Delphi SQL protection

Greetings!

I have a Delphi client MySQL login. I am using AnyDAC to manage this.

Now, it all works well, but I'd like it to be secure. I am well aware of security issues and also understand it would be more secure to handle my login via PHP. However, my project will not work this way.

I don't want script kiddies loading my login client and running a sniffer or any kind of application tools to intercept login details from client to MySQL server.

I need some sort of secure code I can put in. One that not only protects data being sent, but also writes it as a "salted" or encrypted password on the SQL database, so not even admins can see it.

In other words, I want it to write them into the database exactly how PHP does it, so passwords can't be seen or sniffed.

The following is my login script using AnyDAC components.


procedure TForm1.Button1Click(Sender: TObject);
var
  Flag: Boolean;
begin
  Flag := True;
  // The credentials typed into the form are used directly as the MySQL account
  // credentials for this connection
  ADConnection1.Params.Values['User_Name'] := username.Text;
  ADConnection1.Params.Values['Password'] := password.Text;
  try
    ADConnection1.Connected := True;
  except
    // Any connection failure is reported the same way, so the message does not
    // reveal which part of the login was wrong
    ShowMessage('Username or Password Incorrect');
    Flag := False;
  end;

  if Flag then
  begin
    form2.Show;
    form1.Hide;
    form2.Label3.Caption := form1.username.Text;
  end;
end;

end.


Plesk asked:

Ioannis Anifantakis (Programming Instructor) commented:
1) So you want to use SSL over your Database connection at the time your system logs in the database?
2) Your application is about to run on the internet?
Ioannis Anifantakis (Programming Instructor) commented:
AnyDAC has supported SSL since version 2.0.17 Build .1267 (Spring 2009), so your connection components support this functionality anyway and you can deal with it through the available connector component's properties.

Now take a look at this information regarding SSL and MySQL:
http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html

Additionally, you will find the Devart components for MySQL very useful:
http://www.devart.com/dac.html
Mahdi78 commented:
You can encrypt outgoing data and decrypt incoming data.
CodedK commented:
Hi Plesk.

SSL is supported from the last version.
It's "Spring 2010", not "Spring 2009"; this is an error on the RemObjects web page.

Anyway, SSL is not necessarily needed (though it's the best option) with AnyDAC, since the code transmission is encrypted anyway...

You have to consider two things only, since the code is stored inside your application.

1) Reversing your application, or even some hex editing, will expose your code!
2) Sniffing network packets would also reveal several pieces of info.

So first, you'll have to encrypt your code for the database.
Don't just keep it in a string within your code.

Second: with an application like Wireshark you can see the packets that your application sends to the server. Everything is visible now (queries, responses from the server, etc.).
But the code is not visible.
AnyDAC encrypts the transmission, but this doesn't mean that the rest is not a vulnerability.
SSL is the way to go.


For the first case see my PAQ here:
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_25090311.html

In that question several ways to protect an application are mentioned.

Write your own function to encrypt and decrypt strings within your code,
and then store the code like this:

AdConnection1.Params.Values['Database'] := Decrypt('@#sddsjhg');
AdConnection1.Params.Values['Password'] := Decrypt('@#FK*$');

Check here for a simple encrypt/decrypt function:
http://www.delphifaq.com/faq/delphi/strings/f95.shtml

Of course there are several free components that will allow you to encrypt/decrypt or even hash
with AES, Blowfish, SHA, MD5...

Then protect your application with a good packer.
See also the comments in the PAQ I posted above about protecting the application with your own code.

Hope this helps.
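The storage scheme the asker is after (a per-user salt and hash kept in a users table and checked by the application, so the client never connects to MySQL as the end user and no plaintext password ever reaches the database), as an added example that is not code from this thread. It is written in Python with an in-memory sqlite3 database standing in for MySQL because the scheme does not depend on the client language; the table name app_users, the PBKDF2-SHA256 choice and the sample user are assumptions made here.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored value cannot be turned back into the password
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_schema(conn: sqlite3.Connection) -> None:
    # Constructed table name; the application connects with one restricted DB account
    conn.execute(
        "CREATE TABLE IF NOT EXISTS app_users ("
        "username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(SALT_LEN)  # fresh random salt per user
    conn.execute(
        "INSERT INTO app_users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM app_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same work for an unknown user so timing does not reveal valid names
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    register(conn, "plesk", "correct horse")  # constructed sample user
    stored = conn.execute("SELECT pw_hash FROM app_users").fetchone()[0]
    return {
        "ok": login(conn, "plesk", "correct horse"),
        "bad": login(conn, "plesk", "wrong password"),
        "missing": login(conn, "nobody", "correct horse"),
        "plaintext_in_db": b"correct horse" in stored,
    }
```

Hashing protects what is stored; it does not protect the wire, so the SSL advice above still applies to the connection the application makes with its own account.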
