Encrypted password verification

0

I'm having a hard time checking the login with Delphi with encrypted password in the MySQL database, I can do the registration and encrypt the password in the database through Delphi with the StoredProcedure that I created in MySQL , this encryption made through the MD5 function of the MySQL itself. In Delphi , use TSQLStoredProc to use StoredProcedure of database.

The difficulty is in the% of% I created in Function , it returns an integer. If it is Mysql return:

zero

If it is o login está incorreto :

o login está certo 

um works correctly on Function , makes the correct comparison, however, what I do not know is how do I show or compare this MySQL with that integer return on Function .

Here is my code for you to understand:

SQL:

DELIMITER $$ 
 CREATE TABLE 'tbl_users' ( 
  'id' int(11) NOT NULL AUTO_INCREMENT, 
  'username' varchar(15) NOT NULL, 
  'firstlast_name' varchar(80) DEFAULT NULL, 
  'password' varchar(45) DEFAULT NULL, 
  PRIMARY KEY ('id') 
)$$ 
 DELIMITER ; 

 DELIMITER $$  
 DROP FUNCTION IF EXISTS 'fun_valida_usuario'$$  
 CREATE FUNCTION 'fun_valida_usuario'(p_username VARCHAR(15)  
                , p_password VARCHAR(45) ) RETURNS INT(1)  
 BEGIN  
 DECLARE _ret            INT(1) DEFAULT 0;  
     SET _ret = IFNULL((SELECT DISTINCT 1  
                       FROM tbl_users  
                      WHERE 'username' = p_username  
                       AND 'password' = MD5(p_password)),0);                            
 RETURN _ret;  
 END$$  
 DELIMITER ; 

DELIMITER $$ 
CREATE PROCEDURE 'proc_iae_tbl_users'( 
p_opc varchar(1), 
p_id int, 
p_username varchar(15), 
p_firstlast_name varchar(80), 
p_password varchar(45)) 
BEGIN 

IF ((p_opc = 'I') && (p_username != '') && (p_password != '')) THEN 

  INSERT INTO tbl_users (id, username, firstlast_name, 'password') VALUES (p_id, p_username, p_firstlast_name, MD5(p_password)); 

ELSE 

IF ((p_opc = 'E') && (p_id > 0)) THEN 

   delete from tbl_users where id = p_id; 

ELSE 

IF ((p_opc = 'A')) THEN 

  UPDATE tbl_users set id = p_id, username = p_username, firstlast_name = p_firstlast_name, 'password' = p_password WHERE id = p_id; 

ELSE 
SELECT 'Você não pode realizar as alterações' AS Msg; 
END IF; 
END IF; 
END IF; 

END$$ 
DELIMITER ; 

PAS:

unit Unit1; 

interface 

uses 
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, 
  Dialogs, WideStrings, DBXMySql, DB, SqlExpr, FMTBcd, Provider, DBClient, 
  StdCtrls, Mask, DBCtrls; 

type 
  TForm1 = class(TForm) 
    SQLConnection1: TSQLConnection; 
    ClientDataSet1: TClientDataSet; 
    DataSetProvider1: TDataSetProvider; 
    SQLQuery1: TSQLQuery; 
    SQLQuery1id: TIntegerField; 
    SQLQuery1username: TStringField; 
    SQLQuery1firstlast_name: TStringField; 
    SQLQuery1password: TStringField; 
    DataSource1: TDataSource; 
    ClientDataSet1id: TIntegerField; 
    ClientDataSet1username: TStringField; 
    ClientDataSet1firstlast_name: TStringField; 
    ClientDataSet1password: TStringField; 
    InsertUser: TButton; 
    Edit1: TEdit; 
    Edit2: TEdit; 
    proc_iae_tbl_users: TSQLStoredProc; 
    proc_iae_tbl_usersMsg: TStringField; 
    Edit3: TEdit; 
    Edit4: TEdit; 
    Edit5: TEdit; 
    VerifyLogin: TButton; 
    Label1: TLabel; 
    Label2: TLabel; 
    SQLStoredProc1: TSQLStoredProc; 
    SQLStoredProc1Value: TIntegerField; 
    Label3: TLabel; 
    DBEdit1: TDBEdit; 
    DataSource2: TDataSource; 
    SQLQuery2: TSQLQuery; 
    SQLQuery2Valor: TIntegerField; 
    Label4: TLabel; 
    DBEdit2: TDBEdit; 
    DataSource3: TDataSource; 
    procedure Button1Click(Sender: TObject); 
    procedure Button2Click(Sender: TObject); 
  private 
    { Private declarations } 
  public 
    { Public declarations } 
  end; 

var 
  Form1: TForm1; 

implementation 

{$R *.dfm} 

procedure TForm1.InsertUserClick(Sender: TObject); 
begin 
   proc_iae_tbl_users.Close; 
   proc_iae_tbl_users.ParamByName('p_opc').Value:= 'I'; 
   proc_iae_tbl_users.ParamByName('p_username').Value:= Edit1.Text; 
   proc_iae_tbl_users.ParamByName('p_firstlast_name').Value:= Edit2.Text; 
   proc_iae_tbl_users.ParamByName('p_password').Value:= Edit3.Text; 
   proc_iae_tbl_users.ExecProc; 
end; 

procedure TForm1.VerifyLoginClick(Sender: TObject); 
begin 
   // Aqui deve ficar o código para logar e verificar o login 
end; 

end.

Can someone give me a solution?

Thank you for your prompt delivery. Thank you.

    
asked by anonymous 05.11.2016 / 00:43

2 answers

0

So guys, I tried to solve it.

On my login button, I implemented the following code:

  DM.sql_login.Close;
  DM.sql_login.SQL.Clear;
  DM.sql_login.SQL.Add('SELECT fun_valida_usuario("'+edt_username.Text+'","'+edt_password.Text+'") AS Ret');
  DM.sql_login.Open;

  if (DM.sql_login['Ret'] = 1 ) then
    begin
       DM.sql_login.Close;
      Close;
    end
  else
    begin
      MessageBox(handle,'Usuário ou Senha estão incorretos','Aviso',mb_IconError + mb_OK);
    end;

I hope it helps someone with the same doubt. Thank you for reading.

    
05.11.2016 / 02:26
0

Some safety considerations

According to what you described, I suggest you check the following topics:

  • Do not send your password to be encrypted in the bank. During this process anyone listening to your interaction with him can discover the password. Even if you have some security measures at the transport layer, it is 1000% safer to encrypt on the client (Delphi).

  • MD5 is not a good encryption algorithm. As it is calculated very quickly, an attacker can calculate billions of hashes per second. Consider using SHA-1 or preferably SHA-2.

  • That said, the answer to the question

    TSQLStoredProc inherits from TDataset component. In other words, it is a dataset. So all you need to consume the result of a stored procedure is to open the dataset and use its values. Example:

    StoredProc.Open;
    try
        CredenciaisValidas := StoredProc.FieldByName('Result').AsInteger = 1;
    finally
        StoredProc.Close;
    

    Note: I do not remember if Result is the name field used for the return of functions, but nothing that a little debug does not solve;)

        
    05.11.2016 / 02:35