huayan889
uniGUI Subscriber, 99 posts

Everything posted by huayan889

  1. UniQuery1.Active := false;
     // cl_decrypt takes the edit's text, as in post 12 (the original passed the component itself)
     UniQuery1.SQL.Text := 'select * from ss_users where (customer_id=' + chr(39) + UniEdit1.Text + chr(39) +
       ') and (user_account =' + chr(39) + UniEditUser.Text + chr(39) +
       ') and (user_pass=' + chr(39) + MD5(cl_decrypt(UniEditPass.Text)) + chr(39) + ')';
     UniQuery1.Open;
  2. After I apply the above modification, it still has no effect.
  3. LoginForm:

     procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
     begin
       // Add Components for encryption in Application Layer.
       // TStringList.IndexOfName returns -1 when the name is absent, so the test is "< 0"
       // (the original "<= 0" re-added the entry at index 0 on every call).
       if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName) // add JSName of Element for UserName
       else
         UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;
       if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
         UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName) // add JSName of Element for UserPass
       else
         UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
     end;

     UniMainModule:

     // uses uniGUIApplication (TUniGUISession), uniGUIJSUtils (URIDecode), HTTPApp (HTTPEncode)
     procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
     var
       fpName, fpValue, fpCompName: String;
       I, J: Integer;
       sAjaxValues: TStringList;
     begin
       // replace ARequestInfo with TUniGUISession(ASession).ARequest
       // If (sSessionID <> '')
       if (Pos('_fp_', TUniGUISession(ASession).ARequest.UnparsedParams) > 0) and
          (UniServerModule.ProtectDataList.Count > 0) then
       begin
         sAjaxValues := TStringList.Create;
         try
           try
             sAjaxValues.Delimiter := '&';
             sAjaxValues.StrictDelimiter := True;
             sAjaxValues.DelimitedText :=
               uniGUIJSUtils.URIDecode(TUniGUISession(ASession).ARequest.UnparsedParams);
             if sAjaxValues.IndexOfName('_fp_') >= 0 then // -1 means the parameter is absent
             begin
               for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
               begin
                 fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // JSName of the protected edit
                 fpName := sAjaxValues.Values[fpCompName];
                 fpValue := '';
                 if fpName <> '' then
                 begin
                   // walk the submitted value from its end back to the last '%' escape;
                   // fpValue keeps the characters after that escape
                   for I := Length(fpName) downto 1 do
                   begin
                     case fpName[I] of
                       '%':
                         begin
                           Delete(fpValue, 1, 2);
                           Break;
                         end;
                     else
                       fpValue := fpName[I] + fpValue;
                     end;
                   end; // for I
                   // replace that fragment in the request parameters with the literal '123'
                   sAjaxValues.Values[fpCompName] :=
                     StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
                   TUniGUISession(ASession).ARequest.Params.Values['_fp_'] :=
                     '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
                   sAjaxValues.Values['_fp_'] :=
                     HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
                   sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
                   TUniGUISession(ASession).ARequest.UnparsedParams := sAjaxValues.DelimitedText;
                   TUniGUISession(ASession).ARequest.FormParams := sAjaxValues.DelimitedText;
                 end; // if fpName <> ''
               end; // for J
             end; // if _fp_ present
           except
             // the original swallowed every exception here; keep that behaviour
           end;
         finally
           sAjaxValues.Free; // freed on every path (the original leaked it on an exception)
         end;
       end;
     end;

     UniServerModule:

     public
       { Public declarations }
       ProtectDataList: TStringList;
     end;

     procedure TUniServerModule.UniGUIServerModuleBeforeInit(Sender: TObject);
     begin
       ProtectDataList := TStringList.Create;
     end;

     procedure TUniServerModule.UniGUIServerModuleBeforeShutdown(Sender: TObject);
     begin
       ProtectDataList.Clear;
       ProtectDataList.Free;
     end;
  4. irigsoft: Can you give me a complete test demo?
  5. I just had the third-party company test it; the result is the same. This problem can only be solved by encrypting the information from the browser.
  6. [dcc32 Error] ServerModule.pas(243): E2003 Undeclared identifier: 'ProtectDataList'
  7. I can test the code you sent: 315795176& qq.com, replace & with @.
  8. HTTPS encrypts business data at the transport layer. Our packet capture is application-layer data, that is, local data. When we process the account and password, they have not yet reached the transport layer. So adding a certificate cannot solve the problem of the account and password being transmitted in plaintext.
  9. This security problem was found by local packet capture. If the security problem is not solved, the system is not allowed to go online.
  10. This security problem was found through local packet capture.
  11. HTTPS is enabled. It's not caused by SQL injection.
  12. It is a security problem detected by a third party. The code is very simple:

      procedure TUniLoginFrm.LoginButClick(Sender: TObject);
      begin
        ...
        UniQuery1.Active := false;
        UniQuery1.SQL.Text := 'select * from ss_customer_info where (customer_id=' + chr(39) + UniEdit1.Text + chr(39) +
          ') and (admin_id =' + chr(39) + UniEdit2.Text + chr(39) +
          ') and (admin_pass=' + chr(39) + MD5(cl_decrypt(uniedit2.text)) + chr(39) + ')';
        UniQuery1.Open;
        .....
      end;
  13. How do you deal with the problem of plaintext?
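Editor's note, added example (not huayan889's, irigsoft's or the uniGUI project's code): the login queries in posts 1 and 12 build the SQL statement by concatenating the edit boxes' text between chr(39) quotes, which lets a quote character typed into any of the three fields change the WHERE clause. The same query with bound parameters, which is what a reviewer would ask for regardless of the separate plaintext-transport finding the thread is about, looks like this. It assumes the table and column names from post 1, that UniQuery1 is a Devart UniDAC TUniQuery (ParamByName/AsString), that MD5 and cl_decrypt are the page's own helpers taking and returning strings, and that the form is a uniGUI login form where ModalResult := mrOk admits the user. Binding parameters changes nothing about what crosses the wire; it only removes the injection path.

```pascal
// Added example: parameterised version of the login query from posts 1 and 12.
// uses uniGUIDialogs (ShowMessage), Controls (mrOk); MD5 and cl_decrypt are
// the page's own helper functions (assumed: string in, string out).
procedure TUniLoginFrm.LoginButClick(Sender: TObject);
begin
  UniQuery1.Close;
  // :name placeholders are sent to the server separately from the statement
  // text, so a value such as   x' or '1'='1   stays a literal string and can
  // no longer rewrite the WHERE clause as it does with chr(39) concatenation.
  UniQuery1.SQL.Text :=
    'select * from ss_users ' +
    'where customer_id = :customer_id ' +
    '  and user_account = :user_account ' +
    '  and user_pass = :user_pass';
  UniQuery1.ParamByName('customer_id').AsString := UniEdit1.Text;
  UniQuery1.ParamByName('user_account').AsString := UniEditUser.Text;
  // same credential transformation as the original post; the parameter
  // carries the resulting hash string, quoting is handled by the driver
  UniQuery1.ParamByName('user_pass').AsString := MD5(cl_decrypt(UniEditPass.Text));
  UniQuery1.Open;

  if UniQuery1.IsEmpty then
    // one generic message: do not reveal which of the three fields was wrong
    ShowMessage('Login failed')
  else
    ModalResult := mrOk; // uniGUI login form: admit the session
end;
```

The only behavioural difference from the posted code is that the three edit values can no longer terminate the string literal; the hashing of the password and the rest of the login flow are unchanged.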