<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:"Calibri",sans-serif;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma",sans-serif;}
span.EmailStyle23
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle24
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle25
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle26
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle27
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
span.EmailStyle28
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle29
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
span.EmailStyle32
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:210725364;
        mso-list-type:hybrid;
        mso-list-template-ids:255104746 336134145 336134147 336134149 336134145 336134147 336134149 336134145 336134147 336134149;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'>Hi David<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'>Thanks for your comment.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'>You wrote:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:18.0pt'><span lang=EN-NZ style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'>HTTPS is a must if you are sending sensitive info such as user passwords across the wire.&nbsp; Modern browsers will enforce this.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'>Does that mean that HTPS is taking care of this issue?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ 
style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'>FYI: yes, it is a commercial project <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%'>John<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> delphi-bounces@listserver.123.net.nz &lt;delphi-bounces@listserver.123.net.nz&gt; <b>On Behalf Of </b>David Moorhouse<br><b>Sent:</b> Monday, 20 August 2018 5:24 PM<br><b>To:</b> NZ Borland Developers Group - Delphi List &lt;delphi@listserver.123.net.nz&gt;<br><b>Subject:</b> Re: [DUG] How to make secure MySQL<o:p></o:p></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'>Hi John<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'>You need to understand what you are trying to protect before rushing to code.&nbsp; Three immediate points that come to mind are:<o:p></o:p></span></p><ul 
style='margin-top:0cm' type=disc><li class=MsoListParagraph style='color:#1F497D;margin-left:0cm;mso-list:l0 level1 lfo2'><span lang=EN-NZ>You are using a deprecated hashing algorithm; google “MD5 security” to find a better alternative<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1F497D;margin-left:0cm;mso-list:l0 level1 lfo2'><span lang=EN-NZ>You have your hashing routine on the client where any threat agent can play with it, which kind of defeats the effort: the server then accepts the hash itself as the credential, so anyone who obtains the hash no longer needs the password.&nbsp; You should also google “crypto salt” to see the type of thing you need to be doing if you want to use a hash (which should not be exposed at the browser / JS level).<o:p></o:p></span></li><li class=MsoListParagraph style='color:#1F497D;margin-left:0cm;mso-list:l0 level1 lfo2'><span lang=EN-NZ>Finally, HTTPS is a must if you are sending sensitive info such as user passwords across the wire.&nbsp; Modern browsers will enforce this.<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'>Cheers<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'>D<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'>P.S. 
is this homework, or a commercial project ?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse'><tr><td width=357 valign=top style='width:267.65pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>David Moorhouse (BCom)</span></b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'> | <b>Principal Software Engineer - HealthOne</b><br>Pegasus Health (Charitable)&nbsp;Ltd <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>P: 03 353 0871 |&nbsp;&nbsp; W: &nbsp;</span><span style='color:#1F497D'><a href="http://www.pegasus.org.nz/"><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>www.pegasus.org.nz</span></a></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>&nbsp;<br>E: </span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'><a href="mailto:david.moorhouse@pegasus.org.nz"><span style='color:blue'>david.moorhouse@pegasus.org.nz</span></a></span><u><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'><br></span></u><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>PO Box 741, Christchurch 8140<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>401 Madras St, Christchurch 8013</span><b><span style='color:#47678F'><o:p></o:p></span></b></p></td><td width=259 valign=top style='width:194.45pt;padding:0cm 5.4pt 0cm 5.4pt'><p class=MsoNormal><span style='color:#1F497D'><img border=0 width=240 height=76 style='width:2.5in;height:.7916in' id="Picture_x0020_1" src="cid:image001.jpg@01D438AC.C3F37630" alt="cid:image003.jpg@01CEE516.6F544D00"></span><b><span 
style='color:#47678F'><o:p></o:p></span></b></p></td></tr></table><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'><o:p>&nbsp;</o:p></span></p></div><p class=MsoNormal><span lang=EN-NZ style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> <a href="mailto:delphi-bounces@listserver.123.net.nz">delphi-bounces@listserver.123.net.nz</a> [<a href="mailto:delphi-bounces@listserver.123.net.nz">mailto:delphi-bounces@listserver.123.net.nz</a>] <b>On Behalf Of </b><a href="mailto:jc@magicweb.nz">jc@magicweb.nz</a><br><b>Sent:</b> Monday, 20 August 2018 5:07 p.m.<br><b>To:</b> 'NZ Borland Developers Group - Delphi List'<br><b>Subject:</b> Re: [DUG] How to make secure MySQL<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-NZ><o:p>&nbsp;</o:p></span></p><p class=MsoNormal>Hi all<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoPlainText>I think I found a solution for this: encrypting BEFORE sending a password and username to the server. The following code encrypts the password (using md5) before it is POSTed to the server. 
