[DUG] How to make secure MySQL

David Moorhouse David.Moorhouse at pegasus.org.nz
Mon Aug 20 17:23:30 NZST 2018


Hi John

You need to understand what you are trying to protect before rushing to code.  Three immediate points that come to mind are:

· You are using a deprecated hashing algorithm; google “MD5 security” to find a better alternative.

· You have your hashing routine on the client where any threat agent can play with it, which kind of defeats the effort.  You should also google “crypto salt” to see the type of thing you need to be doing if you want to use a hash (which should not be exposed at the browser / JS level).

· Finally, HTTPS is a must if you are sending sensitive info such as user passwords across the wire.  Modern browsers will enforce this.

Cheers

D

P.S. Is this homework, or a commercial project?

David Moorhouse (BCom) | Principal Software Engineer - HealthOne
Pegasus Health (Charitable) Ltd
P: 03 353 0871 | W: www.pegasus.org.nz
E: david.moorhouse at pegasus.org.nz
PO Box 741, Christchurch 8140
401 Madras St, Christchurch 8013




From: delphi-bounces at listserver.123.net.nz [mailto:delphi-bounces at listserver.123.net.nz] On Behalf Of jc at magicweb.nz
Sent: Monday, 20 August 2018 5:07 p.m.
To: 'NZ Borland Developers Group - Delphi List'
Subject: Re: [DUG] How to make secure MySQL

Hi all

I think I found a solution for this: encrypting BEFORE sending a password and username to the server. The following code encrypts the password (using md5) before it is POSTed to the server. Any good?

Or is this whole scenario covered by an SSL Certification module?

John C



------------------------------------------------------------------------

CODE

------------------------------------------------------------------------



<html>
<head>
<script src="md5.js" language="javascript" > alert("md5.js script loaded"); </script>
<script language="javascript" type="text/javascript">
<!--
function doLogin()
{
  document.formname.hash.value=MD5(document.formname.password.value);
  document.formname.password.value = "";
  document.formname.submit();
}
// -->
</script>
</head>
<body>
<form name="formname" method="GET" action="somefile.php" >
Username<input type="text" name="username" size="9" maxlength="15"> Password<input type="password" name="password" value="" size="9" maxlength="70"> <input onClick="doLogin(); return true;" type="submit" value="Login"> <input type="hidden" name="hash" value="">
</form>
</body>
</html>



