#1 Re: mORMot 1 » Delphi 10.4, Zeos 7.2.8 Stable and MySQL with Mormot 2020-11-09 » 2020-11-15 12:05:55

Hi, Thanks for the comments.

I've downloaded the 8 version at your suggestion.  I hope to play with it in the next few months, but for production purposes I think I'll stick with what works - using 10.3 + libraries which appears much more solid at this time and is still quite recent.  There is no compelling reason to upgrade.


#2 Re: mORMot 1 » Delphi 10.4, Zeos 7.2.8 Stable and MySQL with Mormot 2020-11-09 » 2020-11-13 01:24:02

I've gone back to Delphi 10.3.3 and all works correctly now. 

I was trying 10.4.x with all the software updates offered by Embarcadero.  I thought by now they would have worked out the kinks.  That assumption may have been wrong, because I've never seen a Mormot error like that, and it sounds like you hadn't either.


#3 Re: mORMot 1 » Delphi 10.4, Zeos 7.2.8 Stable and MySQL with Mormot 2020-11-09 » 2020-11-12 17:47:56

Yes, I cut and pasted it exactly, and noted that it looked weird on the screen with the ' "ID ' part.


#4 mORMot 1 » Delphi 10.4, Zeos 7.2.8 Stable and MySQL with Mormot 2020-11-09 » 2020-11-12 14:41:18

Replies: 6

I recently upgraded to the latest Delphi, Zeos 7.2.8 stable and the nightly snapshot of Mormot 2020-11-09

My version of MariaDB has not changed, but the behaviour of the Momot app did.

I can no longer connect correctly to MariaDB/MySQL based Databases. 

ERROR: leaving 2 on Error SQLITE_ERROR (1) [Step] using 3.33.0 - TSQLRestStorageExternal.Create: TSQLAuthGroup: unable to create external missing field AuthGroup.Ident - SQL="ALTER TABLE AuthGroup ADD Ident varchar(50) character set UTF8 NOT NULL UNIQUE"ID)), extended_errcode=1

This is after Mormot already creates the AuthGroup table on MariaDB and Ident is perfectly good.  I tried deleting the table and it recreates but gives the same error.

I suspect the Zeos library. I was wondering if anyone had any recommendations for a known-good working Zeos library revision for Mormot with MySQL/Maria DB.


#5 Re: mORMot 1 » Penentration testing / Pen testing » 2020-05-26 20:51:58

Hi Bob,

I purchased SMS for two years too, and did a bake-off to decide which I prefered before settling on EWB.  But my observations from that time are dated wouldn't be a fair comparison as each product has grown significantly since my evaluation time.  I know TMS also do nice things, I did own licenses for several Delphi components of theirs for a spell until I wrote my own replacement components.

I've known people who use each of these with RemObjects or Mormot, and many other open tools.  The interoperability and source code-access let you pick something that fits your budget, your scabability, your comfort zone, etc.  And that's great, more power to you.

There's so many good development models today - yet so many people are sure only THEIR method is officially sanctioned by the Gods, or Microsoft, or whomever.  I just got an earful from someone telling the client that anything not based on .Net is not valid.  Idiot!  Sure it's one choice, but to dismiss all others as invalid...


#6 Re: mORMot 1 » Penentration testing / Pen testing » 2020-05-21 03:09:59

macfly wrote:

I have a little pessimistic thinking about using pascal to create web applications (javascript / html).

Tools like eslint help a lot to avoid errors in javascript.

And there is TypeScript that has become standard for who need a typed language to make the transpiler.

Using proprietary software such as TMS Web Core and EWB makes us dependent on updates, and the resources they provide.

I believe that the best way is to create the front directly in Javascript / HTML. There are many options, like Vue, React, etc.

And you will always get professionals to work with these tools.

Sure Coffeescript and others are big improvements over JS.  I think anyone trying to do a big project in just pure JS is out to lunch, just like doing Asssembler for the whole project, it doesn't make sense.  JS programmed code is too buggy, and not typed, etc.  The proejct will not scale well.  You need a typed language and the benefits of a well designed library.  Save the hand coding for the few bits that are hard to do or time critical, but use a good language and toolkit for the rest.

You didn't say it, but I think you are hinting at marketshare.  Which is kind of  funny on a forum of Pascal developers.
Consider is Java... remember when it was the coming king and everyone was bowing down to it.  Oracle bought the company and turned against everyone.  All your Java code and skills... suddenly with the new costing model it lost Google's support and others.   Wrote your whole app in Java, sorry to hear that

The life cycle of so many development kits is short.   Microsoft has abandoned several over my lifetime.  Silverlight, MFC, I cannot remember all the false starts and promises....

We developers sometimes dump on Delphi, but i've got 30 year old Delphi code which has been recompiled and is being reused to this day. 

Just as Delphi code from 30 years ago is largely reusable today, knowledge you have of the VCL/LCL is largely portable to EWB and that saves you effort today, and the EWB library itself has been quite stable for a number of years.

Is it viable for the long term?  There is no guarantee for any technology being both maintainable and long term supported.  JS itself is not maintainable.  Certiainly PHP is not stable - we're constantly rewriting PHP code to support new versions.   Java doesn't offer cost stability.  And half the environments people use today will be gone in 5 years.

I'm not trying to disprove you, I'm only saying nobody knows the right anwer.

#7 Re: mORMot 1 » Penentration testing / Pen testing » 2020-05-21 02:46:29

Junior/RO wrote:


Is Tim Young/Elevate Software updating Elevate Web Builder?

#8 Re: mORMot 1 » Penentration testing / Pen testing » 2020-05-21 02:44:46

Junior/RO wrote:


Is Tim Young/Elevate Software updating Elevate Web Builder?

