
Saturday, January 28, 2017

Web developers/students: don't save plain passwords in the database. There is a chance of HACKING!


Last week, I checked the source code of a couple of companies' websites to shield them from hacking. I saw that they are using plain passwords (as shown in the screenshot below) in their database. That is, you can see the passwords of all registered users in the database using any database tool such as phpMyAdmin, SQLyog, etc. Note that many users use the same username and password for logging in to multiple websites such as Gmail, OnlineSBI, etc. Thus hackers can easily get into multiple websites using a username and password stolen from a less secure website. So I recommend that all of my readers use different usernames and passwords on different websites.



Now we come to our topic. From time to time, servers and databases are stolen or compromised by hackers all over the world. With this in mind, it is important to ensure that important user data, such as passwords, cannot be recovered. In this tutorial, I will explain how the hashing technique helps us in these situations.
Hashing converts a piece of data (either small or large) into a relatively short piece of data such as a string or an integer.
Normally, all well-known hashing algorithms are "one-way" algorithms, which means they convert your information (say, a password) into a string of alphanumeric characters. md5(), crc32(), etc. are widely used hashing functions.

In PHP, there are many built-in functions for hashing, and their format is very simple compared to other programming languages.
An example PHP hash function is md5(). Please use this code for md5 hashing:

From the screenshot, it is clear that the md5 function converts the information into a 32-character hexadecimal number (digits 0,1,2,3,4,5,6,7,8,9 and characters A,B,C,D,E,F). One hexadecimal character can be represented using 4 bits (i.e. 1=0001 and A=1010), so the md5 result is 128 bits wide.
You cannot reconstruct the original information (pravysoft calicut) from the result (00d79e8e609cfbdf5b75d80fdef96fb4).

[Note: There are actually some hacking strategies to break/interpret md5, but that is out of the scope of this tutorial. Of course, you can send me a request to learn about those techniques!]

User Registration and Login Steps

Now we can check the user registration steps:
1. The user fills in their information in the registration form.
2. It is better to give the password field the type password (<input type="password">).
3. The submitted data is received by the web server.
4. Convert the submitted password to an md5 code. Discard the original password; it is not used anywhere!
5. Save this md5 data in the corresponding field in the database.


Now we can check the steps of the user login process:
1. The registered user types the username and password in the login window.
2. The submitted password is converted to an md5 code using the md5 function.
3. The code compares the usernames as well as the md5-based passwords.
4. If they match, it grants access to the user.

Thus, if a hacker steals the database, they will get only the md5 version of the passwords, not the original secret passwords! Thus the users are protected from password hijackers.

But there is still some chance of hacking a password encrypted using a hashing algorithm. To show a demo I am using another hashing function, crc32() [the md5 code width is 128 bits, so a simulation would take some time; crc32() uses only 32 bits, so its simulation completes faster].


The screenshot below shows the result of the above code.



From the screenshot it is clear that the hash code of the string "PravySoft Calicut" is -332908207. Of course, a hacker who has stolen the database cannot recover the string ("PravySoft Calicut") from this number (-332908207). But he can log in to the website using another password, and that hack is explained below. As you know, crc32 uses 32-bit encoding, so it has only 2 to the power 32 (2^32) combinations. Thus there is a chance that another string produces the same hash code, i.e. -332908207. So any other string that has the same hash code (say, a duplicate) can be used to log in to the website. Use the following code to find a duplicate string:

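<?php
set_time_limit(0);      // the search can run for a long time
$target = -332908207;   // signed 32-bit crc32 code given above
$var = 0;
while (true)  // loop until a duplicate is found
{
    $candidate = base64_encode((string) $var);
    $current_value = crc32($candidate);
    // 64-bit PHP returns crc32() as an unsigned number; convert it to the
    // signed 32-bit form so that it can match the negative target.
    if ($current_value > 0x7FFFFFFF)
    {
        $current_value -= 0x100000000;
    }
    echo "<br>checking value=".$current_value;
    if ($current_value == $target)
    {
        echo "<br>duplicate string is ".$candidate;
        exit;
    }
    $var++;
}
?>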



It will take some time to get the duplicate key/string. After getting the duplicate key, you can check that its hash code and the hash code of your string are equal (i.e. it is the same as the hash code of the example string "PravySoft Calicut"). Thus you can access the website using this duplicate key without knowing the original string.

How can you escape from this type of hacking? The better idea is not to use a low-range hashing algorithm like crc32. It is better to use the md5() or sha1() algorithms. They have 128-bit and 160-bit hash codes respectively, so finding a duplicate key is very difficult and takes a very long time.

Some hacking sites keep a large number of duplicate keys to decode hash codes (the hash code database size is in the range of petabytes, i.e. 1000 terabytes = 1 petabyte). So hackers can find duplicate keys for some hash codes very easily [I am not discussing the websites that store this data (I believe that it is unethical)]. Protecting a website from unauthorized access is therefore also a major problem for web developers. So in the next section we will discuss how you can block duplicate key access to your websites.
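The registration and login steps above, together with the hash-database problem just described, as an added example (not code from the original post): the same flow written with plain md5() and with PHP's built-in password_hash()/password_verify(), which salt every password. The $users arrays stand in for the database table, and the account names and password are constructed sample values.

```php
<?php
// Added example, not the blog's code. The $users arrays stand in for the
// database table; account names and the password are constructed samples.

// Registration as the post describes it: keep only md5(password).
function register_md5(array &$users, string $name, string $password): void {
    $users[$name] = md5($password);
}

// Login: hash the submitted password and compare it with the stored code.
function login_md5(array $users, string $name, string $password): bool {
    return isset($users[$name]) && hash_equals($users[$name], md5($password));
}

// Same flow with PHP's built-in password API: every call generates a random
// salt and stores it inside the returned string.
function register_salted(array &$users, string $name, string $password): void {
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login_salted(array $users, string $name, string $password): bool {
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// Two users who happen to choose the same password.
$md5Table = [];
$saltedTable = [];
foreach (['alice', 'bob'] as $name) {
    register_md5($md5Table, $name, 'Sample-Passw0rd');
    register_salted($saltedTable, $name, 'Sample-Passw0rd');
}

// Unsalted md5: equal passwords give equal stored codes, so one entry in a
// precomputed hash database matches every account that uses that password.
var_dump($md5Table['alice'] === $md5Table['bob']);

// Salted: the stored strings differ per account, so a precomputed table of
// hash codes has nothing to match against.
var_dump($saltedTable['alice'] === $saltedTable['bob']);

// Login checks for both schemes, including a wrong password.
var_dump(login_md5($md5Table, 'alice', 'Sample-Passw0rd'));
var_dump(login_salted($saltedTable, 'bob', 'Sample-Passw0rd'));
var_dump(login_salted($saltedTable, 'bob', 'wrong-password'));
```

password_hash() is also deliberately slow to compute, which raises the cost of guessing passwords against a stolen table; md5() and sha1() are fast general-purpose hashes.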

It is time for a small tea! I will explain some other security issues and ways and means to protect your site from hacking. See you soon in the next post!

Tuesday, May 31, 2016

Simple php script for making Excel files




This tutorial describes a simple way to generate a Microsoft Excel file from a PHP script. As you may have noticed, there are a lot of complicated external libraries for this purpose (like PHPExcel, etc.). Here I describe a simple way to generate Excel files without using any external libraries.

Please copy the following PHP code to your web server and run the file. You will see that a spreadsheet is generated automatically, and you can download it. The contents of the Excel file are the same as those given in the code.


<?php
header("Content-Type: application/vnd.ms-excel");
header("Content-Disposition: attachment; filename=spreadsheet.xls");
// print here what you want to see in Excel, for example:
echo 'First Name' . "\t" . 'Last Name' . "\t" . 'Mobile' . "\n";
echo 'Praveen' . "\t" . 'Thappily' . "\t" . '999999999' . "\n";
?>


I believe that this code is self-explanatory. The file name should be given in the second header line. Here the file name is "spreadsheet.xls". Note that to move to the next Excel column you have to use the tab character ("\t"), and similarly to go to the next row you need to use the newline character ("\n"), as demonstrated above. The figure below shows a typical output Excel file.

You can use the same file to make an Excel file from your database (MySQL or MSSQL): just read the data using a SELECT query and echo the contents. If you have any doubts, please contact us:
info.pravysoft@gmail.com
www.pravysoft.org
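Because a tab starts a new column and a newline starts a new row, values echoed straight from a database can break the sheet layout, and a value beginning with =, +, - or @ is read by Excel as a formula. The following added example (not code from the original post) cleans each cell before output; the $rows array is a constructed stand-in for the result of a SELECT query, and the helper names tsv_cell and tsv_row are hypothetical.

```php
<?php
// Added example, not the blog's code. $rows is constructed sample data that
// stands in for rows fetched with a SELECT query.

// Make one database value safe to place in a tab-separated cell.
function tsv_cell($value): string {
    $text = (string) $value;
    // A tab or line break inside a value would start a new column or row.
    $text = str_replace(["\t", "\r", "\n"], ' ', $text);
    // Excel treats cells that begin with = + - @ as formulas; a leading
    // apostrophe keeps the value from being evaluated.
    if ($text !== '' && strpos('=+-@', $text[0]) !== false) {
        $text = "'" . $text;
    }
    return $text;
}

// Join the cleaned cells of one row with tabs and end the row with a newline.
function tsv_row(array $cells): string {
    return implode("\t", array_map('tsv_cell', $cells)) . "\n";
}

$rows = [
    ['first_name' => 'Praveen', 'last_name' => 'Thappily', 'mobile' => '999999999'],
    ['first_name' => "Line\nBreak", 'last_name' => "Tab\tInside", 'mobile' => '=1+1'],
];

header('Content-Type: application/vnd.ms-excel');
header('Content-Disposition: attachment; filename=spreadsheet.xls');
echo tsv_row(['First Name', 'Last Name', 'Mobile']);
foreach ($rows as $row) {
    echo tsv_row([$row['first_name'], $row['last_name'], $row['mobile']]);
}
```

The apostrophe rule also applies to values such as negative numbers or phone numbers written with a leading +, so those cells arrive in Excel as text.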

Friday, April 15, 2016

How to connect two Bluetooth serial modules




Here we are going to look at how we can connect two Bluetooth serial modules.

Here I am taking the Bluetooth module HC-05 as the example because it is a widely used Bluetooth serial module (Bluetooth SPP). The serial port Bluetooth module has 3Mbps modulation with a complete 2.4GHz radio transceiver and baseband.
HC 05 Module and important pins

Some of the other features of this module are:

  • Up to +4dBm RF transmit power
  • Low power 1.8V operation, 1.8 to 3.6V I/O
  • Default baud rate: 38400, Data bits: 8, Stop bit: 1, Parity: No parity, Data control: has. Supported baud rates: 9600, 19200, 38400, 57600, 115200, 230400, 460800.
  • Given a rising pulse in PIO0, the device will be disconnected.
  • Status instruction port PIO1: low-disconnected, high-connected
  • PIO10 and PIO11 can be connected to red and blue LEDs separately. When master and slave are paired, the red and blue LEDs blink 1 time/2s in interval, while disconnected only the blue LED blinks 2 times/s.
  • Auto-connect to the last device on power as default.
  • Permit pairing device to connect as default. Auto-pairing PINCODE: "0000" as default. Auto-reconnect in 30 min when disconnected as a result of being beyond the range of connection.
  • Bluetooth protocol: Bluetooth Specification v2.0+EDR
  • Frequency: 2.4GHz ISM band
  • Modulation: GFSK (Gaussian Frequency Shift Keying)
  • Emission power: ≤4dBm, Class 2
  • Sensitivity: ≤-84dBm at 0.1% BER
  • Speed: Asynchronous: 2.1Mbps (Max) / 160 kbps, Synchronous: 1Mbps/1Mbps
  • Security: Authentication and encryption
  • Profiles: Bluetooth serial port
  • Power supply: +3.3VDC 50mA
  • Working temperature: -20 ~ +75 Centigrade
  • Dimension: 26.9mm x 13mm x 2.2 mm
You can easily connect your Android phone/PC to this HC-05 module. For that, just power on your HC module, then switch on your PC/phone Bluetooth. Now search from your PC or Android phone; it will show the device name. Select the pair option and give the pairing password. The default password might be 1234 or 0000. If everything is OK, your HC-05's pair LED (if any) will glow.

But if you want to connect two embedded system devices using HC-05, you need to do the following tricks.

 


How to connect two embedded system projects using Bluetooth modules

HC-05 comes from the factory in SLAVE mode; that means a master (Android/PC) can easily manage the connection to the HC slave. But if you are connecting two HC modules, for example to connect two embedded system projects, you need to do some tricks! Otherwise, it will not work.

The reason is that initially both modules are in slave configuration, and slave-slave (or master-master) communication is not possible. So we need to change the mode of one Bluetooth module for the communication.
For this you need the following tools:
  1. TTL to RS232 converter
  2. Terminal software (you can download it from the www.pravysoft.org website)
Normally HC-05 modules are TTL modules, which means that if we connect this module directly to a PC serial port, the RS232 signals from the PC will damage the module. So you should use a TTL to RS232 converter. If you are familiar with the MAX232 chip, you can make this converter using a simple circuit (visit http://pravysoft.blogspot.org for making this module).
HC 05 With built in RS232 PORT


Now you need to connect the RS232 connector to your PC. The latest PCs do not have a serial port (DB9 pin); if so, you need to use an RS232 to USB converter module. Note that you should install the proper drivers for the USB to serial converter to work. You can see the corresponding ports of the USB to serial converter in DEVICE MANAGER as shown in the figure.
Serial to USB convertor (Black) and HC 05 module




Device Manager window to find serial port number

If the port number is greater than COM7, change the port number to a lower one. Otherwise, the terminal software won't detect the port.

Then take your HC05 module and feed 3.3V to its KEY pin (please see the first figure).
Some HC05 RS232 modules come with KEY pins; for those, just place a jumper there.
HC05 with KEY jumper shorted



Open the terminal software and select the correct serial port.
Please note that you should select a baud rate of 38400.

To test whether all connections are OK, just type AT and press Enter.
You will get a continuous OK string; don't worry, please power off your HC05 module and reopen the terminal now.

Connect the module again using the terminal software and send AT+ROLE=1
Terminal software window

If everything is OK, your module becomes MASTER now. To check whether it is master or not, just power on the device and search for it using a phone.
Alternatively, power on another HC module (slave config) and power on the configured HC module; if it is MASTER, it will automatically connect to the slave module (check the PAIR LED status).

TIP: Power on the slave module before the master one for fast pairing.