Cory94bailly Posted April 13, 2009

I have a program (made in Visual Basic) and I want to check if the user IS who they say they are.. I want to check their username/password, their IP address, and their hdd serial.

How should I do the connection(s) and everything?

First I want them to put in their username/password, it checks in with mysql, then if their hdd serial is not in the db yet, I want to alert them that it will be the one in the database.. If they say yes, I want it to insert their current serial, if they decline, it just closes the program..

Now if their hdd serial IS in the db already, I first want to check the user's username/password, their IP, then the serial.. If the username/pass are right but the ip and/or serial are not the same as the info in the db, I want to lock the account and warn the user.

Now how would I go into doing all this? I can connect straight from the program to a mysql database and put in queries to run.. What should I do from there? I was thinking $_GET variables and having the program check the code(s) that the site outputs.

Thanks for any information. (Sorry if I posted in the wrong spot, please move it if I did..)

corbin Posted April 15, 2009

Without getting further details and actually trying to help, I have to get the obvious out of the way... You do realize that your design will never work, yes? It would be easy to spoof a HDD serial.

But anyway, the program should definitely not connect straight to MySQL. It should have some kind of gateway, sort of like an API of sorts. You could use a simple PHP script, or you could write a program in C/Java/whatever that is just a simple socket server that listens for commands.

Cory94bailly Posted April 15, 2009 (Author)

> Without getting further details and actually trying to help, I have to get the obvious out of the way... You do realize that your design will never work, yes? It would be easy to spoof a HDD serial.
>
> But anyway, the program should definitely not connect straight to MySQL. It should have some kind of gateway, sort of like an API of sorts. You could use a simple PHP script, or you could write a program in C/Java/whatever that is just a simple socket server that listens for commands.

Well right now, I have a php script set up to do like login.php?logincheck=1&username=UserName&password=PassWord and the script says either 1 or nothing at all.. I was thinking of having the program get the source of the site and if it is equal to "1", it will keep running..

And by spoof, do you mean make it a random one or make it the exact same as somebody else's? If you mean random, the user would never get access to the program then.. If they can make it the exact same, they would also need the same EXACT ip address and need to get the username/password right..

I only know how to code in VB.net (Visual Basic).. There is an addon to make it connect to the db directly and send/receive commands..

Also, I really would love to have the program connect DIRECTLY to the server with a server-side program (written in C++ or C# or whatever..) but I don't know those languages (yet) and with my luck, I would probably leave a huge security hole..

Does anybody have suggestions/examples for server-side checking scripts?

corbin Posted April 16, 2009

What I meant by spoof was this: If you're trying to bind to a hardware ID, obviously you want it limited to one computer. What if someone behind a router has two computers (hence the same IP, and he/she would know the username/password), and he/she spoofs the hardware ID on one of them? You would be getting cheated out of a computer.

Your PHP script way should essentially have the same effect... But err... A server side program connect to the server? Do you mean have a daemon on the server that has a sole purpose of listening for auth requests? That shouldn't be too hard to code in any language unless you plan on going full out and making it multithreaded with a threadpool, thread management and so on.
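
One way to write the PHP gateway script discussed in this thread, covering the enroll and lock flow from the first post; it is an added example, not code posted by either participant. The function name `check_login`, the `users` table layout, the status strings and the in-memory SQLite database standing in for MySQL are all assumptions.

```php
<?php
// Added example; table layout, column names and status strings are assumptions.
function check_login(PDO $db, string $user, string $pass, string $ip, string $serial, bool $enroll = false): string
{
    // Prepared statement: client input never becomes part of the SQL text.
    $st = $db->prepare('SELECT id, pass_hash, ip, hdd_serial, locked FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password get the same answer.
    if (!$row || !password_verify($pass, $row['pass_hash'])) {
        return 'denied';
    }
    if ($row['locked']) {
        return 'locked';
    }
    if ($row['hdd_serial'] === null) {
        if (!$enroll) {
            return 'enroll_needed'; // client asks the user, then repeats the call with $enroll = true
        }
        $db->prepare('UPDATE users SET hdd_serial = ?, ip = ? WHERE id = ?')
           ->execute([$serial, $ip, $row['id']]);
        return 'ok';
    }
    // The serial is whatever the client reports, so a match is a hint, not proof of the machine.
    if (!hash_equals($row['hdd_serial'], $serial) || $row['ip'] !== $ip) {
        $db->prepare('UPDATE users SET locked = 1 WHERE id = ?')->execute([$row['id']]);
        return 'locked';
    }
    return 'ok';
}

// Constructed demo data; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT, ip TEXT, hdd_serial TEXT, locked INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// In a deployed script: credentials from $_POST over HTTPS, IP from $_SERVER['REMOTE_ADDR'].
$calls = [
    ['alice', 'wrong',         '203.0.113.5', 'SER-A', false], // bad password
    ['alice', 'correct horse', '203.0.113.5', 'SER-A', false], // no serial stored yet
    ['alice', 'correct horse', '203.0.113.5', 'SER-A', true],  // user agreed to enroll
    ['alice', 'correct horse', '203.0.113.5', 'SER-A', false], // normal login
    ['alice', 'correct horse', '203.0.113.5', 'SER-B', false], // serial mismatch
    ['alice', 'correct horse', '203.0.113.5', 'SER-A', false], // account stays locked
];
foreach ($calls as $c) {
    echo check_login($db, ...$c), "\n";
}
```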