Yes, there is a version 3 coming out sometime, it's in beta right now.   I'm not sure how long before it will be released.


#9 Re: mORMot 1 » Penentration testing / Pen testing » 2020-05-20 13:51:11

Hi, I have completed a new book, but it's more focused on a specific situation.  I felt there is now ample free material about mormot, but where I've invested a lot of time in the last few years was building a really good dev environment using Elevate Web Builder with mormot.

The benefits of using EWB is that it gives you a totally Pascal environment, which compiles to JavaScript.  The days of cross compiling to Android/IOS/OS/X LInux, etc are gladly mostly gone for me.  And the distribution nightmare.  EWB produces nice Web apps (or PWAs if you want to install on a desktop/android/etc/) and my users are preferring them to having to install native clients.  It also means I know everyone is running the current version.

With a modern web environment, you have something that produces an experience very similar to usual applications.  But without the nightmares.

In the book I cover external authentications (SAML, OpenID Connect, etc.) when used with EWB + Mormot.   Also how to avoid most web attacks (Cross Site Scripting, Cross SIte request Forgery) which most Mormot example JS scripts are vulernable to.

You can read more about it at https://www.erickengelke.com

But the average Momrot user looking to make Thick PC/Android/IOS/MacOS clients will not benefit from it.


#10 Re: mORMot 1 » blocks limit of 32 arguments » 2020-01-28 14:05:24

Sure, nested JSON will solve my problem.   SOlutions right in front of my eyes. Thanks.


#11 mORMot 1 » blocks limit of 32 arguments » 2020-01-28 08:01:28

Replies: 3

When passing data to remote functions, you often have a lot of data to send.

With Mormot, the design decision was made to limit you to 32 parameters per remote function.  I can see that when memory is limited. 
But with modern 64 bit systems, I find this artificial limit is often frustrating.  Now I have to make 3 or 4 API calls per page to update
the data from one HTML web page to live within the 32 parameter limit.  I dread every time someone asks for another new field.

The size of 'blocks' is hard coded at 64 entries, would it break things if I were to double or more  that on 64 bit systems?    The code uses High( blocks ), so I'm hoping it would be able to handle any power of 2?


#12 Re: PDF Engine » OpenData format to PDF » 2020-01-28 02:57:49

I couldn't get Encryption to work, it wouldn't even compile.  I'm probably missing something simple.  I would need encryption, so any suggestions welcome.

The only supported attributes for the library are bold, font-size and tables.  Sorry, that was all I needed for my application. 

I just whipped it up in a day so it's a bit rough, but there are at least no memory leaks for the example ODT file.

I only tested on Letter sized paper.  The margin defaults are hard coded for Letter for now. 


#13 PDF Engine » OpenData format to PDF » 2020-01-28 02:56:06

Replies: 1


SynPDF is great, but I didn't want to spend time programming the page layout.  So
I created a tool which creates Rich PDF documents suitable for mORMot database applications using simple Word processed templates.

You or your client creates a template for the document in Word or almost any other word processing document.
It can include different font sizes and bold, as well as tables.  Save it as an ODT file.

Then use ODF2PDF to read that ODT file, perform a mailmerge replacing data like names, etc. in the file (variables are defined as %%variable%%) with your application-defined values, and write out a PDF file, or save to stream in the case of a web server.

This is still an early version, I haven't added JPEG support yet for example, but it may prove useful for others.

You can download the souce and sample at http://www.eng.uwaterloo.ca/~erick/odf2pdf.zip

It uses SynZIp and SynPDF as helper libraries.


#14 Re: htm2pdf » htm2pdf dll » 2020-01-27 12:55:35

True, but I decided on a more elegant solution for my particular needs. 

I wanted a way so that end-users could construct forms using Word etc. and I could automatically fill them in.  Up until now I've used HTML with my own mailmerge on the HTML text file.  But the client wants PDF output... I was thinking of using HTM2PDF for that as a fast solution.

But over the weekend I wrote an Open Document format parser and in real-time convert the document to PDF using synpdf after applying a mail-merge to stuff in the required data fields.   It's threadsafe.

I'll release it after doing more testing, it's only been tested on a few files so far.  And I haven't added graphics support, but I did implement tables.


#15 Re: htm2pdf » htm2pdf dll » 2020-01-24 00:29:04

I think I answered my own question.

First, I got it to compile with a few subtle changes... don't know where things went wrong before, maybe compiler at home is broke.

But the DLL idea probably wouldn't work because I have a feeling the graphical code cannot run in anything but the main thread.   

I'll look for another solution for my needs.  But it is certainly cool and could be handy.


#16 htm2pdf » htm2pdf dll » 2020-01-23 05:26:23

Replies: 3

The HTM2PDF module is very impressive, it does a beautiful job.

It would be nice if it could be compiled to a callable DLL, so we don;t have to add the TViewer module, which is not AMD + modern Delphi compatible.  I spent two hours tonight trying to convert it to Delphi but failed, the FreePascal differences  are quite challenging..

 But I guess I can run it as a standalone Executable.

Another nice option would be a flag to encrypt the PDF if encryption works again (I see others have commented that it doesn't in the latest build).


#17 Re: mORMot 1 » Using Mormot on FreeBSD, Linux, etc. with almost all your windows libs » 2020-01-22 00:27:01

I read that the Nano server was practically killed by the change to only support containers back in 2017.
Google death nano server for details.


#18 Re: mORMot 1 » Using Mormot on FreeBSD, Linux, etc. with almost all your windows libs » 2020-01-21 04:30:20

Certainly no VCL or FMX.  Also, I'm not guaranteeing it.

