
I can't use SQL parameters in Delphi. If I try to use them to protect my login form, I get the following error upon login:

[0x0005] Operation not supported

The code I am using is:

SQLQuery1.SQL.Text := 'SELECT * FROM registered WHERE email = :Email' +
                      ' AND login_pass = :Password';
// ParamByName is case-insensitive, so 'email' binds :Email and 'password' binds :Password
SQLQuery1.ParamByName('email').AsString := Email;
SQLQuery1.ParamByName('password').AsString := Password;

SQLQuery1.Open; // Execute the SELECT and open the result set
if SQLQuery1.RecordCount > 0 then Form2.Show;

but it is not working. The code below works correctly, but is it always unsafe?

// Values are spliced directly into the SQL text
SQLQuery1.SQL.Text := 'SELECT * FROM registered WHERE email="' + Email +
                      '" AND login_pass="' + Password + '"';

I am using the TMySQLConnection and TMySQLQuery components, have set ParamsCheck to True, and am using the first code shown above, which doesn't work. How do I correct the problem?

Any suggestion or help would be appreciated.

Thank you

  • +1 for insisting on using parameters, but note that storing passwords in the clear is also very bad. Use salted hashes instead: SELECT * FROM registered WHERE email = :email AND passhash = SHA2(CONCAT(salt,:password),512) Commented Dec 27, 2011 at 11:48
  • According to the docs TMySQLQuery does support parameters: microolap.com/products/connectivity/mysqldac/help/TMySQLQuery/… Commented Dec 27, 2011 at 11:51
  • @Johan the password variable contains the password already hashed in MD5 Commented Dec 27, 2011 at 12:03
  • MD5 is not a secure hash function, and if you don't salt the hash a rainbow table will break it in seconds, see: stackoverflow.com/questions/401656/… Commented Dec 27, 2011 at 12:12
  • You should 1) add a salt and 2) hash n times. Hashing one time only is not very safe; rainbow tables made "reversing" hashes easy enough. Commented Dec 27, 2011 at 13:15

2 Answers


Check the help for "RecordCount". It may raise an exception if the dataset can't determine how many records are returned. What if you remove it and simply check that the dataset is not empty (IsEmpty)?


1 Comment

Thank you very much, that is exactly what was causing the problem.


Use salted hashes for your password check
Storing an unencrypted password in a database is a no-no.
Use a salted hash instead:

SELECT * FROM registered WHERE email = :email 
AND passhash = SHA2(CONCAT(salt,:password),512)

You can store the passhash in the DB by doing:

INSERT INTO registered (email, passhash, salt) 
VALUES (:email, SHA2(CONCAT(:salt,:password),512), :salt)  

The salt does not need to be truly random, but it does need to be somewhat random and different for each user.

1 Comment

I can't figure out how the underscore in a column name might be an issue.
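As an added example, not code from the question or from either answer: the Python script below builds an in-memory SQLite table named after the post's `registered` table (constructed rows, made-up addresses and passwords), reproduces both login queries from the question, and shows why the concatenated form can be bypassed while the parameterised form cannot. It then adds the salted-hash check from the answer above. SQLite has no SHA2() function, so the SHA-512 over salt and password is computed in application code rather than inside the query as the MySQL version does; the injection payload, the per-user salt generation with `secrets.token_hex`, and all function names are assumptions for illustration. The vulnerable query uses single quotes rather than the post's double quotes so that SQLite reads the spliced values as string literals, which is how MySQL read them in the original.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample data (not from the post): email and cleartext password.
# The cleartext column login_pass is kept only to reproduce the question's queries;
# the salted-hash columns are what a real schema should rely on.
USERS = [
    ("victim@example.com", "correct horse battery staple"),
    ("other@example.com", "hunter2"),
]

# Constructed injection payload: closes the string literal, then comments out
# the rest of the WHERE clause so the password is never checked. The space after
# "--" is what MySQL requires for a comment; SQLite accepts it as well.
PAYLOAD_EMAIL = "victim@example.com' -- "


def hash_password(salt: str, password: str) -> str:
    """SHA-512 over salt||password, the same construction as the answer's
    SHA2(CONCAT(salt, :password), 512), done client-side for SQLite."""
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create the registered table and insert the constructed users with a random salt each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registered (email TEXT PRIMARY KEY, login_pass TEXT, "
        "salt TEXT, passhash TEXT)"
    )
    for email, password in USERS:
        salt = secrets.token_hex(16)  # different for every user, as the answer requires
        conn.execute(
            "INSERT INTO registered (email, login_pass, salt, passhash) VALUES (?, ?, ?, ?)",
            (email, password, salt, hash_password(salt, password)),
        )
    return conn


def login_concat(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The question's second snippet: attacker-controlled text becomes part of the SQL."""
    sql = ("SELECT * FROM registered WHERE email='" + email
           + "' AND login_pass='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_params(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The question's first snippet: placeholders in the SQL, values bound separately.
    sqlite3 uses :name placeholders just like the Delphi :Email / :Password params."""
    sql = "SELECT * FROM registered WHERE email = :email AND login_pass = :password"
    row = conn.execute(sql, {"email": email, "password": password}).fetchone()
    return row is not None


def login_salted_hash(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup plus the salted-hash comparison from the second answer.
    compare_digest avoids leaking the position of the first mismatching byte."""
    row = conn.execute(
        "SELECT salt, passhash FROM registered WHERE email = :email", {"email": email}
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(salt, password), stored)


def demo() -> dict:
    """Run the three login variants against the constructed table."""
    conn = make_db()
    good_pw = "correct horse battery staple"
    return {
        "concat_bypass": login_concat(conn, PAYLOAD_EMAIL, "not the password"),   # True: logged in
        "params_bypass": login_params(conn, PAYLOAD_EMAIL, "not the password"),   # False
        "params_ok": login_params(conn, "victim@example.com", good_pw),           # True
        "hash_ok": login_salted_hash(conn, "victim@example.com", good_pw),        # True
        "hash_bad": login_salted_hash(conn, "victim@example.com", "wrong"),       # False
        "hash_payload": login_salted_hash(conn, PAYLOAD_EMAIL, "anything"),       # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload, the concatenated query collapses to `SELECT * FROM registered WHERE email='victim@example.com'` and the password check is commented away; the parameterised query looks for an address that literally ends in `' -- ` and finds nothing. As the comments on the question point out, a single fast hash such as MD5 or one SHA-512 pass is weak even when salted; the salt here defeats precomputed tables, but a deliberately slow, iterated function is the better choice for stored passwords.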
