
Remote Views


alnave (Technical User), May 27, 2009
Hi everyone. I am developing an executable app in VFP whereby I can access my MySQL data through remote views. To illustrate: in the VFP form, there will be username and password textboxes. After the user has filled them in, a query is sent to the MySQL database. I found it very easy to get the record through ODBC and a DSN. However, checking whether the password is correct will surely produce a MISMATCH, since the one entered in the textbox is plain text while the one in the selected record is encrypted.

My question is: Is there a way in VFP where I can use BCRYPT (now the default hashing algorithm in PHP/MySQL)?

Thank you very much in advance; any help will be greatly appreciated... Uenav
 
In my "book", storing passwords in a table is a big no-no, even if it's encrypted. Instead you store the hash value for the password, and compare the entered password's hash value against the one in the table.
 
@Tore Bleken,

Thank you for the early response. However, I think I might not have made myself very clear in my original post. Here's the scenario: We have an internet app using HTML-PHP-MySQL. As such, we have the following in our MySQL database:

username or email: temp@gmail.com
password: $2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K

This hash value was the result of the password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options) command in PHP, which was stored in the password field: password.

NOW, I want to develop an app in VFP using that same data in my login form. As I said, I could retrieve the record via ODBC and a DSN, but I will surely get a MISMATCH error even if I enter "rasmuslerdorf" in the textbox, because there is no command in VFP to translate "rasmuslerdorf" into "$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K", IS THERE? Unlike in PHP, where there is password_verify(<user-entered password>, <selected record password>).

In VFP we usually use the Windows crypto API to hash our passwords. This is a matter of different hash algorithms. So my question is: Is there a way I can use BCRYPT's password_verify(<user-entered password>, <selected record password>)?

Thank you -- I hope I have made myself very clear.
 
I understood your problem, but I didn't know all the details. May I guess that the MySQL data is also used from other applications, and not only from VFP? In that case you can ignore my advice, and unfortunately I can't provide any help.

My advice was given based on the assumption that the VFP application was the only user of the data on the MySQL server. Like a "don't start in the wrong end" advice.
 
Indeed the simplest solution would be to use PHP's password_verify() function. There also is a Windows Bcrypt.dll.
But just using PHP or bcrypt to make the correct user verification does not hinder usage of the MySQL DSN, does it? This type of security is like a secure lock on a cardboard box.

The website security in this aspect is maintained by encapsulating both the web application and the web application database at the server side and NOT providing direct database connections to clients. You already break this encapsulation, and this means the DSN already is your wide open backdoor if it connects without specifying the MySQL user/password as separate connection parameters. And even if it does, either all users need to know this to make the connection or your application has this in source code or configuration data. Just to clarify, we're talking of the MySQL user/password here, not the webapp user/password. It's typically all a hacker needs to get to all users' data, as this provides the level of access to all data anyway, no matter if the connection is via an SSL tunnel, no matter if the database files on the hdd are AES encrypted.

In the long run what you need is to develop an API. Your web application would need to provide this for third-party extensions - and even your own desktop client. That would typically involve an OAuth authentication and then usage via API HTTP requests signed with an OAuth access token, so no direct MySQL connection, only access via the web app API in the form of HTTP requests and responses using JSON or XML to transfer data and/or parameters.

Bye, Olaf.

Olaf Doschke Software Engineering
 