It also cannot have createasconsole() as some of the examples have.  And there are a few other functions that might not work.  And some external DLLs might not load.  And I don't know about any ActiveX related functionality.  Also you have to observe rules of the Posix system, such as not using protected ports, etc.   

So you will have to test it yourself, but I'm saying it's doable with only minor effort for a large number of mormot programs.  YMMV.



#19 Re: mORMot 1 » Using Mormot on FreeBSD, Linux, etc. with almost all your windows libs » 2020-01-20 22:30:15

edwinsn wrote:

Hey Erick,

The result is very much impressive! Do you have a link to any good article that you can suggest, mostly about two things:
- Install WINE from Linux console that's hosted in a remote VPS
- Get a mORMot app run by WINE.

Hi, I'll try to answer the questions posed.

VPS?  Should work, I can't see why it wouldn't.  In fact, I installed it on my development VM  over a VPN from home on the weekend, so that's effectively like a VPS.

Wine DOES require root permissions to install, normally, because it puts shared libraries, etc.  and the wine64 loader program into /usr/local.  So if you have root permissions of your computer or VM, you can install it.  For mormot applications, you do not normally need X windows to be installed or running.  So console root shell is generally sufficient.   Current Wine binaries are readily available, you don't need to MAKE the installation, and disk requirements are minor.  Yum or apt can be used.

The applications are all unprivileged, running as the current effective user.  It does not emulate a Windows computer or the Intel processor, like VirtualBox or similar do which use VT instructions and ring3 - your code runs natively on the Intel/AMD cpu without ring changes or device drivers.  Wine simply translates the Win64 API functions to Posix functions as it executes. 

I say "simply" because the system is not managed by device drivers and complicated ring transitions - I'm coming from a lifetime of writing deivce drivers which would do that.  Inside the wine DLLs there is certainly is a good amount of cleverness to emulate the registry, map in 'virtual drives' C:\ and Z:\, etc.  But these are all predictable user-mode translations.  Look in ~/.wine for the virtual registry, virtual drive mappings through symbolic links, etc.  Can you imagine, a worderful ANSI based registry you can parse with grep!

Many 'changes' to your environment, such as hiding error/warning messages spit out by the wine64 can be managed simply with environment variable switches.  However, I would say changes are not required for many or most mormot programs unless you want to hide the few warnings at startup and shutdown time.

The regression test fails on a few matters, (like HTTPD.SYS), but also because Unix is more cautious about somethings, like allowing TCP ports to be opened below 1024, etc. that Windows allows.  Another issue not handled as well is memory mapped files.  If you do them, you will want to test and read up on the subject.

I can vouch that Zeos and sqlite3 databases worked perfectly for me.  But I don't know that Window's file locking is translated to the posix level, I kind of think it is just emulated at the process level and applicable to only the current process.

Earlier I showed that wine64 is 10 times less CPU intensive than running Windows 10 VM.  I should note that I did not tune the systems or prune any processes in the installation, so Win10 was running all the annoying little services enabled by MS by default, just as my FreeBSD VM was.

The fact that you aren't running any extra services probably does reduce your attack space compared to having a whole Microsoft OS VM loaded.

Something that is available, but I haven't explored, is that you can link Wine's dlls directly into your binary, and thus ship a read-to-use Linux, etc. programs that I BELIEVE does not require Wine to be root-installed.  I don't need this functionality so I'm not going there, but maybe others with limited shell accounts might want to investigate further.

#20 Re: mORMot 1 » Using Mormot on FreeBSD, Linux, etc. with almost all your windows libs » 2020-01-20 00:23:47

One more thing of interest: some people may be running Windows VMs to host the Delphi Mormot applications.  At least I am.

I addition to the Windows licensing cost, you would wonder about the physical resources required with Wine versus Windows and whether the API conversion layer slows down your system.  It's a reasonable assumption, right?

I conducted these tests at home, running on a Virtual Box system hosted under OS/X, latest version, with SSD and 16 GB of RAM.  There was no swapping as I made the VMs sufficiently large.

I set up a Windows 10 VM with 10G of RAM, 2 cores and sufficient disk space for Windows, a mormot App and MySQL. 

Then I set up a FreeBSD VM with 2 GB of RAM, 2 cores, Wine, the identical mormot app binary and MySQL.

For my tests I moved both VMs off screen, so there would be no video updates interfering with the performance (that makes a difference), and there were no flashing cursors on the VM.


Windows:  33% of CPU, 138 MB  RAM
FreeBSD/Wine: <3% of CPU, 113 MB RAM

So while memory usage was near identical, Wine was 10 times more efficient with CPU than hosting a Windows 10 VM when idle.  Even with light usage, the numbers did not change.  I ran the tests for a half hour, just in case Windows was downloading updates or something, but no changes happened.

I still need to determine the resiliancy of the image, but so far everything is looking good.


#21 Re: mORMot 1 » Using Mormot on FreeBSD, Linux, etc. with almost all your windows libs » 2020-01-19 12:51:47

edwinsn wrote:


Thanks for keep sharing, it's very helpful!

Re the msvcr100.dll issue, is it a license one? I mean, MS doesn't allow installing msvcr100.dll on non-MS OSes, right?

BTW, I assume Linux is much much more popular then FreeBSD nowadays, I'm just out of curiosity - why do you prefer the latter?

msvcr100.dll is used for ... I believe... MS Visual C compiled DLLs in multithreaded environments.  I think you need to run the MS installer for msvcr100.dll, and I believe it checks compatibility with 'genuine' licensed Windows.  I didn't explore further, because I found alternate libraries which didn't require msvcr100.dll, which was a more attractive solution to me.

