Delphi SQL protection


I have a Delphi client MySQL login. I am using AnyDAC to manage this.

Now, it all works well, but I'd like it to be secure. I am well aware of security issues and also understand it would be more secure to handle my login via PHP. However, my project will not work this way.

I don't want script kiddies loading my login client and running a sniffer or any kind of application tools to intercept login details from client to MySQL server.

I need some sort of secure code I can put in. One that not only protects data being sent, but also writes it as a "salted" or encrypted password on the SQL database, so not even admins can see it.

In other words, I want it to write them into the database exactly how PHP does it, so passwords can't be seen or sniffed.

The following is my login script using AnyDAC components.

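procedure TForm1.Button1Click(Sender: TObject);
var
  Flag: Boolean;
begin
  ADConnection1.Params.Values['User_Name'] := username.Text;
  ADConnection1.Params.Values['Password'] := password.Text;
  try
    ADConnection1.Connected := True; // connect step assumed; it is missing from the post
  except
    ShowMessage('Username or Password Incorrect');
  end;
  Flag := ADConnection1.Connected; // assumed; the original assignment is missing
  if Flag then ; // the rest of the handler is not shown in the post
end;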


CodedK Commented:
Hi Plesk.

SSL is supported from the last version.
It's "Spring 2010", not "Spring 2009"; this is an error on the RemObject webpage.

Anyway, SSL is not necessarily needed (though it's the best option) with AnyDAC, since the code transmission is encrypted anyway...

You have to consider two things only... since the code is stored inside your application.

1) Reversing your application, or even some hex editing, will expose your code!
2) Sniffing network packets would also reveal several pieces of info.

So first, you'll have to encrypt your code for the database.
Don't just keep it in a string within your code.

Second. With an application like Wireshark you can see the packets that your application sends to the server. Everything is visible now (queries, responses from the server, etc.).
But the code is not visible.
AnyDAC encrypts the transmission but this doesn't mean that the rest is not a vulnerability.
SSL is the way to go.

For the first case see my PAQ here:

In this question several ways to protect an application are mentioned.

Write your own function to encrypt and decrypt strings within your code.
And then store the code like this:

AdConnection1.Params.Values['Database'] := Decrypt('@#sddsjhg');
AdConnection1.Params.Values['Password'] := Decrypt('@#FK*$');

Check here a simple encrypt / decrypt function.

Of course there are several free components that will allow you to encrypt/decrypt or even hash with AES, Blowfish, SHA, MD5...

Then protect your application with a good packer.
See also the comments in the PAQ I posted above, about protecting the application with your own code.

Hope this helps.
Ioannis Anifantakis, Software Engineer, Commented:
1) So you want to use SSL over your Database connection at the time your system logs in the database?
2) Your application is about to run on the internet?
Ioannis Anifantakis, Software Engineer, Commented:
AnyDAC supports SSL since version 2.0.17 Build .1267 - (Spring 2009), so your connection components support this functionality anyway and you can deal with it, with the available connector component's properties.

Now take a look at this information regarding SSL and MySQL.

Additionally, you will find the Devart components for MySQL very useful.
You can encrypt out data and decrypt in data.
Question has a verified solution.
