Search code examples
phpinno-setuppascalscript

Inno Setup password verification via HTTP Post

Can someone help with password verification in Inno Setup, I currently have the below Inno Setup code (found on this site), what I would like to do is check the password against a password held on the server.

I have a PHP page containing MySQL code to check the database and if the Password is found it will send a response of ‘Correct’ If the Password is not found it returns ‘Password Denied.

I think the issue is the setup is not sending the password in the WinHttpReq.Send (password) section.

I have included the Inno Setup code and the PHP code below.

If I put a genuine password in the code WHERE password='genuine licence' I get the correct response and the install continues.

function CheckPassword(Password: String): Boolean;
var
  returnvalue: boolean;
  WinHttpReq: Variant;
begin
  result := false;
  MsgBox (password, mbInformation, MB_OK);  //show entered password before send
  WinHttpReq := CreateOleObject('WinHttp.WinHttpRequest.5.1');
  WinHttpReq.Open('POST', 'website.php', false);
  WinHttpReq.SetRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  WinHttpReq.Send (Password);

  if WinHttpReq.ResponseText = 'Correct !' then
    result := true;

  if WinHttpReq.ResponseText = 'Access Denied !' then
    result := false;
end;

And the PHP code

$password = $_POST["password"];
$sql = "SELECT * FROM clients WHERE password='$password'";
if ($result=mysqli_query($conn,$sql))
{
    $rowcount=mysqli_num_rows($result);
    if($rowcount ==0)
    {
        die("Password Denied !");
    }
    if($rowcount==1)
    {
        die("Correct !");
    }

I would eventually like to send two bits of information for verification but I would like to get the above working first.

Will be very grateful for any help.

Solution

    1. Where's the server host name? How could this possibly work, if you do not specify, where the password should be sent to?

      WinHttpReq.Open('POST', 'https://www.example.com/website.php', false);

    2. You send the password as is. While you specify the Content-Type to be application/x-www-form-urlencoded. This content type has a specific format, that must include an argument name at least. How else would PHP know that the field is named password?

      WinHttpReq.Send('password=' + Password);

      But to make this work correctly, you also have to URL-encode the password.

      Easier might be to write the password as is (as you are doing already) and read a raw request data on the server side:

      $password = file_get_contents("php://input");

    3. You really need to protect your server-side code against an SQL injection.

    4. You should be sending a checksum of the password only for security. E.g. using the GetSHA1OfString.

      Side effect is that with the checksum, you do not have to care for URL encoding, as the checksum won't contain any special characters.