Since you are curious about FreeBSD.  Please take all the following with a grain of salt, I don't speak for FreeBSD but I have used it since Version 1.0.

The choice is really six of the pros and a half dozen of the cons.  A talented computing professional can work as easily in Linux as FreeBSD.  The real answer is history, we ran FreeBSD before Linux was reliable and popular, and there is some inertia and a large infrastucture with little reason to change, but also other things I will describe below.

In web servers in 2019, there were 1.2 billion sites and many more private servers.  Linux had about a 70% Web market share, FreeBSD had a 1% market share, but it's still in the order of Millions of installations when you realize all the routers, servers, VMs etc.   But that's not a complete picture, Linux is fragmented among its adherents so each distro's share is less than the total 70%.  I don't know the breakdown between Linuxes today, it's not possible to tell from Web site visits.

Having set up numerous Linux systems, there is an occasional bit of frustration that programs you want are not always readily available for your distribution.  They have to be ported due to differences in the distributions. Sometimes you need a RedHat, sometimes Ubuntu, sometimes Raspberian, etc., and sometimes specific versions.   And sometimes you end up running multiple versions of the OS for different applications because you gave up after hours or days of trying to port it.

FreeBSD offers a few advantages (and a few disadvantages).  It offers ZFS as the primary stock filesystem and OS jails which run read-only virtualized versions of FreeBSD where root is not really all-powerful, and BHyve virtuatlizaiton of any OS, and there are certain other features that are available because of its licensing that don't allow stock in GNU licensed products due to copyleft.  But where it is also nice is that everyone running a particular version is compatible with all the packages - you don't have the same splinterring as in the linux community.

There is no perfect OS for compatibility.   But with virtualization, who cares, we can run them all.

I find some linux distros are bleeding edge, with alpha quality drivers frequently showing up for bleeding edge hardware - so they run on the widest selection of hardware, but at the cost of reliability.  Others linuxes are very conservative, like RHEL (I believe), which presents other issues as we couldn't get it to work with some packages that are too new.  FreeBSD has a slightly different balance, not running on the most esoteric hardware, not having the most packages available, but reasonable compromises on both.

If you hand pick your hardware and sofware (which you should for any server), you will probably find no difference between the BSDs and the Linuxes for speed or reliabilty.  And if you are a complicated site, you probably have several different Linux distros virtualized for some compatibility, and indeed, we run a few linux VMs, its just easier that way. 

Mind you, we use a common file server and the virtualizaiton lets us use one firewall ruleset for all VMs, which makes it simpler than rememberring each OS's firewall rule languages.

Don't believe speed tests, people are always comparing the two and each release from both FreeBSD and Linux are faster and better than the last.   The tiny margin one has over the other is short-lived.   And I believe the friendly competition is good for the community to strive to be better and constantly innovate, but in reality they share so much from the development community and cross pollination.

So FreeBSD is not a worse choice, and not a better choice, just a reasonable choice.  There is no one Linux which can serve all software needs, or we would all migrate to it and that would be the end of all other distros and FreeBSD.


#22 Re: mORMot 1 » Using Mormot on FreeBSD, Linux, etc. with almost all your windows libs » 2020-01-19 06:10:45

I had coded some huge apps in Delphi, and redoing in FreePascal would be challenging for a number of reasons.  Even FreePascal/Win64 was a big hurdle and would be weeks or months of recoding by my estimate due to libraries and languages differences, and then more weeks to resolve Library differences on Linux, all this is extra time I don't have on a tight schedule.

So it becomes a question of how does one best spend their time. 

Mormot + Wine may not be as efficient as native, but most apps don't need the killer performance of the microseconds that will be saved in not going through compatibility layer.  The apps I'm referring to have hundreds of concurrent users not thousands.  I haven't timed the variations, but I'm not convinced its any slower than native Windows server, FWIW.  The question is not raw performance but reliability, and only time and testing will tell.

I will say: Delphi - for Windows - is very mature and is not undergoing frequent fundamental changes that break code compatibility.  FP version hell is real, it can be a pain trying to match all the components for compatibility.  I have struggled to get FP + mormot + zeos and Linux all to co-exist, I spent a whole day trying, retrying, etc., so this offers a faster entry.  I hope in the long term that FP version stability will be resolved, but right now you cannot use FP/Current with mormot and zeos and linux, I believe, you have to back track a few releases. Correct me if I'm wrong about that.

Also, as a personal preference I'm more comfortable in the Delphi debugger on my workstation.  And debugging in Delphi may not solve all your FP errors when you recompile and port to another OS.  In contrast with compiling with Delph+Windows going to FP+Linux, Wine is like just like a slightly different version of windows, not unlike developing on Windows 10 and deploying on Windows Server.  It's not as much of a leap.

The Wine developers request that we not detect and react to Wine, they'd prefer we tell them any problems and fix any API differences.  There is an API call to detect Wine, but they request you only use that for gathering statistics or to debug your clients' problems. 

As for debugging natively on posix, I'm not sure yet.  You need to separately install win32 and win64 versions of Wine, because the universal delphi PAS server program is a Win32 program.  And so far I have only installed Win64 support.  I don't know if they install a device driver under Windows, haven't looked.

To answer Ab's question. I doubt the IIS emulation is ported, I only tried socket based calls as that seemed reasonable to me.

FWIW, the same mormot server applications also work under ReactOS iwhich shares some code base with Wine.  I don't recommend it for production because it's still an alpha release and I believe it might only be Win32.  But seriously, it's not unlike a JavaVM for your Win32 code, how cool.  It may be useful for tiny 32 bit embedded computers - I ran ReactOS for 24 hours of mormot with no problems.  YMMV.

