huayan889
Posts: 99
Posts posted by huayan889
-
15 minutes ago, irigsoft said:
I don't know the correct name of the edit field for the username in the login form.
I see in your SQL code that you gave uniEdit1 as the example of the field you use to enter the username.
In my code I use uniEditUser as the username (not with that name in your login form).
So take the correct name from your login form and use it in this procedure, replacing uniEditUser and uniEditPass with the correct component names.
If your component name for the username is uniEdit1 and for the password is uniEdit2,
this code will be correct:
procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
begin
  // Add components for encryption in the application layer
  // (IndexOfName returns -1 when the name is absent, so test for < 0)
  if UniServerModule.ProtectDataList.IndexOfName(UniEdit1.Name) < 0 then
    // add JSName of the element for the user name
    UniServerModule.ProtectDataList.Add(UniEdit1.Name + '=' + UniEdit1.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEdit1.Name] := UniEdit1.JSName;

  if UniServerModule.ProtectDataList.IndexOfName(UniEdit2.Name) < 0 then
    // add JSName of the element for the password
    UniServerModule.ProtectDataList.Add(UniEdit2.Name + '=' + UniEdit2.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEdit2.Name] := UniEdit2.JSName;
end;
-
uniedit1 no userpassword
-
-
13 minutes ago, irigsoft said:
Try to replace uniEditUser and uniEditPass in this procedure with the User and Pass components from the login form:
procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
begin
  // Add components for encryption in the application layer
  // (IndexOfName returns -1 when the name is absent, so test for < 0)
  if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
    // add JSName of the element for the user name
    UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;

  if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
    // add JSName of the element for the password
    UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
end;
In your SQL code you use UniEdit1 and UniEdit2:
"UniQuery1.Active := false;
UniQuery1.SQL.Text := 'select * from ss_customer_info where (customer_id=' + chr(39) +
  UniEdit1.Text + chr(39) + ') and (admin_id =' + chr(39) + UniEdit2.Text + chr(39) +
  ') and (admin_pass=' + chr(39) + MD5(cl_decrypt(uniedit2.text)) + chr(39) + ')';
UniQuery1.Open;"
UniQuery1.Active := false;
UniQuery1.SQL.Text := 'select * from ss_users where (customer_id=' + chr(39) + UniEdit1.Text +
  chr(39) + ') and (user_account =' + chr(39) + UniEditUser.Text + chr(39) +
  ') and (user_pass=' + chr(39) + MD5(cl_decrypt(UniEditPass.Text)) + chr(39) + ')';
UniQuery1.Open;
-
4 minutes ago, irigsoft said:
Hi, I see that in your code you use UniEditUser for the username, but that is not right in the LoginForm.
Maybe you must replace UniEditUser with the correct component.
I made a test with an empty uniGUI project and just added these uniEdit fields: UniEditUser and UniEditPass; they are not the user name and password from the login form.
This is a possible reason!
OK, I'll revise and test
-
1 hour ago, irigsoft said:
Yes, that's all and it's right.
If there is no effect, it may be better for @Sherzod or another member of the uniGUI team to help with this.
I see in the Google Chrome console the file in which the function for filling in the values is performed, and maybe something needs to be changed in that file.
Thanks
-
After I apply the above modification, it still has no effect.
-
LoginForm:
procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
begin
  // Add components for encryption in the application layer
  // (IndexOfName returns -1 when the name is absent, so test for < 0)
  if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
    // add JSName of the element for the user name
    UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;

  if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
    // add JSName of the element for the password
    UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
end;

UniMainModule:
procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  sUser, sPass, fpName, fpValue, fpCompName, s: String;
  I, J: Integer;
  sAjaxValues, sRefererValues: TStringList;
  REQ: TIdHTTPRequestInfo; // uIdCustomHTTPServer
begin
  // replace ARequestInfo with TUniGUISession(ASession).ARequest
  // If (sSessionID <> '')
  if (Pos('_fp_', TUniGUISession(ASession).ARequest.UnparsedParams) > 0) and
     (UniServerModule.ProtectDataList.Count > 0) then
  begin
    sAjaxValues := TStringList.Create; // list with all values from the request
    sAjaxValues.Delimiter := '&';
    sAjaxValues.StrictDelimiter := True;
    sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(
      TUniGUISession(ASession).ARequest.UnparsedParams);
    try
      try
        // IndexOfName is 0-based; the '_fp_' entry may be the first one
        if sAjaxValues.IndexOfName('_fp_') >= 0 then
        begin
          for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
          begin
            fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // JSName of the component
            fpName := sAjaxValues.Values[fpCompName]; // data for that JSName in the request
            fpValue := '';
            if fpName <> '' then
            begin
              // walk the value backwards up to the last '%' to isolate the submitted text
              for I := Length(fpName) downto 1 do
              begin
                case fpName[I] of
                  '%':
                    begin
                      Delete(fpValue, 1, 2);
                      Break;
                    end
                else
                  fpValue := fpName[I] + fpValue;
                end;
              end; // for I
              sAjaxValues.Values[fpCompName] :=
                StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
              TUniGUISession(ASession).ARequest.Params.Values['_fp_'] :=
                '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
              sAjaxValues.Values['_fp_'] :=
                HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
              sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
              TUniGUISession(ASession).ARequest.UnparsedParams := sAjaxValues.DelimitedText;
              TUniGUISession(ASession).ARequest.FormParams := sAjaxValues.DelimitedText;
            end; // if
          end; // for J
        end; // if
      except
        // errors in the rewrite are swallowed; the request continues unchanged
      end;
    finally
      sAjaxValues.Free; // freed on every path, not only on success
    end;
  end;
end;

UniServerModule:
  public
    { Public declarations }
    ProtectDataList: TStringList;
  end;

procedure TUniServerModule.UniGUIServerModuleBeforeInit(Sender: TObject);
begin
  ProtectDataList := TStringList.Create;
end;

procedure TUniServerModule.UniGUIServerModuleBeforeShutdown(Sender: TObject);
begin
  ProtectDataList.Clear;
  ProtectDataList.Free;
end;
-
irigsoft: Can you give me a complete test demo?
-
1 hour ago, irigsoft said:
Please try another manner:
This will use TUniMainModule.UniGUIMainModuleHandleRequest.
procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  sUser, sPass, fpName, fpValue, fpCompName, s: String;
  I, J: Integer;
  sAjaxValues, sRefererValues: TStringList;
  REQ: TIdHTTPRequestInfo; // uIdCustomHTTPServer
begin
  // replace ARequestInfo with TUniGUISession(ASession).ARequest
  // If (sSessionID <> '')
  if (Pos('_fp_', TUniGUISession(ASession).ARequest.UnparsedParams) > 0) and
     (UniServerModule.ProtectDataList.Count > 0) then
  begin
    sAjaxValues := TStringList.Create; // list with all values from the request
    sAjaxValues.Delimiter := '&';
    sAjaxValues.StrictDelimiter := True;
    sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(
      TUniGUISession(ASession).ARequest.UnparsedParams);
    try
      try
        // IndexOfName is 0-based; the '_fp_' entry may be the first one
        if sAjaxValues.IndexOfName('_fp_') >= 0 then
        begin
          for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
          begin
            fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // JSName of the component
            fpName := sAjaxValues.Values[fpCompName]; // data for that JSName in the request
            fpValue := '';
            if fpName <> '' then
            begin
              // walk the value backwards up to the last '%' to isolate the submitted text
              for I := Length(fpName) downto 1 do
              begin
                case fpName[I] of
                  '%':
                    begin
                      Delete(fpValue, 1, 2);
                      Break;
                    end
                else
                  fpValue := fpName[I] + fpValue;
                end;
              end; // for I
              sAjaxValues.Values[fpCompName] :=
                StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
              TUniGUISession(ASession).ARequest.Params.Values['_fp_'] :=
                '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
              sAjaxValues.Values['_fp_'] :=
                HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
              sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
              TUniGUISession(ASession).ARequest.UnparsedParams := sAjaxValues.DelimitedText;
              TUniGUISession(ASession).ARequest.FormParams := sAjaxValues.DelimitedText;
            end; // if
          end; // for J
        end; // if
      except
        // errors in the rewrite are swallowed; the request continues unchanged
      end;
    finally
      sAjaxValues.Free; // freed on every path, not only on success
    end;
  end;
end;
I tested these two functions in the Google Chrome console and made a memory snapshot.
When I use UniGUIServerModuleHTTPCommand, the console shows me the test value as submittedvalue.
When I use UniGUIMainModuleHandleRequest, the console shows me the test value as lastvalue.
So there are some differences, and maybe the last function will give you the solution.
run fpcompName=''
-
7 hours ago, irigsoft said:
So, the resolution is this:
uses HTTPApp, uniGUIJSUtils; // HTTPApp for HTTPEncode, uniGUIJSUtils for URIDecode
//
procedure TUniServerModule.UniGUIServerModuleBeforeInit(Sender: TObject);
begin
  // create the list of elements whose values will be protected
  ProtectDataList := TStringList.Create;
  // we can load all names from a settings file
  ProtectDataList.LoadFromFile('file with names of elements');
end;

procedure TForm_General.UniFormReady(Sender: TObject);
begin
  // Add components for encryption in the application layer
  // (IndexOfName returns -1 when the name is absent, so test for < 0)
  if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
    // add JSName of the element for the user name
    UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;

  if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
    // add JSName of the element for the password
    UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName)
  else
    UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
end;

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
var
  fpName, fpValue, fpCompName: String;
  sAjaxValues: TStringList;
  I, J: Integer;
begin
  // if there is "_fp_" data in the request, we will replace everything in it
  if (Pos('_fp_', ARequestInfo.UnparsedParams) > 0) and
     (UniServerModule.ProtectDataList.Count > 0) then
  begin
    sAjaxValues := TStringList.Create; // create a list with all values from the request
    sAjaxValues.Delimiter := '&';
    sAjaxValues.StrictDelimiter := True;
    sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(ARequestInfo.UnparsedParams); // decode the URL data from ARequestInfo
    try
      try
        // IndexOfName is 0-based; the '_fp_' entry may be the first one
        if sAjaxValues.IndexOfName('_fp_') >= 0 then
        begin
          // for the list of items whose data we want to be encrypted
          for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
          begin
            fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // get the JSName of the component in the request
            fpName := sAjaxValues.Values[fpCompName]; // find the data for that JSName in the request
            fpValue := '';
            if fpName <> '' then
            begin
              for I := Length(fpName) downto 1 do
              begin
                case fpName[I] of
                  '%':
                    begin
                      Delete(fpValue, 1, 2); // drop the 2 characters after '%' (they were always %02), so if % is found, delete the 02
                      Break;
                    end
                else
                  fpValue := fpName[I] + fpValue;
                end;
              end; // for I
              // replace the value for the component; '123' is the new value of the data. This can be replaced with MD5(fpValue)
              sAjaxValues.Values[fpCompName] :=
                StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
              sAjaxValues.Values['_fp_'] :=
                HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]); // URL-encode all data for '_fp_'
              sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));
              ARequestInfo.UnparsedParams := sAjaxValues.DelimitedText; // set the new values
            end; // if
          end; // for J
        end; // if
      except
        // errors in the rewrite are swallowed; the request continues unchanged
      end;
    finally
      sAjaxValues.Free; // freed on every path, not only on success
    end;
  end;
end;
This will replace the values of uniEditUser and uniEditPass in the request with '123'.
Please send me feedback with the third-party test results.
I just let the third-party company test it; the result is the same.
This problem can only be solved by encrypting the information from the browser.
-
35 minutes ago, irigsoft said:
Sorry,
add to the uses clause: uniGUIJSUtils
[dcc32 Error] ServerModule.pas(243): E2003 Undeclared identifier: 'ProtectDataList'
-
-
17 hours ago, irigsoft said:
Would you test the code I will send you, if possible with feedback from the read data?
I need some time to find a way to protect the application layer and return the code to you.
If you are clear about a method that can be applied to protect the layer, I would be happy to share and find a solution together. I'm not on the uniGUI team!
I can test the code you sent, 315795176& qq.com , replace with @&
-
HTTPS encrypts the business data at the transport layer. Our packet capture is of application-layer data, that is, local data. When we process the account password, it has not yet reached the transport layer. So adding a certificate cannot solve the problem of the account password being transmitted in plaintext.
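The point made in this post, that the password is readable in a local capture before TLS is applied, is why the usual remedy is an authentication exchange that never places the password in the request at all. Below is an added example, not code from this thread or from uniGUI, that models such an exchange in Python: the server issues a random single-use nonce, the browser side derives a verifier from the password and a public salt and sends only an HMAC over the nonce, and the server checks that against the stored verifier. The names LoginServer, client_proof and run_exchange, the sample user "admin", its password and its salt are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


def make_verifier(password: str, salt: bytes) -> bytes:
    # Both sides derive the same verifier; the server stores it, the client recomputes it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: per-user random salt plus verifier, never the password.
USER_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
USERS = {"admin": {"salt": USER_SALT, "verifier": make_verifier("correct horse", USER_SALT)}}


class LoginServer:
    """Server half: hands out single-use challenges and checks HMAC proofs."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self.pending = {}  # nonce -> (username, expiry)

    def challenge(self, username: str) -> dict:
        user = USERS.get(username)
        # Always return a salt so an unknown user is not distinguishable from a known one.
        salt = user["salt"] if user else hashlib.sha256(username.encode()).digest()[:16]
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (username, time.time() + self.ttl)
        return {"salt": salt.hex(), "nonce": nonce}

    def login(self, username: str, nonce: str, proof: str) -> bool:
        entry = self.pending.pop(nonce, None)  # pop: each nonce is accepted at most once
        if entry is None or entry[0] != username or time.time() > entry[1]:
            return False
        user = USERS.get(username)
        if user is None:
            return False
        expected = hmac.new(user["verifier"], nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, proof)


def client_proof(password: str, challenge: dict) -> str:
    """Browser half: derive the verifier locally and prove it for this nonce.
    Only the nonce and the HMAC leave the client; the password string never does."""
    verifier = make_verifier(password, bytes.fromhex(challenge["salt"]))
    return hmac.new(verifier, challenge["nonce"].encode(), "sha256").hexdigest()


def run_exchange(password: str, replay: bool = False) -> tuple:
    """Drive one login and optionally re-submit the captured message.
    Returns (first_result, replay_result, wire_message)."""
    server = LoginServer()
    ch = server.challenge("admin")
    # `msg` is exactly what a local capture of the login request would show.
    msg = {"username": "admin", "nonce": ch["nonce"], "proof": client_proof(password, ch)}
    first = server.login(**msg)
    replayed = server.login(**msg) if replay else False
    return first, replayed, msg


if __name__ == "__main__":
    ok, again, wire = run_exchange("correct horse", replay=True)
    print("login:", ok, "replay accepted:", again)
    print("on the wire:", wire)
```

A capture of `msg` yields a nonce and a proof that the server refuses the second time, so it cannot be replayed, and the password itself is absent from it. Two caveats a reviewer would still raise: the stored verifier is password-equivalent under this scheme, so the credential table needs the same protection as before, and TLS remains necessary for everything after login, since the session that follows is what a capture would otherwise take. A proxy or debugger on the user's own machine can still read the form field; the scheme removes the password from the request, not from the browser.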
-
This security problem was found by local packet capture. If the security problem is not solved, the system is not allowed to go online.
-
This security problem was obtained through local packet capture.
-
HTTPS is enabled; it's not caused by SQL injection.
-
I use the uniGUI login form.
-
It is a security problem detected by a third party. The code is very simple:
procedure TUniLoginFrm.LoginButClick(Sender: TObject);
begin
  ...
  UniQuery1.Active := false;
  // the edit-box values are concatenated directly into the SQL text
  UniQuery1.SQL.Text := 'select * from ss_customer_info where (customer_id=' + chr(39) +
    UniEdit1.Text + chr(39) + ') and (admin_id =' + chr(39) + UniEdit2.Text + chr(39) +
    ') and (admin_pass=' + chr(39) + MD5(cl_decrypt(uniedit2.text)) + chr(39) + ')';
  UniQuery1.Open;
  ...
end;
-
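The snippet above builds its WHERE clause by splicing the edit-box text between chr(39) quotes, which is a separate risk from the plaintext one this thread is about: any value containing a quote changes the statement. Below is an added example, not the poster's code, that mirrors the posted query against a constructed in-memory SQLite table in Python and runs the same input through the concatenated form and a parameterized form. The table, the row (customer "c001", admin "o'brien") and the helper names make_db, lookup_concatenated, lookup_parameterized and compare are constructed for the demo; md5_hex stands in for the page's MD5() only so the column compares the same way and is not a recommendation for password storage.

```python
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    # Stand-in for the MD5() in the posted query; kept only to mirror the page.
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with the columns used by the posted query."""
    con = sqlite3.connect(":memory:")
    con.execute("create table ss_customer_info (customer_id text, admin_id text, admin_pass text)")
    con.execute("insert into ss_customer_info values (?, ?, ?)",
                ("c001", "o'brien", md5_hex("secret")))  # constructed row
    con.commit()
    return con


def lookup_concatenated(con, customer_id: str, admin_id: str, admin_pass: str) -> int:
    """The pattern in the posted Delphi: values spliced into the SQL text between quotes."""
    sql = ("select count(*) from ss_customer_info where (customer_id='" + customer_id +
           "') and (admin_id ='" + admin_id + "') and (admin_pass='" + md5_hex(admin_pass) + "')")
    return con.execute(sql).fetchone()[0]


def lookup_parameterized(con, customer_id: str, admin_id: str, admin_pass: str) -> int:
    """Same query with bound parameters: values travel separately from the SQL text,
    so a quote inside a value can never alter the statement."""
    sql = ("select count(*) from ss_customer_info where customer_id = ? "
           "and admin_id = ? and admin_pass = ?")
    return con.execute(sql, (customer_id, admin_id, md5_hex(admin_pass))).fetchone()[0]


def compare(admin_id: str) -> dict:
    """Run both forms on the same input and report whether the concatenated form parses."""
    con = make_db()
    out = {"parameterized": lookup_parameterized(con, "c001", admin_id, "secret")}
    try:
        out["concatenated"] = lookup_concatenated(con, "c001", admin_id, "secret")
    except sqlite3.OperationalError as e:
        out["concatenated"] = f"error: {e}"  # a quote in the value broke the SQL text
    return out


if __name__ == "__main__":
    print(compare("o'brien"))
```

compare("o'brien") returns 1 for the parameterized lookup and an error string for the concatenated one: the apostrophe in a perfectly legitimate value terminates the string literal and the statement no longer parses. In the Delphi code the equivalent is to write `:customer_id`-style placeholders in `SQL.Text` and assign the values through `ParamByName`, which keeps the data out of the statement text in the same way.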
-
4 hours ago, huayan889 said:
-
-
33 minutes ago, azago said:
or
UniSession.AddJS(pdfFrame.JSName + '.iframe.contentWindow.document.getElementById("print").click()');
Thanks
How do you deal with the problem of plaintext?
yes