. private string secretKey="mySecretKey"; // Edit this value and make sure it's the same as the one stored on the server
    8. string addScoreUrl = "http://www.server.com/addscore.php?"; //be sure to add a ? to your url
    9. string highscoreUrl = "http://www.server.com/display.php";
    10. private string nam = "pruebaHash2";
    11.     private int sc = 109991;
    12.  
    13. void Start() {
    14.    // getScores();
    15.     StartCoroutine(postScore(nam, sc));
    16. }
    17.  
    18. IEnumerator postScore(string name, int score) {
    19.     //This connects to a server side php script that will add the name and score to a MySQL DB.
    20.     // Supply it with a string representing the players name and the players score.
    21.    // Md5Sum hash=new Md5.Md5Sum(name + score + secretKey);
    22.     string hash = Md5Sum(name.ToString() + score.ToString() + secretKey);
    23.     Debug.Log(hash);
    24.  
    25.     string highscore_url = addScoreUrl + "name=" + name + "&score=" + score + "&hash=" + hash;
    26.        
    27.     // Post the URL to the site and create a download object to get the result.
    28.     WWW hs_post = new WWW(highscore_url);
    29.     yield return hs_post; // Wait until the download is done
    30.     if(hs_post.error != null) {
    31.         print("There was an error posting the high score: " + hs_post.error);
    32.     }
    33. }
    34.  
    35. // Get the scores from the MySQL DB to display in a GUIText.
    36. IEnumerator getScores() {
    37.     gameObject.guiText.text = "Loading Scores";
    38.     WWW hs_get = new WWW(highscoreUrl);
    39.     yield return hs_get;
    40.    
    41.     if(hs_get.error != null) {
    42.         print("There was an error getting the high score: " + hs_get.error);
    43.     } else {
    44.         gameObject.guiText.text = hs_get.text; // this is a GUIText that will display the scores in game.
    45.     }
    46. }
    47.  
    48. static string Md5Sum(string strToEncrypt)
    49. {
    50.     System.Text.UTF8Encoding ue = new System.Text.UTF8Encoding();
    51.     byte[] bytes = ue.GetBytes(strToEncrypt);
    52.  
    53.     // encrypt bytes
    54.     System.Security.Cryptography.MD5CryptoServiceProvider md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
    55.     byte[] hashBytes = md5.ComputeHash(bytes);
    56.  
    57.     // Convert the encrypted bytes back to a string (base 16)
    58.     string hashString = "";
    59.  
    60.     for (int i = 0; i < hashBytes.Length; i++)
    61.     {
    62.         hashString += System.Convert.ToString(hashBytes[i], 16).PadLeft(2, '0');
    63.     }
    64.  
    65.     return hashString.PadLeft(32, '0');
    66. }
    67. }
    addscore.php

    Code (csharp):
    1. <?php
    2.         $db = mysql_connect(server,user,pass') or die('Could not connect: ' . mysql_error());
    3.        mysql_select_db('mydb') or die('Could not select database');
    4.  
    5.        // Strings must be escaped to prevent SQL injection attack.
    6.        $name = mysql_real_escape_string($_GET['name'], $db);
    7.        $score = mysql_real_escape_string($_GET['score'], $db);
    8.        $hash = $_GET['hash'];
    9.  
    10.        $secretKey="mySecretKey"; # Change this value to match the value stored in the client javascript below
    11.        
    12.    
    13.    
    14.  
    15.        $real_hash = md5($name . $score . $secretKey);
    16.    
    17.        if($real_hash == $hash) {
    18.            // Send variables for the MySQL database class.
    19.            $query = "insert into scores values (NULL, '$name', '$score');";
    20.            $result = mysql_query($query) or die('Query failed: ' . mysql_error())
    21.        }
    22. ?>
     
    nx-sm likes this.
  2. Murdokiler

    Murdokiler

    Joined:
    Feb 22, 2011
    Posts:
    8
    I tried to use only one variable to save in DB, and the result is same. Hash is not equal to real_hash when tested in addscore.php file.

    However, if not use the verification of hash with real hash, the connection to the database and writing data is correct.

    Why the hash sent not is equal to generated by the php file? Where am I failing?

    Thanks!
     
    nx-sm likes this.
  3. nx-sm

    nx-sm

    Joined:
    Jul 4, 2015
    Posts:
    10
    Did you found the fix ? I am having this problem right now and I can't believe still nobody replied here :/ ..
    Is it something to do with server side missing some support for md5 or..?
     
  4. Apparaten_

    Apparaten_

    Joined:
    Jul 9, 2013
    Posts:
    45
    Not to be rude or anything but "Security by obscurity" is not a very good practice, this code could easily be tampered with through some IL-Code reading to mess with the results.

    as an answer to your question regarding the faulty hashes, it could be something regarding Encoding, and sending through the web via the query string.

    The hasher can be hashing some chars that are not supported,
    read http://www.w3schools.com/tags/ref_urlencode.asp and check the Gûnther example.
     
  5. nx-sm

    nx-sm

    Joined:
    Jul 4, 2015
    Posts:
    10
    Thank you for the reply! Could you please suggest another way of doing this ?
     
  6. wahyuway

    wahyuway

    Joined:
    Oct 7, 2013
    Posts:
    84
    sorry to bump this.
    Been around to solve and tried all the script i've found on google. But still nothing. md5 hash c# and php still not match. Any other to solve this?
     
  7. ArachnidAnimal

    ArachnidAnimal

    Joined:
    Mar 3, 2015
    Posts:
    1,760
    Is it possible the hash is taking into consideration the modified date of the file? In some systems the modified date / file creation date is considered in the hash value of a file. I don't know if this applies to your situation or not.