Any good?<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>Or is this whole scenario covered by an SSL Certification module?<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>John C <o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>------------------------------------------------------------------------<o:p></o:p></p><p class=MsoPlainText>CODE<o:p></o:p></p><p class=MsoPlainText>------------------------------------------------------------------------<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>&lt;html&gt;<o:p></o:p></p><p class=MsoPlainText>&lt;head&gt;<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>&lt;script src=&quot;md5.js&quot; language=&quot;javascript&quot; &gt; alert(&quot;md5.js script loaded&quot;); &lt;/script&gt;<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>&lt;script language=&quot;javascript&quot; type=&quot;text/javascript&quot;&gt;<o:p></o:p></p><p class=MsoPlainText>&lt;!--<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>function doLogin()<o:p></o:p></p><p class=MsoPlainText>{<o:p></o:p></p><p class=MsoPlainText>&nbsp; document.formname.hash.value=MD5(document.formname.password.value);<o:p></o:p></p><p class=MsoPlainText>&nbsp; document.formname.password.value = &quot;&quot;;<o:p></o:p></p><p class=MsoPlainText>&nbsp; document.formname.submit();<o:p></o:p></p><p class=MsoPlainText>}<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>// --&gt;<o:p></o:p></p><p class=MsoPlainText>&lt;/script&gt;<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>&lt;form name=&quot;formname&quot; method=&quot;GET&quot; action=&quot;somefile.php&quot; &gt;<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>Username&lt;input type=&quot;text&quot; 
name=&quot;username&quot; size=&quot;9&quot; maxlength=&quot;15&quot;&gt; Password&lt;input type=&quot;password&quot; name=&quot;password&quot; value=&quot;&quot; size=&quot;9&quot; maxlength=&quot;70&quot;&gt; &lt;input onClick=&quot;doLogin(); return true;&quot; type=&quot;submit&quot; value=&quot;Login&quot;&gt; &lt;input type=&quot;hidden&quot; name=&quot;hash&quot; value=&quot;&quot;&gt;<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>&lt;/form&gt;<o:p></o:p></p><p class=MsoPlainText><o:p>&nbsp;</o:p></p><p class=MsoPlainText>&lt;/body&gt;<o:p></o:p></p><p class=MsoPlainText>&lt;/html&gt;<o:p></o:p></p><p class=MsoPlainText style='mso-margin-top-alt:0cm;margin-right:36.0pt;margin-bottom:5.0pt;margin-left:36.0pt'><o:p>&nbsp;</o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p><span lang=EN-NZ style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>*****************************************************</span><span lang=EN-NZ><o:p></o:p></span></p><p><span lang=EN-NZ style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>This email or attachment(s) may contain confidential or legally privileged information intended for the sole use of the addressee(s). Any use, redistribution, disclosure, or reproduction of this message, except as intended, is prohibited. If you received this email in error, please notify the sender and erase all copies of the message, including any attachments.</span><span lang=EN-NZ><o:p></o:p></span></p><p><span lang=EN-NZ style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>Any views or opinions expressed in this email (unless otherwise stated) may not represent those of Pegasus Health Ltd.</span><span lang=EN-NZ><o:p></o:p></span></p><p><span lang=EN-NZ style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F'>**********************************************************</span><span lang=EN-NZ><o:p></o:p></span></p></div></body></html>