Most secure way to communicate with my database? - php

I'm making a game in Unity which makes use of a remote MySQL database, hosted on a web server. Although it's entirely possible to communicate with a database directly from Unity/C#, I'm also aware of how easy it is to reverse engineer the app in order to find any hard-coded authentication information (such as URLs, passwords, etc)... So, because the server is a web server and not a VPS, that means that all database connections and modifications would need to be done via server-side scripting.
But the client app would still need to make requests to the web server, where some PHP scripts would handle the requests and perform the appropriate actions. So using a URL with a PHP query string still revisits the original hacking issue, and even using HTTP GET/POST requests can easily be packet-sniffed without any decompilation of the game.
So unless I'm missing something, does the most secure way to do this involve a mixture of direct HTTP GET/POST requests, where the data is somehow encrypted/obfuscated? Maybe via HTTPS instead of HTTP? Or is there an even better way to do this?

Expose a RESTful API over HTTPS

Related

PHP - Protect RESTful API requests

I use a JSON API to get data for a website. I am aware of various methods that I could make it secure, but my situation is different from common methods.
Because of cross domain issues, I had to create an API folder with various PHP files that do cURL requests to the RESTful API. I then request these local PHP files through AJAX on my site. On the next release it should be JSONP to avoid this issue.
Many of these JSON requests contain sensitive information so the first thing I did was check for the HTTP Referrer so people don't just grab the URL when inspecting the JavaScript code and try to run it on their browser. This is obviously not safe nor should I rely on it.
Any data I may try to post to the request will be through JavaScript so something like an API key or token would be visible and would defeat the whole purpose.
Is there a way I can prevent these PHP files from being run outside the website or something? Basically make them inaccessible for visitors?
This does not have to do anything with REST. You have a server side REST client, in which you call the REST service with cURL and the browser cannot see anything of this process. Until you don't want to build your own REST service for this AJAX client this is just a regular web application (from the perspective of the browser and the AJAX client ofc.). As Lorenz said in the comment, you should use sessions as you would do normally. That's all. If you want to restrict access to certain pages, you can use an access control solution, e.g. role based access control is very common.

Is it possible to send POST data across domains using PHP?

I have a main website (with backend SQL database), and I have satellite websites which are all separate domains. Each of these websites is hosted by a provider and has its own SQL database, however, I don't want to maintain 6 or 7 different databases. Instead I would like just one centralised one.
What I would like, is that when a user submits a form on one of the satellite websites, the data is able to get transmitted and stored in the database of the main website. May have to be via a special URL or something - I really don't know.
Is this possible and if so, how?
I think AJAX may have something to do with it, but I can't seem to get to grips with it and it doesn't seem to work for me. So I'm hoping this is possible using simple PHP. Any help would be appreciated.
Thanks in advance.
On the server where you are hosting the database, you can set up a PHP web service that would receive post requests from the remote forms and do the communication with the database. You can pass in your post request some extra parameters to differentiate between sources from which the requests are coming.
You will have to be extra careful with such a design idea, as your script would be receiving cross domain requests from different sources and might be prone to CSRF attacks unless you take some extra security measures by validating the sources and forms from which the requests are coming.
In addition to the above mentioned solution, you can also simply allow your satellite sites to connect to your database directly if such a remote DB connection to your server is supported/enabled.
You can have your satellite sites connect to your central database directly as well. They don't have to be on the same servers.
All you need for that to work is a user account on your DB server which allows access from other addresses than localhost.
Yes, it's certainly possible, and probably better to do it server side with PHP rather than client side with AJAX, because on the client you'll run into XSS issues. You'll probably need to build your own API endpoints, and I suggest looking at this article for more info on making the requests.
You can generate post requests and submit to any domain. That's not a problem. Doing cross site requests can be problematic, but would like to see your code!
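The "validating the sources" step from the first answer above can be done with a per-site shared secret and an HMAC over the submitted form. The following is an added example, not code from any of the answers; the site IDs, secrets and the function names `sign_request` and `verify_request` are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Site IDs, secrets and function names are constructed.

// One secret per satellite, stored server-side on both ends (never in HTML/JS).
const SITE_SECRETS = [
    'satellite-a' => 'constructed-secret-a',
    'satellite-b' => 'constructed-secret-b',
];
const MAX_AGE_SECONDS = 300;

// Satellite side: wrap the submitted form in a signed envelope.
function sign_request(string $site, array $form, int $now): array
{
    $body = json_encode($form, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', "$site\n$now\n$body", SITE_SECRETS[$site]);
    return ['site' => $site, 'ts' => (string) $now, 'body' => $body, 'mac' => $mac];
}

// Central side: returns the decoded form, or null if the envelope is not
// from a known site, is stale, or was modified after signing.
function verify_request(array $req, int $now): ?array
{
    foreach (['site', 'ts', 'body', 'mac'] as $k) {
        if (!isset($req[$k]) || !is_string($req[$k])) {
            return null;
        }
    }
    $secrets = SITE_SECRETS;
    $secret  = $secrets[$req['site']] ?? null;
    if ($secret === null || !ctype_digit($req['ts'])) {
        return null;
    }
    if (abs($now - (int) $req['ts']) > MAX_AGE_SECONDS) {
        return null;
    }
    $expected = hash_hmac('sha256', "{$req['site']}\n{$req['ts']}\n{$req['body']}", $secret);
    if (!hash_equals($expected, $req['mac'])) {   // constant-time comparison
        return null;
    }
    $form = json_decode($req['body'], true);
    return is_array($form) ? $form : null;
}

// Constructed demo: a valid request, a tampered body, and a stale replay.
$t0  = 1700000000;
$req = sign_request('satellite-a', ['email' => 'user@example.com'], $t0);
var_dump(verify_request($req, $t0 + 10));
var_dump(verify_request(['body' => '{"email":"x@example.com"}'] + $req, $t0 + 10));
var_dump(verify_request($req, $t0 + 3600));
```

In the real service `$req` would come from `$_POST` and `$now` from `time()`, with the POST sent over HTTPS. Rejecting replays inside the five-minute window additionally needs a server-side store of already-seen MACs or nonces.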

PHP Accessing API in external server

I am running a server which runs the main website, e.g. http://www.mywebsite.com, and another server which holds all APIs, let's say http://api.mywebsite.com. Both of these are built using different technologies.
What I currently do is make cURL calls to access data from APIs from api.mywebsite.com on www.mywebsite.com but it's going very heavy on page response times on www.mywebsite.com.
So I am planning for an alternative a library or something which can help to make similar calls but with lesser resource consumption.
PS: I make GET/POST/PUT/DELETE requests to server so can't use something that only provides GET.
Why don't you access the data directly off the database?
Have you tried caching with MemCache or Redis?

How to use https and how things differ

How would you use https? Would sending information via GET and POST be any different while using https?
Any information and examples on how https is used in PHP for something simple like a secure login would be useful.
Thank you!
It will be no different for your php scripts, the encryption and decryption is done transparently on another layer.
Both GET and POST get encrypted, but GET will leave a trace in the web server log files.
HTTPS is handled at the SSL/TLS Layer, not at the Application Layer (HTTP). Your server will handle it as aularon was saying.
SSL and/or HTTPS is used to provide some level of confidentiality for data in transit between the web users and the web server. It can also be used to provide a level of confidence that the site the users are communicating with is in fact the one they intend to be.
In order to use SSL, you'll need to configure these capabilities on the server itself, which would include either purchasing (an authority-signed) or creating (a self-signed) certificate. If you create your own self-signed certificate, the level of confidence that the site is the intended one is significantly reduced for your users.
PHP
Once your webserver is able to serve SSL-protected pages, PHP will continue to operate as usual. Things to look out for are port numbers (normal HTTP is usually on port 80, while HTTPS traffic is usually on port 443), if your code relies on them.
GET & POST Data
Pierre 303 is correct, GET data may end up in the logs, and POST data will not, but this is no different than a non-SSL web server. SSL is meant to protect data in transit, it does nothing to protect you and your customers from web servers and their administrators that you may not trust.
Secure Login
There is also a performance hit (normally) when using SSL, so, some sites will configure their pages to only use https when the user is sending sensitive information, for example, their password or credit card details, etc. Other traffic would continue to use the normal, http server.
If this is the sort of thing you'd like to do, you'll want to ensure that your login form in HTML uses an ACTION that points to the https server's pages. Once the server accepts this form submission, it can send a redirect to send the user back to the page they requested using just http again.
Just ensure you're sending the correct headings when allowing files to be downloaded over ssl... IE can be a bit quirky. http://support.microsoft.com/kb/323308 for details of how to resolve

Client / Server security from mobile to website

Hey. Am new to the world of web programming and learning a bunch of fairly simple new pieces of tech, trying to piece them all together.
So, we have a simple client (currently iPhone, to move to J2ME soon) that's pulling down lists of data via PHP, which is talking to a MySQL db. I have a rudimentary user/login system so that data is only served to someone who matches a known user etc, either on the website or on the client.
All the php scripts on the website that query the DB check to make sure an active session is in place, otherwise dumping the user back to the login screen.
I've read a little about SSL and want to know if that is sufficient to protect the website AND the data passing between the server and the client?
HTTPS is about protecting data and authenticating the endpoints. You still have to worry about properly authenticating the client to access your services. You also have to worry about vulnerabilities such as SQL Injection and other vulnerabilities that affect PHP. I highly recommend reading The OWASP Top 10 2010 A3: Broken Authentication and Session Management to make sure your session implementation is secure.
Yes, SSL is sufficient to secure the connection between the client and the server, given that it's properly set up.
Your user credentials should also be sent across from client to server over an SSL connection.