One thing that doesn't work under Wine is the CData delphi extenion code.  It looks like they have loader code which fails, possibly due to copy protection.  You can't even load it and exit on the first line of your code.  This is a shame because it would offer easy support for cloud app integration.  I haven't invested a lot of time to debug it.

While your Win64 code cannot natively call Posix libraries unless you write some integration code, you can easily connect them by using HTTP/PHP/etc. or probably named pipes or similar.  I have verified that you can do the HTTP/PHP integration for certain.   Likewise, you can ps list or kill Win64 processes or restart them from Posix shell.

Here is the result of porting a somewhat complicated 12,000 line Delph/mormot/mariadb program. it took about an hour to get it to run under Wine64, it would have been faster but I had to rewrite the code to not spawn a new console, I had to remove and replace a DLL that requires msvcr100.dll which is cannot be installed on non-Microosft OS's, and I ran into the following permission bug that was a bit elusive.

While Mormot itself runs nicely as any unprivileged user - just as you would expect, I ran into one issue which took a while to determine but is easily addressable: the libmariadb.dll DLL file I was using for Win64 MariaDB connectivity only appears to work for userid root and not for unprivilegesd users.  Exactly why I don't know, it may be resolvable at the Win64 level.  Anyways, a quick FreeBSD solution to this problem is FreeBSD Jails, which a padded container-like feature that gives a read-only protected copy of the OS so the jail's root has almost no power, or I could run a single-purpose VM which is not quite as secure but could only expose itself.  Under Linux there would be numerous virtualization options for sure.

I will be sure to test this mormot program extensively, Ibut was pleased with how little need to be changed. 

BTW, if you have mastered FP, then all the power to you on native Linux, I'm not trying to dissuade anyone from native support, just demonstrating options available for those of us with special needs using the beauty and power of proven Open Source Software.

#23 mORMot 1 » Using Mormot on FreeBSD, Linux, etc. with almost all your windows libs » 2020-01-17 21:16:15

Replies: 31

Hi All,

I was facing the daunting task of converting a lot of mormot applications to Linux.  The cost of Windows Server licenses and the updates were big factors, and also the freedom of not having to maintain more difficult Windows VMs.

However, there were a lot of libraries I have that aren't compatible with FreePascal's dialect let alone with Linux, and also my site is heavily invested in FreeBSD.  So Linux conversion looked very challenging but not even the desired final result since I would prefer FreeBSD.

On a whim last night I tried Wine on FreeBSD (results on Linux should be same), and my mormot apps took less than an hour to convert to work.  Actually, mormot itself worked right away, but I had to change a few other bits I use.   They've been running great for 18 hours without incident.

For the uninitiated, Wine is a Win64 compatibility layer that loads Win64 applications on Posix operating systems and translates the Win64 apis to Posix apis allowing them to run under almost any Unix.  All I needed to do was run pkg install wine64.  You can run your Win64 console binary from a script or shell.

While native Linux support has great merit, the Wine  solution means you can continue to use the Delphi compiler and debugger (on windows dev system), and many Win64 libraries, I used it with MariaDB's DLL to talk to MariaDB (MySQL-like database) running natively on FreeBSD.   My other libraries talk to Office365, etc. and would have been a pain to convert.

Some libraries do not work with Wine, because they require Msvcr100.dll which you cannot instsall on a non-MS OS.  But many work fine.

The hosted mormot app does not seem to be using many memory or cpu resources, not more than you would expect under Windows.  You don't need to run X Windows, it works fine without it.

Just thought I'd share that in case other people had similar need for Delphi or 3rd party library support and were unable to move to Unix for those reasons.  You probably can, for free, with Wine.

For the interested, there are two things that look like they are only stubbed in, and these may affect you but they didn't for my applications.  NTLockFile looks stubbed, and also native language support, I think it defaults to English... but not sure.


#24 mORMot 1 » Missing file: 'eccwin64O2.o » 2019-12-18 00:45:54

Replies: 2

Hi, Trying to compile from the latest mormot, on Delphi 10.3.3 for 64 bit Windows I get
[dcc64 Error] SynEcc.pas(1903): E1026 File not found: 'static\x86_64-win64\eccwin64O2.o'

I don't see any eccwin6402.o file  anywhere in the package, and a web search turns up nothing. 


#25 Re: mORMot 1 » Penentration testing / Pen testing » 2018-12-21 04:07:23

I got the security audit report yesterday.  I spent Wednesday patching up the few remaining issues. 

The good news is that:
  1. Mormot marshalling of data appeared to work perfectly
  2. The IBM scanners could not get at data not intended for it, nor could they break the database
  3. Momot application survived an onslaught of hacking wisdom

But to get to that state I had to harden it beyond what is stock or it would be vulnerable to a large number of attacks.

The things I had to address before and/or after the audit were XSS, XSRF, content policies, XSS headers, cookies, etc. etc.  I'm updating my examples to include all the tidbits I've learned.  I will complete this over the Christmas holidays.   

I will document them in the 3rd edition of my book.  And I will, as always, send a copy to AB.    Copies of the software will be available without requiring a purchase, but I encourage one to buy the Ebook to gain full knowledge, and also to help sponsor the work.


#26 Re: mORMot 1 » Penentration testing / Pen testing » 2018-12-07 03:01:28

FYI, the end-to-end software penetration testing is being done against my system for about five days from Dec 6  to Dec 11th, with a report to me to follow sometime later.  They are using the IBM AppScanner automated testing solution.  Of course, I will share results with this community. 

https://www.ibm.com/us-en/marketplace/a … header-top

#27 Re: mORMot 1 » Delphi 10.3 - Linux platform support » 2018-11-25 23:38:01

http://blog.marcocantu.com/blog/2018-oc … tions.html

This is very positive news.  I would really love Delphi support for LInux with mormot together. 

