<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I recommend you take a look at the
OWASP site
<a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project</a> to
get a better idea of what you need to be concentrating on. There
are loads of other resources on that site to help gain a better
understanding of what you are up against.<br>
Use a pre-rolled JavaScript library to handle the client side, and a
well-understood and supported server-side library.<br>
<br>
Asking a series of questions on a low-frequency message list is a
slow way of building knowledge.<br>
<br>
Good luck<br>
<br>
David<br>
<br>
<br>
<br>
On 20/08/18 17:40, <a class="moz-txt-link-abbreviated" href="mailto:jc@magicweb.nz">jc@magicweb.nz</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:001c01d43848$4cc66c20$e6534460$@magicweb.nz">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">Hi
David<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">Thanks
for your comment.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">You
wrote:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ">HTTPS is a must if you are sending sensitive
info such as user passwords across the wire. Modern
browsers will enforce this.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ">Does that mean that HTTPS is taking care of this
issue?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ">FYI: yes, it is a commercial project.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"
lang="EN-NZ">John<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b>
<a class="moz-txt-link-abbreviated" href="mailto:delphi-bounces@listserver.123.net.nz">delphi-bounces@listserver.123.net.nz</a>
<a class="moz-txt-link-rfc2396E" href="mailto:delphi-bounces@listserver.123.net.nz"><delphi-bounces@listserver.123.net.nz></a> <b>On Behalf
Of </b>David Moorhouse<br>
<b>Sent:</b> Monday, 20 August 2018 5:24 PM<br>
<b>To:</b> NZ Borland Developers Group - Delphi List
<a class="moz-txt-link-rfc2396E" href="mailto:delphi@listserver.123.net.nz"><delphi@listserver.123.net.nz></a><br>
<b>Subject:</b> Re: [DUG] How to make secure MySQL<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ">Hi
John<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ">You
need to understand what you are trying to protect before
rushing to code. Three immediate points that come to mind
are:<o:p></o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0cm;mso-list:l0 level1
lfo2"><span lang="EN-NZ">You are using a deprecated hashing
algorithm; google “MD5 security” to find a better
alternative.<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0cm;mso-list:l0 level1
lfo2"><span lang="EN-NZ">You have your hashing routine on
the client where any threat agent can play with it, which
kind of defeats the effort. You should also google
“crypto salt” to see the type of thing you need to be
doing if you want to use a hash (which should not be
exposed at the browser / JS level).<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0cm;mso-list:l0 level1
lfo2"><span lang="EN-NZ">Finally, HTTPS is a must if you are
sending sensitive info such as user passwords across the
wire. Modern browsers will enforce this.<o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ">D<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ">P.S.
Is this homework, or a commercial project?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ"><o:p> </o:p></span></p>
<div>
<table class="MsoNormalTable" style="border-collapse:collapse"
cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td style="width:267.65pt;padding:0cm 5.4pt 0cm 5.4pt"
width="357" valign="top">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F">David
Moorhouse (BCom)</span></b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F">
| <b>Principal Software Engineer - HealthOne</b><br>
Pegasus Health (Charitable) Ltd <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F">P:
03 353 0871 | W: </span><span
style="color:#1F497D"><a
href="http://www.pegasus.org.nz/"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F">www.pegasus.org.nz</span></a></span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F"> <br>
E: </span><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D"><a
href="mailto:david.moorhouse@pegasus.org.nz"
moz-do-not-send="true"><span style="color:blue">david.moorhouse@pegasus.org.nz</span></a></span><u><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F"><br>
</span></u><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F">PO
Box 741, Christchurch 8140<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#47678F">401
Madras St, Christchurch 8013</span><b><span
