
Leaderboard


Popular Content

Showing content with the highest reputation on 04/02/20 in Posts

  1. Anders Melander

    Connection string encryption

    It sounds like you really just need protection against casual discovery of the information. In that case just obfuscate it, e.g. with a simple ROT13 or even base64 encoding. If someone already has access to the physical machine, and is willing to do the work required, the battle is lost anyway. There are a million ways to circumvent any local encryption scheme, so forget about that.
  2. Hi, I just updated my header translation for LLVM 10. It's available on Delphinus or on my GitHub repo and comes along with the precompiled binary. http://memnarch.bplaced.net/blog/2020/04/llvm4d-llvm-c-headers-for-delphi/
  3. This is more an FYI, instead of hardcasting a Pointer, you could use Variant Parts in Records to get the illusion of typesafety.
  4. Vincent Parrett

    VSoft.Awaitable - async/await for Delphi

    https://github.com/VSoftTechnologies/VSoft.Awaitable

    This is a simple wrapper over OmniThreadLibrary that borrows from its Parallel.Async idea, but allows you to call functions that return values. e.g.

        // value and token are captured from the enclosing scope (not shown in the post)
        TAsync.Configure<string>(
          function (const cancelToken : ICancellationToken) : string
          var
            i: Integer;
          begin
            result := 'Hello ' + value;
            for i := 0 to 2000 do
            begin
              Sleep(1);
              //in loops, check the token
              if cancelToken.IsCancelled then
                exit;
            end;
            //where api's can take a handle for cancellation, use the token.handle
            WaitForSingleObject(cancelToken.Handle, 5000);
            //any unhandled exceptions here will result in the on exception proc being called (if configured)
            //raise Exception.Create('Error Message');
          end, token)
        .OnException(
          procedure (const e : Exception)
          begin
            Label1.Caption := e.Message;
          end)
        .OnCancellation(
          procedure
          begin
            //clean up
            Label1.Caption := 'Cancelled';
          end)
        .Await(
          procedure (const value : string)
          begin
            //use result
            Label1.Caption := value;
          end);

    BTW, I know this isn't really quite the same as async/await (I use C# a lot) but it's about as close as we can get right now. My use case was just to be able to make long running requests in a thread and allow the caller to cancel the requests.
  5. Indeed, currently Hyper-V doesn't play well with any other hypervisor system. This is going to change in the near future at least for VMware Workstation, though.
  6. Edwin Yip

    Connection string encryption

    I think you nailed it; the others think either bullet-proof encryption or nothing. And here is a ROT13 algorithm by Andreas Rejbrand: https://stackoverflow.com/a/6800389/133516
  7. Vincent Parrett

    VSoft.Awaitable - async/await for Delphi

    What would that look like? I guess I could try adding overloads that take regular methods, I'll have a stab at it. As for captures, yes I've been caught out myself a few times.
  8. Vandrovnik

    Connection string encryption

    Soji wrote "legacy application", I think it is not a mobile app, but a desktop one, which connects directly to a database.
  9. This does not smell right to me. You're using inheritance to model composition, IMO. Your base object is a file. You don't really need to make a class around just a file. If you want to operate on two files, you don't do that by inheritance -- that's composition. You'd want a function that takes two files and compares them and returns some kind of result. You don't need a class for this either. Another function could take one input file and the diff data and regenerate the second file.

    In a typical Linux command shell, you'd use:

        diff -e file1 file2 >diff_f1_f2

    You also have directionality, so you could go the other way:

        diff -e file2 file1 >diff_f2_f1

    These output files are called "deltas" and one is a "forward delta" while the other is a "reverse delta". The "diff -e" command gives you an output file that consists of a series of edit commands (for 'ed') that you can feed into it with the first file to get at the second file.

        ed -f diff_f1_f2 file1 > file2_again

    I'm hard-pressed to think how I'd build classes around these commands. You could have a file mirroring scheme that uses a LocalStore and a RemoteStore. Each store would keep reverse deltas, but the LocalStore would generate forward deltas to send to the RemoteStore to reflect the latest changes to a file without having to send the entire file. This makes sense -- this scheme is maintaining state by keeping the RemoteStore an accurate reflection of the LocalStore while minimizing transmission bandwidth.

    If all you're trying to do is visualize things, that's a little different, but you could think of the output as commands to colorize the text rather than edit it. You'd go one direction then the other and colorize each file based on changes needed to get one side from the other. But you're still not maintaining any kind of state, since the files are static and everything can be derived again at any time from the same input files. The FILES themselves represent the "current state" of their relationship that you're looking to visualize. The 3-way compare simply uses three files and does three (or six) different comparisons.

    A class implements behavior and maintains state. There's no state that needs to be maintained here -- just some functions that take input files and generate output files. The same output is produced for the same input, every time. One could argue that the functions implement behavior -- yes, but they don't change the state of the underlying data. So it's just a container of convenience. This seems like a rather far reach to come up with a class design when it's of no obvious benefit.
  10. Tntman

    Connection string encryption

    If I understood right you have a mobile application with a service that is working in the background. That service should perform some request/response to a database? Here in this design you are missing a crucial part and that is the web application that will be hosted in the middle. The web application code will be on a remote server and nobody would see that code (that's a plus, they basically can't crack it, they can only imagine how that application is written, although there are some other security concerns). Your database credentials will be only in the web application and only the web application will be talking DIRECTLY to a DB. That is why you will be making a public interface that will be available to the end user and that is called an API (Application Programming Interface). Your API will be public and anybody could guess your API route, for example (www.mysite.com/api/customers).

    One common way of protecting routes is to restrict them, example:

    www.mysite.com/api/customers <- this route is a PUBLIC [ GET ] route. Anyone who visits this link will get a list of all customers in your database in JSON format, for example.

    www.mysite.com/api/otherRoute <- this route is a PUBLIC [ GET ] route but this route will have middleware in between request and response. Middleware will check if the PERSON who is visiting this route is authenticated; if they are authenticated it will return data. Anyone who visits this link (if authenticated - has a valid token) will get a list of all customers in your database in JSON format, for example.

    You can basically put any logic in middleware, so for example if the user is authenticated we will check if the user role is ADMIN; if it is, we will return a list of some stuff that only ADMIN can see. You got the point...

    Here is a brief example of how it should actually work behind the scenes. A user visits some API route or the application itself visits it (for example www.mysite.com/api/exampleRoute). The web application is checking the request: it is first checking if it is a POST or GET request, it is checking also for request parameters that are passed with the request and all other stuff. If validation, middleware and all other stuff pass, the web application will connect to a DB, retrieve the requested data and return it to the end user in JSON or some other format (usually it's JSON). If validation fails the web application will not talk to the DB and it will return an error response, for example.

    Note* The web application could be written in basically any language (PHP, Node.js, Delphi, Python, C... etc.). I personally use PHP, Laravel (PHP's framework), Node and I know a little bit of Java/Spring...

    ************* JSON web tokens (JWT).. JWTs are a lightweight implementation, or you could use an OAuth or OAuth2 implementation but those are more complicated and heavier.. For any of these implementations you have the REST debugger in RAD Studio to help you and give you a nice GUI interface instead of writing code on your own..

    NOTE* If you don't know PHP, Node.js, Python and you don't know how to write APIs and the stuff I mentioned in this post, you could use public APIs. There is a big number of publicly available APIs: crypto APIs, weather APIs or even the Twitch API. I used the Twitch API for my desktop app that tracked a list of online streamers and some other stuff..

    https://jwt.io/introduction/ <- here you can read more about JWTs. I can add that JWTs are stateless, so with every request you have to add them as a parameter so the server can check if that token is valid, blacklisted etc... NOTE* when I say stateless I mean there is no actual session on the web server that is attached to a particular user.. So when the web server validates user credentials and returns a JSON web token you could store that web token anywhere. If we talk about websites (I am sure that you can open local storage in your web browser and search for tokens from some particular web sites that you use).

    So you could ask now "What will happen if someone steals the ADMIN token from the ADMIN's browser local storage and sends it with a request and performs operations THAT ARE ONLY RELATED TO ADMIN"... <- This is a possible scenario, but on the webserver-database end you could put a field in the database that will check IP, request user agent and client; if those parameters don't match the previous request it means that someone has stolen the token and is trying to send a request with the ADMIN token from a different device/browser etc., so you could possibly limit it or destroy the token or prompt the login page again... I am probably talking too much and confusing you so I will stop...

    Anyway your question was where do I suggest to save the password for a background service? So you are not saving the user's password, you just prompt a login screen so the user enters his username and password and perform a [ POST ] request to one of your API routes (for example www.mysite.com/api/login); if everything is valid you will get a JSON web token from the server. You save that token. Tokens can have an expiration date; that expiration date is set where the JSON web token is created. The JSON web token that will be sent to the user is created in the web application. The web application and its code is running/stored on a remote server. So every time the background task performs some request it will grab the token and send it with the request. The web app validates that and gives the proper response. If the token is expired the web server will give an "expired" response to your task. So your task is going to receive a response; if the response is "expired" it will give a notification to the user to log in again so he can get a new token, or something like that. If there is no need for particular data to be accessed by authenticated users you can just make a public route; I explained that at the top of the post: "www.mysite.com/api/customers <- this route is a PUBLIC [ GET ] route. Anyone who visits this link will get a list of all customers in your database in JSON format, for example."

    You wrote a post here saying "Encrypting a string or password is easy, harder is how you protect the key used for the encryption." In the scenario that I tried to explain, the "key" used for encryption is on the remote server, and nobody knows about it. SO that key will be checked against the token that is sent via the request.. Also search for the term "Personal access token"; it is used in almost any app.
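The post above describes the server side of this design in words: a login route that issues a JWT with an expiration, a public route, a route behind middleware that validates the token, an ADMIN-only check, and a stored client fingerprint (IP plus user agent) that flags a token replayed from another device. The following is an added example of that middleware, written here as a self-contained Python sketch; it is not code from the post, from the poster, or from any framework the post names (Laravel, Node, Spring). Everything in it is constructed: the HS256 signing with a server-side secret, the choice to carry the SHA-256 fingerprint of IP + User-Agent as a signed claim rather than a database field (the post keeps it in the database), the `/api/admin/list` route name, the sample customer rows, and the demo secret.

```python
"""Token-protected API routes with middleware, as sketched in the post above.

Added example, not code from the post or from any framework it names.
Assumptions (constructed for this demo): an HS256-signed JWT, a server-side
secret that never leaves the API server, and a SHA-256 fingerprint of the
client's IP + User-Agent stored inside the signed token (the post keeps the
same data in a database field; a signed claim is one alternative).
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In a real deployment this lives only on the API
# server (the "key nobody knows about" from the post) and is loaded from a
# secret store, never shipped to clients.
SERVER_SECRET = b"constructed-demo-secret-replace-me"

# Constructed sample rows standing in for the customers table.
CUSTOMERS = [{"id": 1, "name": "Customer A"}, {"id": 2, "name": "Customer B"}]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client properties the post suggests comparing between requests."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode("utf-8")).hexdigest()


def issue_token(username, role, ip, user_agent, ttl_seconds, now=None) -> str:
    """What /api/login returns once the username/password check has passed."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "role": role, "iat": now, "exp": now + ttl_seconds,
               "fp": client_fingerprint(ip, user_agent)}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(SERVER_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token, ip, user_agent, now=None, blacklist=frozenset()):
    """Middleware check. Returns (ok, reason, payload); reason is what gets logged/returned."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    head, body, sig = parts
    expected = hmac.new(SERVER_SECRET, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    # Check the signature (constant-time compare) before trusting any claim.
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature", None
        header = json.loads(_b64url_decode(head))
        payload = json.loads(_b64url_decode(body))
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False, "malformed", None
    if header.get("alg") != "HS256":
        return False, "bad alg", None
    if payload.get("exp", 0) <= now:
        return False, "expired", None        # client has to log in again
    if token in blacklist:
        return False, "blacklisted", None    # revoked server-side
    if payload.get("fp") != client_fingerprint(ip, user_agent):
        # Same token arriving from another device/browser: the stolen-token case in the post.
        return False, "client mismatch", None
    return True, "ok", payload


def route(path, method, token, ip, user_agent, now=None, blacklist=frozenset()):
    """Tiny dispatcher returning (status, body) for the routes named in the post.

    /api/customers   public GET, no token needed
    /api/otherRoute  GET behind the token middleware
    /api/admin/list  (assumed name) GET, token plus role == ADMIN
    """
    if method != "GET":
        return 405, {"error": "method not allowed"}
    if path == "/api/customers":
        return 200, {"customers": CUSTOMERS}
    if path in ("/api/otherRoute", "/api/admin/list"):
        ok, reason, payload = verify_token(token or "", ip, user_agent, now, blacklist)
        if not ok:
            return 401, {"error": reason}
        if path == "/api/admin/list" and payload.get("role") != "ADMIN":
            return 403, {"error": "forbidden"}
        return 200, {"customers": CUSTOMERS, "user": payload["sub"]}
    return 404, {"error": "not found"}


if __name__ == "__main__":
    tok = issue_token("alice", "ADMIN", "203.0.113.5", "DemoClient/1.0", 3600)
    print(route("/api/customers", "GET", None, "198.51.100.7", "Other/2.0"))
    print(route("/api/otherRoute", "GET", tok, "203.0.113.5", "DemoClient/1.0"))
    print(route("/api/otherRoute", "GET", tok, "198.51.100.7", "Other/2.0"))
```

The fingerprint check is deliberately a separate reason code from "bad signature" and "expired": a valid, unexpired token arriving from a different IP/User-Agent is the event the post says should trigger limiting, revoking, or re-prompting for login, so it is worth logging on its own. Note that the signature is verified before any claim is read, which is what keeps a client from editing the `role` or `exp` claims in its own copy of the token.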
  11. Tntman

    Connection string encryption

    The one and only way to do this is how I described.. What I told you is best practice and how it is done, there is no other way.

    "We use a config file to store the database connection string." <- this is bad, a security risk, it is unacceptable.

    "We are thinking about encrypting the connection string." <- this can be a "solution" but you will never be sure that you are safe.

    Is there any best practice to keep the connection string information safe? People can give you ideas and solutions for how to encrypt the string but you will still not be 100% safe.. From what you told us about your application I can see that it is not that big and that you already have hosting for the database. That said, you can just put some PHP code there and make an API.. You can even make the API in Delphi.
  12. Darian Miller

    Connection string encryption

    If hackers are in your memory space, the game is over anyway. If they are using plaintext now, the focus should be on encrypting the data at rest and ensuring it's protected in transit. Some discussion about Delphi specific solutions: https://stackoverflow.com/questions/8621441/what-protection-scheme-for-my-passwords For securing strings in memory: https://medium.com/@svanas/creating-a-securestring-type-for-delphi-part-1-e7e78ed1807c
  13. No, that's perfectly valid. But why don't you declare RecPointer as ^TIniRec and save yourself the typecasting? Or are there pointers to different types? If the latter, why do you use records instead of classes?

    Actually I don't think this should compile:

        TComparedData = record
          PointerRecType: TRecType; // this identifies RecPointer as TINIRec
          RecPointer: Pointer;      // Pointer to TINIRec
          ...
          function IsSectionHeaderLine: boolean;
        end;

        function TComparedData.IsSectionHeaderLine: boolean;
        begin
          Result := false;
          if RecPointer <> nil then
            Result := TINIRec(RecPointer^).IsSectionHeader; // <-- this should not compile as RecPointer is an untyped pointer and therefore RecPointer^ is undefined.
        end;
  14. Hi,

    Some might already know Delphinus. But for those who don't, I thought I'd make a little introduction post, to have a thread for discussion, as I never made one for the international Delphi-Praxis. Questions are always welcome.

    Delphinus is an open-source package manager for Delphi, which I started in 2015. It has support for Delphi XE and newer. In addition to an IDE integration for package management, Delphinus comes with a command line, too. This has the benefit of having a single interface for managing multiple IDEs or running setup scripts automatically.

    Currently, packages are provided through GitHub by preparing a repo to appear in a special GitHub query Delphinus uses to detect packages (see wiki link below). For optimal use, you should add an OAuth token to the Delphinus config (see wiki link below). Otherwise you'll hit rate limits. Offline installation from a folder is provided through the IDE UI (folder symbol). Adding support for creating local folder-based repositories for mirroring is planned.

    Delphinus packages have support for:
    - Copying (source) files
    - Compiling and (if designtime) installing BPLs
    - Compiling and installing IDE experts
    - Setting up search/browsing paths
    - Dependencies on other Delphinus packages

    Optionally, BPLs and experts may be included as precompiled binaries, if your project is closed source. Packages are installed per IDE. I'm working on per-project installations.

    GitHub repository of Delphinus: https://github.com/Memnarch/Delphinus
    Wiki: https://github.com/Memnarch/Delphinus/wiki
    My blog where I (in addition to other Delphi projects) post updates about Delphinus: http://memnarch.bplaced.net/
    Websetup: http://memnarch.bplaced.net/blog/delphinus/
  15. BTW, I also did a benchmark of an Indy based custom httpd (SOAP, WebBroker) and the Linux version (ClearLinux) is 3x more performant than Windows patched with the Intel Performance Libraries.
  16. OK, I was unable to tune Apache for massive load testing, even by changing the settings in the conf files. It seems that a limit of 150 concurrent users is set somewhere (or probably a SYN flood protection). Anyway, the performance until the limit is reached is great. We need Embarcadero to add FastCGI to WebBroker, so as to bind Nginx, Lighttpd and other modern non-blocking-IO (and largely scalable) httpds. I am asking for this in Quality Central. Let's see. Kind regards.
  17. I guess you meant "Congratulations LLVM team!" 🙂