#28 Re: mORMot 1 » mORMot and Elevate Web Builder » 2018-11-22 05:39:08

As far as I have seen, I wouldn't be surprised if I've done the most with successful combined EWB+Mormot application building.  I've been doing that for almost 3 years now.

I've been working on new samples and a new chapter for my 3rd edition of my book which will demonstrate SIMPLE access to mormot from EWB.  The updated Ebook will be available for $20 US from my web site, or obviously more if you purchase a paperback version from Amazon.  BUT it's not ready yet.

It's been held up because I was also working on OIDC, CAS, SAML integration and CSS, CSRF avoidance and simplifying my examples to be more readable.

I realize mormot is OSS and EWB is not.  However, EWB only requires a purchase and does not require any addiitonal run-time licensing.  I see it as a practical way to support the primary developer.  Likewise, book sales are what fuel my efforts, so I appreciate when people pay for them.


#29 Re: mORMot 1 » Implementing OAuth2 » 2018-11-19 20:39:44

Almost, very close, I've got externalize authentication working for HTMl5/AJAX web clients.  I've tested it with SAML and CAS, but I do not have a production OIDC server to ensure I've got it all working perfectly.  My site is preparing an ADFS system which is in beta testing right now, and I hope to have completed against it by Christmas.


#30 Re: mORMot 1 » Penentration testing / Pen testing » 2018-11-15 05:01:32

ab wrote:

I don't use MySQL but I guess TLS could be used for communication, if it is enabled on the server.
Of course, it requires a private/public key pair to have been setup first.
Another option (which I have seen) is to have a VPN or SSH tunnel defined.

It is more a question for the Zeos/ZDBC forum support...

Thanks.  Setting it up is apparently a bit more challenging.

I think we may end up doing IPsec between the various points.  IPsec between two homogenous systems works great, but between different OS's is more of a challenge.  I think we might have to use the open source swan thing.

Thanks for your comments, Ab.


#31 Re: mORMot 1 » Penentration testing / Pen testing » 2018-11-06 20:59:17

Is there a way to tell mormot to encrypt the MySQL connection.  I'm currently using ZEOS as the Mysql driver, is that still a good choice.

Thanks in advance.  I still intend to write a summary here when we are done pen testing.


#33 Re: mORMot 1 » named parameters to interface functions » 2018-10-22 09:50:07

ab wrote:

Note that { "n1" = 3, "n2" = 4 } is not valid JSON.

The syntax is { "n1": 3, "n2": 4 }

Right, it was 4am here and so I mistyped.

I get errors, maybe it's because I'm using contracts with the correct JSON.

I'll try without.


#34 mORMot 1 » named parameters to interface functions » 2018-10-22 09:30:27

Replies: 5


I have a huge app written in ElevateWebBuilder - to - JavaScript which makes extensive use of interface functions.

But somewhere along the way, mormot changed how data can be sent to interface functions.  Before I was able to use named JSON variables
eg. with the calculator Example #14

{ "n1" = 3, "n2" = 4 }

Which was convenient because sometimes the order might be different, but mormot would marshall all variables to the correct input parameter.

But mormot has changed its input default to arrays (looking again at example 14)

[ 3, 4 ]

Is there still a way to pass names, so that I don't have to worry about order of parameters?


#35 Re: mORMot 1 » Penentration testing / Pen testing » 2018-10-10 22:43:51

I figured I should give an update.

As I said before, using externalized authentication CAS or OpenID Connect allows us to prevent leakage of passwords and use smart cards and cell phone apps to authetnicate.  Mormot's SHA256 password stores are sort of, maybe, okay today, but not for much longer as CPU power is always increasing, and not a good solution in a world that needs multifactor authentication to prevent users from leaking passwords.

When writing web applications, ie. Javascript/HTML5/AJAX, using cookies with the SECURE and HTTPONLY flag set is typically required to prevent cross site scripting (XSS) and cross-site request forgery (XSRF).  If you are writing a web app, you should not be just using mormot's otherwise good security, because someone in javascript can read the copy of the password in the browser's memory that you have to keep around for message signing.  And if you don't know, XSS and XSRF are big attack vectors that took out Facebook and others.

The HTTPONLY flag on a cookie means the browser does not expose that cookie to javascript.  Attacking programs cannot steal the cookie (except if the browser is super buggy), and so they cannot present your credenitals.  The secure flag means it will never be exposed using HTTP, whereas HTTPS or better or allowed.

In my implementation I use CAS or soon OpenID Connect to indicate logins to a server, then set a secure httponly cookie to the value of a JSON Web Token (JWT).   Before any packet is passed to any RPC's, my code uses Mormot to evaluate the JWT.  Encoded in the JWT is the userid, the time the token was issued, and the expiry time of the token, as well as some other info, and hashed with a mormot-supported crypto-hash function.  If the hash works using our secret, the cookie was set by a trusted server.  Otherwise, I return an HTTP error.  Offhand, I think I return 403.  Maybe there is a better choice. 

After the expiration time, mormot automatically fails the JWT token, and the connection is cut off, no more requests can make it through with out re-authenticating.

If you can imagine, the Javascript app is oblivious to the JWT knowledge, it cannot read it (due to httponly flag).  So it actually has to call an RPC of the mormot app called WhoAmI that tells it which userid it is logged in as.  That is advisory only, the actual login happend back when CAS or OpenID Connect were called.

