<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle28
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:210725364;
mso-list-type:hybrid;
mso-list-template-ids:255104746 336134145 336134147 336134149 336134145 336134147 336134149 336134145 336134147 336134149;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-NZ" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi John<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">You need to understand what you are trying to protect before rushing to code. Three immediate points that come to mind are:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">You are using a deprecated hashing algorithm, google “MD5 security” to find a better alternative<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">You have your hashing routine on the client where any threat agent can play with it, which kind of defeats the effort. You should also google “crypto salt” to see the type of thing you need to be doing
if you want to use a hash (which should not be exposed at the browser / JS level).<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">Finally HTTPS is a must if you are sending sensitive info such as user passwords across the wire. Modern browsers will enforce this.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">D<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">P.S. is this homework, or a commercial project ?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td width="357" valign="top" style="width:267.65pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F">David Moorhouse (BCom)</span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F"> |
<b>Principal Software Engineer - HealthOne</b><br>
Pegasus Health (Charitable) Ltd </span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F">P: 03 353 0871 | W: </span><span style="color:#1F497D"><a href="http://www.pegasus.org.nz/"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F">www.pegasus.org.nz</span></a></span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F"> <br>
E: </span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><a href="mailto:david.moorhouse@pegasus.org.nz"><span style="color:blue">david.moorhouse@pegasus.org.nz</span></a></span><u><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F"><br>
</span></u><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F">PO Box 741, Christchurch 8140<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#47678F">401 Madras St, Christchurch 8013</span><b><span style="color:#47678F;mso-fareast-language:EN-US"><o:p></o:p></span></b></p>
</td>
<td width="259" valign="top" style="width:194.45pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="color:#1F497D"><img border="0" width="240" height="76" id="Picture_x0020_1" src="cid:image001.jpg@01D438AA.82A20900" alt="cid:image003.jpg@01CEE516.6F544D00"></span><b><span style="color:#47678F;mso-fareast-language:EN-US"><o:p></o:p></span></b></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> delphi-bounces@listserver.123.net.nz [mailto:delphi-bounces@listserver.123.net.nz]
<b>On Behalf Of </b>jc@magicweb.nz<br>
<b>Sent:</b> Monday, 20 August 2018 5:07 p.m.<br>
<b>To:</b> 'NZ Borland Developers Group - Delphi List'<br>
<b>Subject:</b> Re: [DUG] How to make secure MySQL<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">Hi all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">I think I found a solution for this encrypting BEFORE sending a password and username to the server. The following code encrypts the password (using md5) before it is POSTed to the server. Any good?<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Or is this whole scenario covered by an SSL Certification module?<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">John C <o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">------------------------------------------------------------------------<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">CODE<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">------------------------------------------------------------------------<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><html><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><head><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><script src="md5.js" language="javascript" > alert("md5.js script loaded"); </script><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><script language="javascript" type="text/javascript"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><!--<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">function doLogin()<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">{<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> document.formname.hash.value=MD5(document.formname.password.value);<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> document.formname.password.value = "";<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> document.formname.submit();<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">}<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">// --><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"></script><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><form name="formname" method="GET" action="somefile.php" ><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Username<input type="text" name="username" size="9" maxlength="15"> Password<input type="password" name="password" value="" size="9" maxlength="70"> <input onClick="doLogin(); return true;" type="submit" value="Login">
<input type="hidden" name="hash" value=""><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"></form><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"></body><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"></html><o:p></o:p></span></p>
<p class="MsoPlainText" style="mso-margin-top-alt:0cm;margin-right:36.0pt;margin-bottom:5.0pt;margin-left:36.0pt">
<span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<P><FONT color=#47678f size=2
face=Arial>*****************************************************</FONT></P>
<P><FONT color=#47678f size=2 face=Arial>This email or attachment(s) may contain
confidential or legally privileged information intended for the sole use of the
addressee(s). Any use, redistribution, disclosure, or reproduction of this
message, except as intended, is prohibited. If you received this email in error,
please notify the sender and erase all copies of the message, including any
attachments.</FONT></P>
<P><FONT color=#47678f size=2 face=Arial>Any views or opinions expressed in this
email (unless otherwise stated) may not represent those of Pegasus Health
Ltd.</FONT></P>
<P><FONT color=#47678f size=2
face=Arial>**********************************************************</FONT></P>
</body>
</html>