irigsoft

Everything posted by irigsoft

  1. This is with loginform: Project1_LoginForm.zip
  2. Project1.zip
     Simple, without a login form: it just replaces the values in uniEditUser.Text and uniEditPass.Text with '123'. Clicking the button must show the results in the (replaced) text fields. Please try it without the login form and return feedback.
  3. Do you have components with the names username and userpassword?
  4. I don't know the correct name of the Edit field for the username in the login form. I see in your SQL code that you gave as an example that you use uniEdit1 to enter the username. In my code I use uniEditUser as my username (it does not have that name in your login form). So take the correct name from your login form and use it in this procedure to replace uniEditUser and uniEditPass with the correct component name. If your component name for the username is uniEdit1 and for the password is uniEdit2, this code will be correct:

     procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
     begin
       // Add components for encryption in the application layer.
       // IndexOfName returns -1 when the name is absent, so the check is < 0.
       if UniServerModule.ProtectDataList.IndexOfName(UniEdit1.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEdit1.Name + '=' + UniEdit1.JSName) // add the JSName of the element for the username
       else
         UniServerModule.ProtectDataList.Values[UniEdit1.Name] := UniEdit1.JSName;
       if UniServerModule.ProtectDataList.IndexOfName(UniEdit2.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEdit2.Name + '=' + UniEdit2.JSName) // add the JSName of the element for the password
       else
         UniServerModule.ProtectDataList.Values[UniEdit2.Name] := UniEdit2.JSName;
     end;
  5. Sorry for this confusion: you need to replace uniEditUser with uniEdit1 and uniEditPass with uniEdit2. This code is correct after replacing them:

     procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
     begin
       // Add components for encryption in the application layer.
       // IndexOfName returns -1 when the name is absent, so the check is < 0.
       if UniServerModule.ProtectDataList.IndexOfName(UniEdit1.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEdit1.Name + '=' + UniEdit1.JSName) // add the JSName of the element for the username
       else
         UniServerModule.ProtectDataList.Values[UniEdit1.Name] := UniEdit1.JSName;
       if UniServerModule.ProtectDataList.IndexOfName(UniEdit2.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEdit2.Name + '=' + UniEdit2.JSName) // add the JSName of the element for the password
       else
         UniServerModule.ProtectDataList.Values[UniEdit2.Name] := UniEdit2.JSName;
     end;
  6. Try to replace uniEditUser and uniEditPass in this procedure with the components for User and Pass from the login form:

     procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
     begin
       // Add components for encryption in the application layer.
       // IndexOfName returns -1 when the name is absent, so the check is < 0.
       if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName) // add the JSName of the element for the username
       else
         UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;
       if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName) // add the JSName of the element for the password
       else
         UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
     end;

     In your SQL code you use UniEdit1 and UniEdit2:

     UniQuery1.Active := false;
     UniQuery1.SQL.Text := 'select * from ss_customer_info where (customer_id=' + chr(39) + UniEdit1.Text + chr(39) +
       ') and (admin_id =' + chr(39) + UniEdit2.Text + chr(39) +
       ') and (admin_pass=' + chr(39) + MD5(cl_decrypt(uniedit2.text)) + chr(39) + ')';
     UniQuery1.Open;
  7. Hi, I see that in your code you use UniEditUser for the username, but that is not right in the LoginForm. Maybe you must replace UniEditUser with the correct component. I made a test with an empty uniGUI project and just added these uniEdit fields: UniEditUser and UniEditPass; they are not the username and password from the login form. This is a possible reason! Try to replace uniEditUser and uniEditPass in this procedure with the components for User and Pass from the login form:

     procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
     begin
       // Add components for encryption in the application layer.
       // IndexOfName returns -1 when the name is absent, so the check is < 0.
       if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName) // add the JSName of the element for the username
       else
         UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;
       if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName) // add the JSName of the element for the password
       else
         UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
     end;

     In your SQL code you use UniEdit1 and UniEdit2:

     UniQuery1.Active := false;
     UniQuery1.SQL.Text := 'select * from ss_customer_info where (customer_id=' + chr(39) + UniEdit1.Text + chr(39) +
       ') and (admin_id =' + chr(39) + UniEdit2.Text + chr(39) +
       ') and (admin_pass=' + chr(39) + MD5(cl_decrypt(uniedit2.text)) + chr(39) + ')';
     UniQuery1.Open;
  8. Yes, that's all and it's right. If there is no effect, it may be better for @Sherzod or another member of the uniGUI team to help with this. I see in the Google Chrome console the file in which the function for filling in the values is performed, and maybe something needs to be changed in that file.
  9. This is all: the whole procedure moved from TUniServerModule.UniGUIServerModuleHTTPCommand to TUniMainModule.UniGUIMainModuleHandleRequest.

     uses
       uniGUIJSUtils, HTTPApp;

     procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
     var
       fpName, fpValue, fpCompName: string;
       I, J: Integer;
       sAjaxValues: TStringList;
     begin
       // ARequestInfo from the server module is reached here as TUniGUISession(ASession).ARequest
       if (Pos('_fp_', TUniGUISession(ASession).ARequest.UnparsedParams) > 0) and
          (UniServerModule.ProtectDataList.Count > 0) then
       begin
         sAjaxValues := TStringList.Create;
         sAjaxValues.Delimiter := '&';
         sAjaxValues.StrictDelimiter := True;
         sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(TUniGUISession(ASession).ARequest.UnparsedParams);
         try
           if sAjaxValues.IndexOfName('_fp_') >= 0 then
           begin
             for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
             begin
               fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J];
               fpName := sAjaxValues.Values[fpCompName];
               fpValue := '';
               if fpName <> '' then
               begin
                 // walk the value backwards and collect the plaintext after the '%02' prefix
                 for I := Length(fpName) downto 1 do
                 begin
                   case fpName[I] of
                     '%':
                       begin
                         Delete(fpValue, 1, 2);
                         Break;
                       end;
                   else
                     fpValue := fpName[I] + fpValue;
                   end;
                 end; // for I
                 sAjaxValues.Values[fpCompName] := StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
                 TUniGUISession(ASession).ARequest.Params.Values['_fp_'] := '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
                 sAjaxValues.Values['_fp_'] := HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
                 sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
                 TUniGUISession(ASession).ARequest.UnparsedParams := sAjaxValues.DelimitedText;
                 TUniGUISession(ASession).ARequest.FormParams := sAjaxValues.DelimitedText;
               end; // if
             end; // for J
           end; // if
         except
           // every exception is swallowed here, as in the original
         end;
         sAjaxValues.Free;
       end;
     end;
  10. Please try it another way: use TUniMainModule.UniGUIMainModuleHandleRequest.

     procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
     var
       fpName, fpValue, fpCompName: string;
       I, J: Integer;
       sAjaxValues: TStringList;
     begin
       // ARequestInfo from the server module is reached here as TUniGUISession(ASession).ARequest
       if (Pos('_fp_', TUniGUISession(ASession).ARequest.UnparsedParams) > 0) and
          (UniServerModule.ProtectDataList.Count > 0) then
       begin
         sAjaxValues := TStringList.Create;
         sAjaxValues.Delimiter := '&';
         sAjaxValues.StrictDelimiter := True;
         sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(TUniGUISession(ASession).ARequest.UnparsedParams);
         try
           if sAjaxValues.IndexOfName('_fp_') >= 0 then
           begin
             for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
             begin
               fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J];
               fpName := sAjaxValues.Values[fpCompName];
               fpValue := '';
               if fpName <> '' then
               begin
                 // walk the value backwards and collect the plaintext after the '%02' prefix
                 for I := Length(fpName) downto 1 do
                 begin
                   case fpName[I] of
                     '%':
                       begin
                         Delete(fpValue, 1, 2);
                         Break;
                       end;
                   else
                     fpValue := fpName[I] + fpValue;
                   end;
                 end; // for I
                 sAjaxValues.Values[fpCompName] := StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
                 TUniGUISession(ASession).ARequest.Params.Values['_fp_'] := '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
                 sAjaxValues.Values['_fp_'] := HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
                 sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
                 TUniGUISession(ASession).ARequest.UnparsedParams := sAjaxValues.DelimitedText;
                 TUniGUISession(ASession).ARequest.FormParams := sAjaxValues.DelimitedText;
               end; // if
             end; // for J
           end; // if
         except
           // every exception is swallowed here, as in the original
         end;
         sAjaxValues.Free;
       end;
     end;

     I tested these two functions in the Google Chrome console and made a memory snapshot. When I use UniGUIServerModuleHTTPCommand, the console shows me the test value as submittedvalue; when I use UniGUIMainModuleHandleRequest, the console shows me the test value as lastvalue. So there are some differences, and maybe the last function will give you the solution.
  11. 1. Can you try to replace ARequestInfo.UnparsedParams with ARequestInfo.Params.Text or ARequestInfo.FormParams?
      2. Also you can try to encrypt ARequestInfo.Username and ARequestInfo.Password in TUniServerModule.UniGUIServerModuleHTTPCommand. I added this code:

     // replace data
     sAjaxValues.Values[fpCompName] := StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
     // NEW: replace in ARequestInfo.Params
     ARequestInfo.Params.Values['_fp_'] := '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
     sAjaxValues.Values['_fp_'] := HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
     sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
     // old code: replace data in UnparsedParams
     ARequestInfo.UnparsedParams := sAjaxValues.DelimitedText;
     // NEW: replace in ARequestInfo.FormParams
     ARequestInfo.FormParams := sAjaxValues.DelimitedText;
  12. Thanks. On the web I found many software packages for this purpose (encrypting data from the browser); maybe uniGUI can't do this by default.
  13. "How do you deal with the problem of plaintext?" Replace the uniEdit values with a custom JavaScript hash function on the client side: Project1.zip, and with an MD5 hash: Project1.zip
  14. So, the resolution is this:

     uses
       HTTPApp, uniGUIJSUtils;

     procedure TUniServerModule.UniGUIServerModuleBeforeInit(Sender: TObject);
     begin
       // create the list with the elements for encryption (ProtectDataList: TStringList, public in the server module)
       ProtectDataList := TStringList.Create;
       // we can load all names from a settings file
       ProtectDataList.LoadFromFile('file with names of elements');
     end;

     procedure TForm_General.UniFormReady(Sender: TObject);
     begin
       // Add components for encryption in the application layer.
       // IndexOfName returns -1 when the name is absent, so the check is < 0.
       if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName) // add the JSName of the element for the username
       else
         UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;
       if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName) // add the JSName of the element for the password
       else
         UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
     end;

     procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
       AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
     var
       fpName, fpValue, fpCompName: string;
       sAjaxValues: TStringList;
       I, J: Integer;
     begin
       // if there is "_fp_" data in the request, we will replace everything in it
       if (Pos('_fp_', ARequestInfo.UnparsedParams) > 0) and (UniServerModule.ProtectDataList.Count > 0) then
       begin
         sAjaxValues := TStringList.Create; // list with all values from the request
         sAjaxValues.Delimiter := '&';
         sAjaxValues.StrictDelimiter := True;
         sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(ARequestInfo.UnparsedParams); // decode the URL data from ARequestInfo
         try
           if sAjaxValues.IndexOfName('_fp_') >= 0 then
           begin
             // for the list of items whose data we want to be encrypted
             for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
             begin
               fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // get the JSName of the component in the request
               fpName := sAjaxValues.Values[fpCompName]; // find the data for the JSName in the request
               fpValue := '';
               if fpName <> '' then
               begin
                 for I := Length(fpName) downto 1 do
                 begin
                   case fpName[I] of
                     '%':
                       begin
                         Delete(fpValue, 1, 2); // delete the last 2 characters; they were always %02, so if % is found, delete 02
                         Break;
                       end;
                   else
                     fpValue := fpName[I] + fpValue;
                   end;
                 end; // for I
                 // replace the value for the component; '123' is the new value of the data. This can be replaced with MD5(fpValue)
                 sAjaxValues.Values[fpCompName] := StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
                 sAjaxValues.Values['_fp_'] := HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]); // URL-encode all data for '_fp_'
                 sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
                 ARequestInfo.UnparsedParams := sAjaxValues.DelimitedText; // set the new values
               end; // if
             end; // for J
           end; // if
         except
           // every exception is swallowed here, as in the original
         end;
         sAjaxValues.Free;
       end;
     end;

     This will replace the values of uniEditUser and uniEditPass in the request with '123'. Please send me feedback with the third-party test results.
  15. Please declare ProtectDataList as a TStringList in the ServerModule, public.
  16. Sorry, add uniGUIJSUtils to the uses clause.
  17. Please try it. Hi, I made some code for testing.

     procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
       AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
     var
       sSessionID: string;
       sAjaxValues: TStringList;
     begin
       sSessionID := ExtractSessionId(ARequestInfo.UnparsedParams); // get the active session ID
       // UniServerModule.ProtectDataList.Values[sSessionID + 'User'] - use it to save the user
       // UniServerModule.ProtectDataList.Values[sSessionID + 'Pass'] - use it to save the pass (ProtectDataList = TStringList)
       if sSessionID <> '' then
       begin
         sAjaxValues := TStringList.Create;
         sAjaxValues.Delimiter := '&';
         sAjaxValues.StrictDelimiter := True;
         sAjaxValues.DelimitedText := ARequestInfo.UnparsedParams; // save UnparsedParams - plaintext data
         try
           // MD5 with a second argument is the helper used in this post
           // if (Pos(UniServerModule.ProtectDataList.Values[sSessionID + 'User'], sAjaxValues.Values['_fp_']) > 0)
           //   and (Trim(UniServerModule.ProtectDataList.Values[sSessionID + 'User']) <> '')
           if sAjaxValues.IndexOfName('_fp_') >= 0 then
           begin
             // first block: the user
             sAjaxValues.Values['_fp_'] := StringReplace(sAjaxValues.Values['_fp_'],
               UniServerModule.ProtectDataList.Values[sSessionID + 'User'],
               MD5(UniServerModule.ProtectDataList.Values[sSessionID + 'User'], '123'),
               [rfReplaceAll, rfIgnoreCase]);
             ARequestInfo.UnparsedParams := sAjaxValues.DelimitedText;
             UniServerModule.ProtectDataList.Values[sSessionID + 'User'] := '';
           end;
           // if (Pos(UniServerModule.ProtectDataList.Values[sSessionID + 'Pass'], sAjaxValues.Values['_fp_']) > 0)
           //   and (Trim(UniServerModule.ProtectDataList.Values[sSessionID + 'Pass']) <> '')
           if sAjaxValues.IndexOfName('_fp_') >= 0 then
           begin
             // second block: the password
             sAjaxValues.Values['_fp_'] := StringReplace(sAjaxValues.Values['_fp_'],
               UniServerModule.ProtectDataList.Values[sSessionID + 'Pass'],
               MD5(UniServerModule.ProtectDataList.Values[sSessionID + 'Pass'], '123'),
               [rfReplaceAll, rfIgnoreCase]);
             ARequestInfo.UnparsedParams := sAjaxValues.DelimitedText;
             UniServerModule.ProtectDataList.Values[sSessionID + 'Pass'] := '';
           end;
         except
           // every exception is swallowed here, as in the original
         end;
         sAjaxValues.Free;
       end;
     end;

     This will replace the values of user and password in the raw request. Please send me feedback with the result.
  18. Would you test the code I will send you, if possible with feedback from the read data? I need some time to find a way to protect the application layer and return the code to you. If you are clear about a method that can be applied to protect the layer, I would be happy to share it and find a solution together. I'm not on the uniGUI team!
  19. I am not a security expert and my expertise in web security is too low, but what do you think about this: is it possible to use S-HTTP for an encrypted transport layer? https://en.wikipedia.org/wiki/Secure_Hypertext_Transfer_Protocol "S-HTTP encrypts only the served page data and submitted data like POST fields, leaving the initiation of the protocol unchanged. Because of this, S-HTTP could be used concurrently with HTTP (unsecured) on the same port, as the unencrypted header would determine whether the rest of the transmission is encrypted." "In S-HTTP, the desired URL is not transmitted in the cleartext headers, but left blank; another set of headers is present inside the encrypted payload. In HTTP over TLS, all headers are inside the encrypted payload and the server application does not generally have the opportunity to gracefully recover from TLS fatal errors (including 'client certificate is untrusted' and 'client certificate is expired')." Or what do you think is the best method to address the issue of "plaintext"? I'm also looking for various security vulnerabilities. I want to make the uniGUI application more secure, and I know that "If the security problem is not solved, the system is not allowed to go online" is a real-life problem.
  20. Of course not. Creating an SQL authorization script without parameters allows SQL injection, but your problem is with plain text.
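     The point of post 20, as an added example that is not from the thread: the login query quoted earlier in this thread, built by string concatenation exactly as posted, beside a parameterized version of the same query. It runs against an in-memory SQLite table with one constructed row; the table and column names are the thread's, the sample values are assumed.

```python
# Added example (not from the forum thread): the thread's concatenated login
# query beside a parameterized one, run on a constructed in-memory table.
import hashlib
import sqlite3

# Constructed input that closes the quoted admin_id and alters the WHERE clause.
TAMPERED_ID = "admin') or ('1'='1"


def pw_hash(password: str) -> str:
    # The thread's snippet stores MD5(...); the hash choice is not the point here.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table ss_customer_info (customer_id text, admin_id text, admin_pass text)")
    # constructed sample row
    con.execute("insert into ss_customer_info values (?, ?, ?)",
                ("cust1", "admin", pw_hash("correct horse")))
    con.commit()
    return con


def login_concat(con: sqlite3.Connection, customer_id: str, admin_id: str, password: str) -> int:
    # Same shape as the thread's UniQuery1.SQL.Text: values glued in between chr(39) quotes,
    # so a quote inside the input becomes part of the SQL statement itself.
    sql = ("select * from ss_customer_info where (customer_id='" + customer_id +
           "') and (admin_id ='" + admin_id +
           "') and (admin_pass='" + pw_hash(password) + "')")
    return len(con.execute(sql).fetchall())


def login_params(con: sqlite3.Connection, customer_id: str, admin_id: str, password: str) -> int:
    # Bound parameters: the input is always data and never changes the statement.
    sql = ("select * from ss_customer_info "
           "where customer_id = ? and admin_id = ? and admin_pass = ?")
    return len(con.execute(sql, (customer_id, admin_id, pw_hash(password))).fetchall())


if __name__ == "__main__":
    db = make_db()
    print("concat, wrong password, tampered id:", login_concat(db, "cust1", TAMPERED_ID, "wrong"))
    print("params, wrong password, tampered id:", login_params(db, "cust1", TAMPERED_ID, "wrong"))
```

With the right password both functions find the row; with a wrong password and the tampered admin_id only the concatenated query still returns it, because "or ('1'='1')" has become part of the statement.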
  21. You must check all of my answers. If you have a (third-party) man-in-the-middle attack, I already explained how to avoid this with examples. Look in this thread too:
  22. Examples:
      Strict Transport Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
      Always redirect to https!!!
      Forum with the problem: https://superuser.com/questions/1107285/hsts-not-working-with-chrome
      >>> the solution of the problem: "For others who are seeing a similar issue - it may be because your browser has not yet accessed the site over HTTPS. Try accessing it over HTTPS and then again over HTTP. If HSTS is correctly implemented, then that last request should fail. MDN explains it nicely:"
      >>> or this: "The problem was that I had no CA in the Chrome trusted store. Added an exception manually. It looks like for such a scenario Chrome does not honor HSTS headers. Once I added the CA to the trusted store everything is working fine - I also see my domain in chrome://net-internals/#hsts. Thanks!"
      "How do we make the browser go from HTTP to HTTPS without a redirect script?" Maybe this will help: https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/
      Google docs: https://www.chromium.org/hsts
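     The two checks post 22 asks for, as an added example that is not from the thread: whether the plain-HTTP response only redirects to HTTPS, and whether the HTTPS response carries a Strict-Transport-Security header that a browser will actually keep. The input is a constructed set of response headers rather than a live fetch; the one-year minimum is the value the Chromium preload list requires.

```python
# Added example (not from the forum thread): offline checker for an HTTP->HTTPS
# redirect and for the Strict-Transport-Security header on the HTTPS response.
import re

ONE_YEAR = 31536000  # seconds; minimum max-age for the Chromium preload list


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        m = re.fullmatch(r"max-age\s*=\s*\"?(\d+)\"?", part, re.IGNORECASE)
        if m:
            out["max_age"] = int(m.group(1))
        elif part.lower() == "includesubdomains":
            out["include_subdomains"] = True
        elif part.lower() == "preload":
            out["preload"] = True
    return out


def check_hsts(headers: dict, status: int, scheme: str) -> list:
    """Return findings (empty list = fine) for one response to a request over `scheme`."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP (RFC 6797), so the
        # only job of the http response is a permanent redirect to https.
        loc = h.get("location", "")
        if status not in (301, 308) or not loc.lower().startswith("https://"):
            findings.append("http response does not permanently redirect to https")
        return findings
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the https response")
        return findings
    d = parse_hsts(hsts)
    if d["max_age"] is None:
        findings.append("max-age directive missing")
    elif d["max_age"] == 0:
        findings.append("max-age=0 clears the policy instead of setting it")
    elif d["max_age"] < ONE_YEAR:
        findings.append("max-age shorter than one year")
    if d["preload"] and not (d["include_subdomains"] and (d["max_age"] or 0) >= ONE_YEAR):
        findings.append("preload requested without includeSubDomains and a one-year max-age")
    return findings


if __name__ == "__main__":
    # constructed responses: one good pair, one https response with a weak header
    print(check_hsts({"Location": "https://example.test/"}, 301, "http"))
    print(check_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, 200, "https"))
    print(check_hsts({"Strict-Transport-Security": "max-age=600; preload"}, 200, "https"))
```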