There is also logic to allow logouts, because you need to register the logout or you would just be autologged in again, and could never change userids until the timeout happens.  So that was another hour of work.

My work is still being evaluated by a fellow with >10 years pentesting experience.  He usually finds flaws with everything, so I realistically expect him to find flaws with my work too.  Security testing is a humbling experience for the developer.

After we pass our tests (hopefully), I will bundle up what I've done.


#36 Re: mORMot 1 » Penentration testing / Pen testing » 2018-10-03 11:26:41

pvn0 wrote:

Thanks erick for your detailed input, the video looks awesome btw and gratz to your uni.

erick wrote:

More of a comment, the avoidance of cookies may not have been a good thing.  We will likely add in cookies for session checking, since browser cookies have advanced in the last few years so they can be issued but taught not to be browser readable - they can be set to just pass a opaque block of data.

The reason cookies are desired is a big concern in web apps is the possibility of cross site scripting, something which is obviously less of a problem for compiled binaries.  But I believe the present and future of applications like ours are web based applications that run on computers/phones/TVs without recompiling.

Have you considered JSON Web Tokens (JWT) ? documentation.

Absolutely.  OpenID Connect (which is our next step), is based on JWT.


#37 Re: mORMot 1 » Penentration testing / Pen testing » 2018-10-03 05:17:52

Oh, if you're interested in seeing what it looks like, the student part (the simplest part) is demonstrated here: https://www.youtube.com/watch?v=3JzjlOpC_vo&ar=1
Much more complex screens are available for staff to manage the students.


#38 Re: mORMot 1 » Penentration testing / Pen testing » 2018-10-03 05:07:36

> I'm very interested in this subject, I wish there was more information on this.

@erick, please let us know if you plan to release your findings.

Sure, I was distracted for a few days, I have other responsibilities besides coding.  We haven't gotten very far yet.

I'm the Director of Computing for the University of Waterloo's Engineering Faculty.   UWaterloo got in the news today because one of our faculty was awarded a Nobel Prize for Physics today, and so we're all in a good mood right now.

My security guy was not happy to hear there were no former pentests known or shared in the mormot group. 

Also, he had a couple of questions I'll try to relay here.

But first, my situation is this:

I have made no changes to mormot itself, STOCK CODE, but I'm not using it in the way most of you are probably doing. I'll explain what I've done, why, and will ask if anyone has suggestions to improve it or sees a problem.

My clients are all JavaScript written with Elevate Web Builder, as described in my mormot book.  Elevate Web Builder (or EWB) is a combination GUI library and pascal to javascript converter.  It is similar to TypeScript or CoffeeScript or Smart Mobile Studio.  And since the end result is Javascript, I think it will likely be no more or less secure than those other JavaScript based systems.  Sure, the result can be 'compiled' to unreadable obfuscated JavaScript, but then I know better.... I was one of many contributors to the Undocumented DOS  book series, so I know people love a challenge.

Rather than use mormot passwords, however, I use Centralized Autentication Server (CAS) which is a common SSO Single Sign On system popular at univiersities.  Probably shortly I will convert to using OIDC Open ID Connect.   Both of CAS and OIDC  are enterprise or inter-enterprise type Single Sign On facilities, more appropriate for an enterprise, also used by google and others.

The goal there: we don't handle passwords.  Since no passwords are gathered, they also cannot be leaked.  Furthermore, it means the system can work with MultiFactor Authentication, such as DUO, and does not require a separate login between sites.

So, upon a login, I pass the client a token to present to mormot going forward, that token's SHA256 is placed into the Mormot  password facility.  So we then treat that token like a disposable password.  At the end of the session, the account's cookie is set to an impossible value, so the session token no longer works.

The rest relies on mormot's own user accounting, group memberships, etc.

I hide mormot on an private address space,  IPsec'd connection to the private addresds MariaDB database and another IPsec connection to the Apache web server that exposes it to the world. 

Security is all about risk analysis and risk aversion.  So we've tried to take many positive steps, such as avoiding handling or keeping passwords, forcing user controls, APIs implementing business logic rather than pure REST access to data, principles of least privilege, etc.


Does anyone have evidence that doing the mormot handshake is any less secure when done by JavaScript? 

Has anyone done a cryptoanalysis of the mormot handshake protocol. 

More of a comment, the avoidance of cookies may not have been a good thing.  We will likely add in cookies for session checking, since browser cookies have advanced in the last few years so they can be issued but taught not to be browser readable - they can be set to just pass a opaque block of data.

The reason cookies are desired is a big concern in web apps is the possibility of cross site scripting, something which is obviously less of a problem for compiled binaries.  But I believe the present and future of applications like ours are web based applications that run on computers/phones/TVs without recompiling. 

I may come back with more questions, but we do hope to plug any holes we find and report back to the community.

I can be reached at erickengelke@gmail.com


#39 mORMot 1 » Penentration testing / Pen testing » 2018-09-13 17:07:10

Replies: 35

Has anyone professionally penetration-tested mORMot?   We are doing that right now and would like to look at any previous reports that would support it.

You can reply to me here or privately. 


#41 Re: mORMot 1 » Compatibility issue with FPC 3.0.4 » 2018-07-02 03:44:45

Hmmm, given the pointer to use fpcupdeluxe, I used it.  I tried to upgrade to 3.1.1 but it left me with 3.0.4, and indicated to add mormot, and still get the error when compiling.


#42 mORMot 1 » Compatibility issue with FPC 3.0.4 » 2018-07-02 02:40:14

Replies: 3

Hi Ab,

I recently decided to switch much of my server environment from Win64 to Linux, and began converting my various mORMot systems from Delphi to NewPascal as a first step.  If they worked under NewPascal I figured it would be an easier upgrade to Linux.  NP doesn't support Linux at this time, but it would force me to be FPC compatible and that's half the battle.

