[DUG] How to make secure MySQL
David Moorhouse
delphi at moorhouse.net.nz
Mon Aug 20 19:37:19 NZST 2018
I recommend you take a look at the OWASP site
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project to get a
better idea of what you need to be concentrating on. There are loads of
other resources on that site to help gain a better understanding of what
you are up against.
Use a pre-rolled JavaScript library to handle the client side, and a
well-understood and supported server-side library.
Asking a series of questions on a low frequency message list is a slow
way of building knowledge.
Good luck
David
On 20/08/18 17:40, jc at magicweb.nz wrote:
>
> Hi David
>
> Thanks for your comment.
>
> You wrote:
>
> HTTPS is a must if you are sending sensitive info such as user
> passwords across the wire. Modern browsers will enforce this.
>
> Does that mean that HTTPS is taking care of this issue?
>
> FYI: yes, it is a commercial project
>
> John
>
> From: delphi-bounces at listserver.123.net.nz On Behalf Of David Moorhouse
> Sent: Monday, 20 August 2018 5:24 PM
> To: NZ Borland Developers Group - Delphi List <delphi at listserver.123.net.nz>
> Subject: Re: [DUG] How to make secure MySQL
>
> Hi John
>
> You need to understand what you are trying to protect before rushing
> to code. Three immediate points that come to mind are:
>
> * You are using a deprecated hashing algorithm, google “MD5
> security” to find a better alternative
> * You have your hashing routine on the client where any threat agent
> can play with it, which kind of defeats the effort. You should
> also google “crypto salt” to see the type of thing you need to be
> doing if you want to use a hash (which should not be exposed at
> the browser / JS level).
> * Finally, HTTPS is a must if you are sending sensitive info such as
> user passwords across the wire. Modern browsers will enforce this.
>
> Cheers
>
> D
>
> P.S. is this homework, or a commercial project ?
>
> David Moorhouse (BCom) | Principal Software Engineer - HealthOne
> Pegasus Health (Charitable) Ltd
>
> P: 03 353 0871 | W: www.pegasus.org.nz
> E: david.moorhouse at pegasus.org.nz
> PO Box 741, Christchurch 8140
> 401 Madras St, Christchurch 8013
>
>
> From: delphi-bounces at listserver.123.net.nz On Behalf Of jc at magicweb.nz
> Sent: Monday, 20 August 2018 5:07 p.m.
> To: 'NZ Borland Developers Group - Delphi List'
> Subject: Re: [DUG] How to make secure MySQL
>
> Hi all
>
> I think I found a solution for this: encrypting BEFORE sending the
> password and username to the server. The following code encrypts the
> password (using MD5) before it is POSTed to the server. Any good?
>
> Or is this whole scenario covered by an SSL Certification module?
>
> John C
>
> ------------------------------------------------------------------------
>
> CODE
>
> ------------------------------------------------------------------------
>
> <html>
> <head>
> <!-- A script element with a src attribute ignores its inline content,
>      so the "loaded" alert is in its own element; otherwise it never runs. -->
> <script src="md5.js"></script>
> <script>alert("md5.js script loaded");</script>
>
> <script>
> // Replace the plaintext password with its MD5 digest, then submit the
> // form (the client-side hashing scheme under discussion in this thread).
> function doLogin()
> {
>     document.formname.hash.value = MD5(document.formname.password.value);
>     document.formname.password.value = "";
>     document.formname.submit();
> }
> </script>
> </head>
> <body>
>
> <!-- method="POST" as described above (the original said GET, which
>      would also put the hash in the URL). The button is type="button"
>      so the form is submitted once, by doLogin(), not a second time
>      by the browser's default submit action. -->
> <form name="formname" method="POST" action="somefile.php">
> Username <input type="text" name="username" size="9" maxlength="15">
> Password <input type="password" name="password" value="" size="9" maxlength="70">
> <input type="button" onclick="doLogin();" value="Login">
> <input type="hidden" name="hash" value="">
> </form>
>
> </body>
> </html>
>
> _______________________________________________
> NZ Borland Developers Group - Delphi mailing list
> Post: delphi at listserver.123.net.nz
> Admin: http://delphi.org.nz/mailman/listinfo/delphi
> Unsubscribe: send an email to delphi-request at listserver.123.net.nz with Subject: unsubscribe