irigsoft Posted April 26, 2021
This is with the login form: Project1_LoginForm.zip
huayan889 (Author) Posted April 27, 2021
Just let the third party test it; the results will also show the plaintext problem.
irigsoft Posted April 27, 2021
1 hour ago, huayan889 said: Just let the third party test it; the results will also show the plaintext problem.
What values do you see in the third-party results, '123' or the username/password? Can you send a screenshot of the results?
irigsoft Posted April 27, 2021
Do you know if it will work if we apply Digest authentication?
huayan889 (Author) Posted April 29, 2021
When debugging today, I found that the message with the clear text appeared in the Ajax event (Params.Text, one name=value per line; the `#$D#$A` in the Delphi string literal are CR LF separators):

```
Ajax=1
isevent=1
obj=O13
evt=click
this=O13
_S_ID=N43zzWfc1U10823EF63
_fp_=%26O27%3D%25020%2502%2502Sz!sctc%254020201
_seq_=4
_uo_=O0
```

```pascal
procedure TUniLoginFrm.LoginButAjaxEvent(Sender: TComponent; EventName: string;
  Params: TUniStrings);
begin
  if EventName = 'click' then
    if Pos('_fp_', Params.Text) > 0 then
      ShowMessageN(Params.Text);   // show the raw parameter block for debugging
end;
```
huayan889 (Author) Posted April 29, 2021
On 4/27/2021 at 1:23 PM, irigsoft said: Do you know if it will work if we apply Digest authentication?
The method you provided has been used, but plaintext still appears in the Ajax event.
huayan889 (Author) Posted April 29, 2021
On 4/27/2021 at 1:23 PM, irigsoft said: Do you know if it will work if we apply Digest authentication?
There is a strange phenomenon: the plaintext problem appears only when the login information is incorrect.
huayan889 (Author) Posted April 29, 2021
[screenshot]
irigsoft Posted April 29, 2021
8 minutes ago, huayan889 said: [screenshot]
Hello, I see in my tests that when numbers like 1 or 02 are used, an internal error occurs. Perhaps in your test this causes the plain text to appear as it is. This error does not occur when characters are used.
irigsoft Posted April 29, 2021
1 hour ago, huayan889 said: There is a strange phenomenon: the plaintext problem appears only when the login information is incorrect.
So, if you use Digest auth, the plain text does not appear? Or if you use my method, the plain text does not appear?
irigsoft Posted April 29, 2021
Did you try to replace the "_fp_" parameters in an Ajax event?
huayan889 (Author) Posted April 29, 2021
1 minute ago, irigsoft said: Did you try to replace the "_fp_" parameters in an Ajax event?
I mean the plaintext when the password is incorrect, and replacing it in the Ajax event doesn't work.
huayan889 (Author) Posted April 29, 2021

```pascal
procedure TUniLoginFrm.LoginButAjaxEvent(Sender: TComponent; EventName: string;
  Params: TUniStrings);
begin
  if EventName = 'click' then
    if Pos('_fp_', Params.Text) > 0 then
      Params.Clear;   // drop the whole parameter block, including '_fp_'
end;
```
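The Params dump posted earlier in the thread and the Params.Clear handler above concern the same data. As an added example, not code from the thread or from uniGUI, the following Python parses a captured click-event body in that shape and decodes the `_fp_` form post, which is what an interception proxy or a third-party scanner reads: the form's field values in the clear. The CRLF name=value layout, the double URL-encoding and the U+0002 separator are inferred from the single dump in the thread and are assumptions, as are the component id O27 and the credentials in the constructed sample. Because an OnAjaxEvent handler runs after the request has reached the server, clearing Params there changes what the server processes, not what was already captured on the wire; only transport encryption (HTTPS) changes that.

```python
# Added example (not from the thread): decode what a proxy or third-party
# test tool sees in the '_fp_' parameter of a uniGUI Ajax click event.
#
# Assumption, inferred from the Params dump posted in the thread: the request
# body is one 'name=value' per CRLF line, and '_fp_' carries the form's field
# values URL-encoded twice, joined with U+0002 and prefixed by the component
# id (e.g. '&O27=' followed by the values). The component id and the
# credentials below are constructed for this example.
from typing import Dict, List
from urllib.parse import quote, unquote

FIELD_SEP = "\x02"

# characters that JavaScript's encodeURIComponent leaves literal beyond the
# ones urllib already keeps; '!' appears unencoded in the captured sample
_JS_SAFE = "!*'()"


def encode_fp(component_id: str, values: List[str]) -> str:
    """Build an '_fp_' value in the observed shape (double URL-encoded)."""
    inner = "&" + component_id + "=" + FIELD_SEP + FIELD_SEP.join(values)
    return quote(quote(inner, safe=_JS_SAFE), safe=_JS_SAFE)


def parse_ajax_body(body: str) -> Dict[str, str]:
    """Split the CRLF-separated 'name=value' lines of the Ajax request."""
    params: Dict[str, str] = {}
    for line in body.split("\r\n"):
        if "=" in line:
            name, _, value = line.partition("=")
            params[name] = value
    return params


def decode_fp(fp: str) -> Dict[str, List[str]]:
    """Undo both URL-encodings and split the field values per component."""
    raw = unquote(unquote(fp))
    result: Dict[str, List[str]] = {}
    for part in raw.split("&"):
        if not part:
            continue
        component, _, joined = part.partition("=")
        values = joined.split(FIELD_SEP)
        # the value list starts with the separator, so drop the empty head
        if values and values[0] == "":
            values = values[1:]
        result[component] = values
    return result


def field_values_in_body(body: str) -> Dict[str, List[str]]:
    """What an interception proxy can read out of the captured click event."""
    params = parse_ajax_body(body)
    return decode_fp(params.get("_fp_", ""))


# Constructed sample: the same layout as the dump in the thread, with made-up
# session id and credentials. 'O27' stands for the login form, the values
# are the texts of its edit fields in component order.
SAMPLE_BODY = "\r\n".join([
    "Ajax=1",
    "isevent=1",
    "obj=O13",
    "evt=click",
    "this=O13",
    "_S_ID=SESSIONIDEXAMPLE",
    "_fp_=" + encode_fp("O27", ["0", "alice", "S3cret!pw@2021"]),
    "_seq_=4",
    "_uo_=O0",
])

if __name__ == "__main__":
    # prints: O27 ['0', 'alice', 'S3cret!pw@2021']
    for component, values in field_values_in_body(SAMPLE_BODY).items():
        print(component, values)
```

Run it against a body captured from your own test instead of SAMPLE_BODY to confirm which edit fields end up in `_fp_`; if the decoded list still contains the password, a server-side handler on the event is too late to hide it.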
irigsoft Posted April 29, 2021
Now I can see the result of the Ajax event in the console and will try to make some changes to the code. Just for information: I didn't use authorization in my test, only two edit fields, a login form and a button click. So, in my test all form data are incorrect passwords.
irigsoft Posted April 29, 2021
5 minutes ago, huayan889 said: I mean the plaintext when the password is incorrect, and replacing it in the Ajax event doesn't work.
Just one question: I can't understand when the plain text is shown.
1. If you use Digest auth and real passwords, is it OK (plain text not shown)?
2. If you use Digest auth + my code + a real password, is it OK?
3. If you use only my code + a real password, is it OK?
irigsoft Posted April 29, 2021
I see this when I test with my test project, button click on the login form. I replaced the '_fp_' plain text with '123'.
[screenshot]

irigsoft Posted April 29, 2021
and after this message I get this for the fields:
[screenshot]
huayan889 (Author) Posted April 29, 2021
Login form code:

```pascal
unit Login;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Soap.EncdDecd,
  Controls, Forms, uniGUITypes, uniGUIAbstractClasses, AuthenticodeGenerate,
  uniImage, Vcl.ExtCtrls, cl_crypt32, uniGUIClasses, uniGUIRegClasses,
  uniGUIForm, uniButton, uniEdit, uniGUIBaseClasses, uniGroupBox, Data.DB,
  MemDS, DBAccess, Uni, uniPanel, uniStatusBar, uniTimer, uniLabel,
  uniGUIJSUtils, HTTPApp;

type
  TUniLoginFrm = class(TUniLoginForm)
    admin_pass: TUniEdit;
    LoginBut: TUniButton;
    admin_id: TUniEdit;
    UniEdit1: TUniEdit;
    UniQuery1: TUniQuery;
    UniPanel1: TUniPanel;
    UniImage1: TUniImage;
    UniEdit3: TUniEdit;
    UniButton2: TUniButton;
    UniTimer1: TUniTimer;
    UniPanel2: TUniPanel;
    UniPanel3: TUniPanel;
    UniPanel4: TUniPanel;
    UniPanel5: TUniPanel;
    procedure UniButton2Click(Sender: TObject);
    procedure UniImage1Click(Sender: TObject);
    procedure LoginButClick(Sender: TObject);
    procedure UniLoginFormCreate(Sender: TObject);
    procedure UniTimer1Timer(Sender: TObject);
    procedure UniLoginFormActivate(Sender: TObject);
    procedure UniEdit3KeyPress(Sender: TObject; var Key: Char);
    procedure UniLoginFormReady(Sender: TObject);
    procedure LoginButAjaxEvent(Sender: TComponent; EventName: string;
      Params: TUniStrings);
  private
    { Private declarations }
    Authenticode: string;   // current verification-code (captcha) text
  public
    { Public declarations }
    ps: string;
  end;

function UniLoginFrm: TUniLoginFrm;

implementation

{$R *.dfm}

uses
  uniGUIVars, MainModule, uniGUIApplication, IdHashMessageDigest, Main,
  ServerModule;

function UniLoginFrm: TUniLoginFrm;
begin
  Result := TUniLoginFrm(UniMainModule.GetFormInstance(TUniLoginFrm));
end;

// Hex MD5 of the password, matching what ss_users.user_pass stores.
// Unsalted MD5 is not a password hash; it is kept only because the stored
// hashes depend on it. Create is outside the try so Free never runs on an
// unassigned object.
function MD5(const str: string): String;
var
  AMD5: TIdHashMessageDigest5;
begin
  AMD5 := TIdHashMessageDigest5.Create;
  try
    Result := AMD5.HashStringAsHex(str);
  finally
    AMD5.Free;
  end;
end;

// Server-side attempt to drop the form post ('_fp_') from the click event.
procedure TUniLoginFrm.LoginButAjaxEvent(Sender: TComponent; EventName: string;
  Params: TUniStrings);
begin
  if EventName = 'click' then
    if Pos('_fp_', Params.Text) > 0 then
      Params.Clear;
end;

procedure TUniLoginFrm.LoginButClick(Sender: TObject);
var
  org_names: string;
begin
  org_names := '';
  UniMainModule.login_name := '';
  UniMainModule.fdmemTable1.Active := False;
  UniQuery1.Active := False;
  // Parameterised query. The original concatenated the edit texts into the
  // SQL string, which allowed SQL injection through the login fields.
  UniQuery1.SQL.Text :=
    'select * from ss_users where customer_id = :cid ' +
    'and user_account = :acc and user_pass = :pw';
  UniQuery1.ParamByName('cid').AsString := UniEdit1.Text;
  UniQuery1.ParamByName('acc').AsString := admin_id.Text;
  UniQuery1.ParamByName('pw').AsString := MD5(admin_pass.Text);
  UniQuery1.Open;
  if UniQuery1.RecordCount <> 0 then
  begin
    if LowerCase(UniEdit3.Text) = Authenticode.ToLower then // verification code
    begin
      UniTimer1.Enabled := False;
      UniMainModule.customer_id := UniEdit1.Text;
      UniMainModule.org_name := org_names;
      UniMainModule.login_name := admin_id.Text;
      ModalResult := mrOk;
      MainForm.UniStatusBar1.Panels[0].Text := org_names;
    end
    else
    begin
      UniTimer1.Enabled := True;
      UniPanel3.Caption := 'Verification code is incorrect! Please enter it again.';
      UniImage1Click(Self);
      UniEdit1.SetFocus;
    end;
  end
  else
  begin
    ShowMessageN('Login information is incorrect, please enter it again!');
    UniImage1Click(Self);
    UniEdit1.SetFocus;
  end;
end;

procedure TUniLoginFrm.UniButton2Click(Sender: TObject);
begin
  ModalResult := mrCancel;
end;

procedure TUniLoginFrm.UniEdit3KeyPress(Sender: TObject; var Key: Char);
begin
  if Key = #13 then
    LoginButClick(Self);
end;

// Generates a new 4-character verification-code image and keeps its text
// in Authenticode for the comparison in LoginButClick.
procedure TUniLoginFrm.UniImage1Click(Sender: TObject);
var
  img1: TImage;
begin
  img1 := TImage.Create(Self);
  try
    img1.Height := UniImage1.Height;
    img1.Width := UniImage1.Width;
    Authenticode := GenerateAuthenticode(img1, 4);
    UniImage1.Picture.Bitmap.Assign(img1.Picture.Bitmap);
  finally
    FreeAndNil(img1);
  end;
end;

procedure TUniLoginFrm.UniLoginFormActivate(Sender: TObject);
begin
  UniTimer1.Enabled := True;
end;

// Pre-fills the fields from cookies: 'pw' and 'UName' are decrypted with
// cl_decrypt, 'DWID' is used as-is.
procedure TUniLoginFrm.UniLoginFormCreate(Sender: TObject);
var
  ns, dwid: string;
begin
  admin_pass.Text := cl_decrypt(UniApplication.Cookies.Values['pw']);
  ns := cl_decrypt(UniApplication.Cookies.Values['UName']);
  dwid := UniApplication.Cookies.Values['DWID'];
  if ns <> '' then
    admin_id.Text := ns;
  if dwid <> '' then
    UniEdit1.Text := dwid;
  UniImage1Click(Self);
end;

// Registers the JS names of the user name and password edits in the server
// module's ProtectDataList. IndexOfName returns -1 when the name is absent;
// index 0 is a valid hit, so the test is '< 0', not '<= 0'.
procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
begin
  if UniServerModule.ProtectDataList.IndexOfName(admin_id.Name) < 0 then
    UniServerModule.ProtectDataList.Add(admin_id.Name + '=' + admin_id.JSName) // JSName of the user name element
  else
    UniServerModule.ProtectDataList.Values[admin_id.Name] := admin_id.JSName;
  if UniServerModule.ProtectDataList.IndexOfName(admin_pass.Name) < 0 then
    UniServerModule.ProtectDataList.Add(admin_pass.Name + '=' + admin_pass.JSName) // JSName of the password element
  else
    UniServerModule.ProtectDataList.Values[admin_pass.Name] := admin_pass.JSName;
end;

procedure TUniLoginFrm.UniTimer1Timer(Sender: TObject);
begin
  UniImage1Click(Self);
end;

initialization
  RegisterAppFormClass(TUniLoginFrm);

end.
```
irigsoft Posted April 29, 2021
2 minutes ago, huayan889 said: Login form code: (the unit Login quoted in full above)
OK, and do you use procedure TUniServerModule.UniGUIServerModuleHTTPCommand?
huayan889 (Author) Posted April 29, 2021
Your demo:
[screenshot]
huayan889 (Author) Posted April 29, 2021
4 minutes ago, irigsoft said: OK, and do you use procedure TUniServerModule.UniGUIServerModuleHTTPCommand?
Yes.
irigsoft Posted April 29, 2021
3 minutes ago, huayan889 said: Your demo:
Yes, it is so. Now I see this and can try to change the data.
irigsoft Posted April 30, 2021
Hello and happy holidays. I found a solution for this problem; can you test it with third-party software? Project1.zip
The solution is based on this topic: and here are the results:
1. The uniButton1.OnClick event gets the values of uniEditUser and uniEditPass on the client side and stores them in the local variables FuKey and FpKey.
2. It replaces the uniEditUser and UniEditPass text values with '123', and
3. shows the values of the local variables.
Here is the result in the Google console:
[screenshot]
huayan889 (Author) Posted April 30, 2021
28 minutes ago, irigsoft said: Hello and happy holidays. I found a solution for this problem; can you test it with third-party software? Project1.zip 1.65 MB · 1 download (quoted in full above)
[screenshot]
huayan889 (Author) Posted April 30, 2021
The same problem still exists with the new demo I just tested.