I noticed one compatibility issue with the latest SynPDF and NewPascal/Win32, it doesn't compile because there are the wrong number of arguments to the function which opens WMF files.  Just try to compile, you'll get the error.

Anyways I set up my FPC 3.0.4 environment with Lazarus 1.8.4 (I believe both are the latest) and yesterday's nightly mORMot build (June 30) on a Centos 7 system.  However, it can't compile any mormot app (eg. TestSQL3.pas) because I get an error that TypInfo.PRecInitData does not exist, on line 92 of SynFPCTypInfo.pas. Error: Error in type definition.

  /// some type definition to avoid inclusion of TypInfo in main SynCommons.pas
PRecInitData = TypInfo.PRecInitData;

I thought you'd want to know about this.  If I am not running the preferred Linux/FPC/Lazarus environment, please correct me.

Erick (Canada)

#43 Re: mORMot 1 » How reconnect to remotely DB » 2017-06-08 02:20:45

ken wrote:

Who can help me?

When you define props, set something like:
    props.ConnectionTimeOutMinutes := 5;

#44 Re: mORMot 1 » Mormot Book, eBook version now 1/2 price permanently, new source code » 2017-06-06 21:26:20

Yes, there is steady income and... expenses of course (computers, compilers, web sites, paper from drafts).  I do a fair bit of consulting already, most jobs are for people who have a big project and looming deadlines that have read a book of mine and just need a few hours to get them over a hurdle.  I also volunteer for needy programs.... real charities.

There are a lot of hours that go into every book, that's a big investment.  But then when people write me I answer most questions for free and with a smile.  I have a high uptake rate of customers buying a second book on a related subject.  I take that as a positive sign. 


#45 Re: mORMot 1 » Mormot Book, eBook version now 1/2 price permanently, new source code » 2017-05-28 05:46:52

There were a couple of questions sent by Email so I'd like to share the answers here.

Mormot and EWB are currently not large markets, no publisher would finance a project with that number of potential sales.  I'm hoping that my various books will help bring additional interest to these fine products, particularly in terms of new developers and management buy-in at companies. 

I chose Amazon for print because they offer trusted, fast world-wide distribution.  It is a non-exclusive contract, I can sell in other channels, such as my own EStore powered by PayPal.

Amazon charges authors a bunch of fees on book sales, and somehow the author actually makes less on Amazon Ebook sales - which is why you often see full prices for Amazon Ebooks even though it obviously should cost less with no printing or shipping required.  But they allow us to offer Ebook companions for $0, $0.99, $1.99, or more.  I chose to offer it as a free upgrade.

A fact of the world in 2017 is that various people have pirated the books within days of release, and that may seem tempting to some, but by offering a reasonably priced legal option, I'm hoping people will support those who work to help you.

I gladly answer technical questions by Email too, but it's frustrating when people write for help when they obviously pirated the book.

I became a convert to Ebooks.  They are easily searchable, they support cut-n-paste, they are light to carry and have other benefits including no shelf space.  I'm trying to offer them as low cost alternatives too. 

Thanks for reading.


#46 mORMot 1 » Mormot Book, eBook version now 1/2 price permanently, new source code » 2017-05-28 03:50:27

Replies: 4

My mormot book 2nd edition remains available from Amazon in softcover, after which you should be offered an electronic edition upgrade for free.   The price is unchanged at $59.95.

However, now I offer it in electronic version either ePub or PDF format for 1/2 price or $30 from my web site http://www.erickengelke.com .  This lower price is because I don't have to pay Amazon to print and ship or their other hefty fees, and i pass along those savings to customers.

Also, when you download the source code, there is a new 3rd edition subdirectory which includes an easier-to-read, full mormot DB / EWB application called enterprise3.  It will be documented in the 3rd edition next year, but I wanted to get out the sample already, because it shows how my many production applications communicate.

I have NewPascal working with enterprise3 for Win32 but the resultant pascal source was slightly incompatible with Delphi.  I'm trying to merge the two for the future, but in the meantime you have to download the slightly different http://www.erickengelke.com/enterprise3.zip   The application code is unchanged, just the libraries differ.  I've tested the binary and it works seamlessly.

Making it work with Linux: should be easy if you use mormot's default userid/password space.  But my enterprise3 example also offers Active Directory authentication.  To use that you would need to do something like PAM or LDAP, it's a one line function that needs changing.

As always, I welcome your comments.


#47 Re: mORMot 1 » new book about mORMot » 2017-05-28 03:29:58


Sorry, I've been absent for a bit.

I've got it compilable for Win32 NewPascal but I haven't quite merged that back in - doing that broke the delphi compile.  While I work on merging the two sources you can download the NewPascal variant at  http://www.erickengelke.com/enterprise3.zip

I'll post more about that sample in a separate thread.

#48 Re: mORMot 1 » 2nd Edition of mORMot book » 2017-02-05 06:20:33

esmondb wrote:

The photo looks like a Giacometti view of our mORMot!

I believe it's a statue of Wiarton Willie - an albino groundhog here in Canada that predicts the weather.  But yes, the resemblance is surprising.


#50 Re: mORMot 1 » 2nd Edition of mORMot book » 2017-02-03 22:29:33

Junior/RO wrote:

@erick, which tools are you using for Latex?

TexShop on a Mac.
Latex as my engine

My first few lines are:

I didn't have luck with tufts-book, so I went with classic {book}

For conversion to Ebook I've been trying calibre.

Board footer

Powered by FluxBB