style="color:#47678F"><o:p></o:p></span></b></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-NZ"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> <a
href="mailto:delphi-bounces@listserver.123.net.nz"
moz-do-not-send="true">delphi-bounces@listserver.123.net.nz</a>
[<a href="mailto:delphi-bounces@listserver.123.net.nz"
moz-do-not-send="true">mailto:delphi-bounces@listserver.123.net.nz</a>]
<b>On Behalf Of </b><a href="mailto:jc@magicweb.nz"
moz-do-not-send="true">jc@magicweb.nz</a><br>
<b>Sent:</b> Monday, 20 August 2018 5:07 p.m.<br>
<b>To:</b> 'NZ Borland Developers Group - Delphi List'<br>
<b>Subject:</b> Re: [DUG] How to make secure MySQL<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-NZ"><o:p> </o:p></span></p>
<p class="MsoNormal">Hi all<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">I think I found a solution for this:
encrypting BEFORE sending a password and username to the
server. The following code encrypts the password (using MD5)
before it is POSTed to the server. Any good?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Or is this whole scenario covered by an
SSL Certification module?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">John C <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">------------------------------------------------------------------------<o:p></o:p></p>
<p class="MsoPlainText">CODE<o:p></o:p></p>
<p class="MsoPlainText">------------------------------------------------------------------------<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">&lt;html&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;head&gt;<o:p></o:p></p>
<p class="MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class="MsoPlainText">&lt;!-- md5.js is expected to define a global MD5(string) function. A script element with a src attribute ignores any inline content, so the "loaded" check must sit in its own element. --&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;script src="md5.js"&gt;&lt;/script&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;script&gt;alert("md5.js script loaded");&lt;/script&gt;<o:p></o:p></p>
<p class="MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class="MsoPlainText">&lt;script&gt;<o:p></o:p></p>
<p class="MsoPlainText">// Runs from the form's onsubmit: copies the MD5 digest of the password into the hidden "hash" field, blanks the plaintext field, and returns true so the browser performs the single normal submission.<o:p></o:p></p>
<p class="MsoPlainText">function doLogin()<o:p></o:p></p>
<p class="MsoPlainText">{<o:p></o:p></p>
<p class="MsoPlainText">&nbsp;&nbsp;document.formname.hash.value = MD5(document.formname.password.value);<o:p></o:p></p>
<p class="MsoPlainText">&nbsp;&nbsp;document.formname.password.value = "";<o:p></o:p></p>
<p class="MsoPlainText">&nbsp;&nbsp;return true;<o:p></o:p></p>
<p class="MsoPlainText">}<o:p></o:p></p>
<p class="MsoPlainText">&lt;/script&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;/head&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;body&gt;<o:p></o:p></p>
<p class="MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class="MsoPlainText">&lt;!-- POST, not GET: with GET the hash would land in the URL, browser history and server logs --&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;form name="formname" method="POST" action="somefile.php" onsubmit="return doLogin();"&gt;<o:p></o:p></p>
<p class="MsoPlainText">Username &lt;input type="text" name="username" size="9" maxlength="15"&gt;<o:p></o:p></p>
<p class="MsoPlainText">Password &lt;input type="password" name="password" value="" size="9" maxlength="70"&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;input type="submit" value="Login"&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;input type="hidden" name="hash" value=""&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;/form&gt;<o:p></o:p></p>
<p class="MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class="MsoPlainText">&lt;/body&gt;<o:p></o:p></p>
<p class="MsoPlainText">&lt;/html&gt;<o:p></o:p></p>
<p class="MsoPlainText"
style="mso-margin-top-alt:0cm;margin-right:36.0pt;margin-bottom:5.0pt;margin-left:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: <a class="moz-txt-link-abbreviated" href="mailto:delphi@listserver.123.net.nz">delphi@listserver.123.net.nz</a>
Admin: <a class="moz-txt-link-freetext" href="http://delphi.org.nz/mailman/listinfo/delphi">http://delphi.org.nz/mailman/listinfo/delphi</a>
Unsubscribe: send an email to <a class="moz-txt-link-abbreviated" href="mailto:delphi-request@listserver.123.net.nz">delphi-request@listserver.123.net.nz</a> with Subject: unsubscribe</pre>
</blockquote>
<p><br>
</p>
</body>
</html>