So I have an issue. I have a server, lets call it (testserver.net). Right now, to change the database, from my application, my app runs "testserver.net\add.php". The problem is anyone can run that and change things in my database. How do I make it that needs some sort of verification before running the code in add.php so no one can just have access to my server? (Like a password or something).
create a token : 1MBASFDFACAUYTUG^%(!#UUIASNSR*_-+LASQWFVSA4QWYUI12670
,save this token safely with in your application.
Whenever you want to call the add.php pass the token like :
testserver.net?token=1MBASFDFACAUYTUG^%(!#UUIASNSR*_-+LASQWFVSA4QWYUI12670
add.php
$secret = $_POST['secret']; //use post or get
if($secret != $mySavedSecret){
die('intruder!!')
}
Place you add.php file in separate folder and password protect it, or you may use Password protect a specific URL solution
You need to perform Authentication followed by Authorization. In PHP there are many frameworks which support this.
pls check this for basic authentication
https://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html
or you can use popular frameworks and follow their tutorials to perform this.
check this php micro framework Slim
Related
In php cURL usage, what actually is CURLOPT_USERPWD working? I can see in many examples, like:
curl_setopt($ch,CURLOPT_USERPWD,"my_username:my_password");
.. but how to do at the Server Side? What actually are those username and password? Of course since i want to protect my PHP API page at Server Side, is that the best way or what is the best way to protect it please?
Ideally, you would have a separate config class that contained your user name and password. Then you would create a new version of that config class in your file with the cURL commands. Then you would pass the username and password as variables to the cURL commands. The cURL information will not be visible anyway as long as it is not echoed or printed. Even if you just put it in directly it would be hidden, but having it in a config file will allow you to change the values without changing the main page that contains the cURL commands.
i have a php file named admin.php. It can be accessed by only X.But when i write the url like localhost/full/admin.php it can be viewed.it means if anyone knows the url he can access it.how can i provide security to this file thus it will be accessed.i am just using mysql and run it using localhost
you should look at the user & session management that php provides you. Look at it here. You can define users and its passwords, and authenticate them. This is the simplest method. Good luck
ACL will be more beneficial in the long run.
you could use something like:
if(strpos($_SERVER['HTTP_REFERER'], "https://mysite/a-page-that-sent-u-here") == true)
and then only allow access from a referrer page.
Or set a Session on one page, or even only allow it from your IP:
$_SERVER['REMOTE_ADDR']
Lots of ways
I am using the LinkedIn PHP Oauth example found here:
https://github.com/petewarden/linkedinoauthexample
I've found it much easier to understand and use compared to other options so I'd like to stick with it. The author has an example based on the same code that I am using, which works exactly how I want my application to work. The only problem is that instead of redirecting back to my application after authorization, it gives me a security code...
You have successfully authorized My Application
Please return to your application and enter the following security code to grant access:
I've only slightly modified the author's example to be used as a CodeIgniter library. Here is the modified example code. And here is how I am calling it within CodeIgniter.
Why is it not redirecting to my application with the token instead?
Normally, that means you're not setting the callback URL properly. (Or not setting a callback at all, so it's defaulting to the OOB setting.)
It would take me time to read all that code and figure out the exact issue, but there does appear to be lots of error_log()ging. So, I would check to see what's setting set where. I would also try and look at the raw HTTP messages... that would help me identify what's missing where, and then we could look at that spot in the code.
I'm trying to create a login process. But it seems impossible to create one process that will work with a desktop app and a standard website.
Instead I have the login function in Usermanagement.php (which is a class, icyntk) but then in another php file (api/login.php) I have:
<?php
require_once '../usermanagement.php';
$m = new usermanage();
echo $m->login($_POST['username'], $_POST['password']);
?>
And then I will still need to make another login.php just to be used with the login form on the website. As I can't see anyway to get the result (the echo) of the api/login.php script from the index.php file (where the login form is, it only has HTML in though).
Is there anyway I can simplify this so I only need one login.php?
As I understand you, what you want is:
a website/webapp having a login
a desktop app (not in PHP!) logging in using the same login method
One way is to export the login method using the same API in both your website and the remote application, so you would be using JavaScript on client-side to access the API from there (AJAX/JSON). You will want to use some framework for that like jQuery for client-side simplification of AJAX (among many other uses) and maybe the JSON module in PHP (to use json_encode; beware that the module may not be available on some webspaces so if that's out of control don't use it). Of course you do not need to use XML or JSON in your API responses but it's easier to open the API to other (including desktop) applications without the need to manually implement a lot of parsing functions to process the response in your interface classes.
Keep in mind that your website/webapp will not work without JavaScript if you do it this way! On non-public parts of a website that's okay, as is for a webapp used by a known user group, but you should not depend on client-side scripting for public parts of a website.
Another solution to simplify that is by using a PHP framework, so you can write the server-side frontend easier. This will basically enable you to give a button a serverside function which is simply calling your login method and acting accordingly by setting a redirect or replace some panel or whatever you like to continue with after the login.
Of course you can do all that by yourself but this will usually result in either a lot of messy code or an implementation of your own framework. If you want to do it on your own, start by posting the form to the same PHP file instead of an extra login.php and add a hidden field like:
<input type="hidden" name="action" value="login"></input>
In PHP, check $_POST['action']=='login' and call the login method.
Edit: While your website will work with a PHP session or a cookie, you may want to track login status with an own session token which you can pass to your desktop app so it can be used for consecutive calls to the API, so you don't need to handle cookies. These tokens should also be bound to the IP and maybe other "individual" information of the client; that information should ideally be hashed into the token or the token encrypted (client-side won't have to "decrypt" that, just return it for authentication). Tokens should also time out after inactivity.
Also, having read your older question, I fear you could be trying to do something bad like sending a hash over the network and simply check that hash with your user table because JS side encoding was discussed there. If you like to implement some encryption algorithm on client-side, either make sure it's secure (difficult to do that unless you are into cryptography) or resort to SSL.
As the data from your Desktop App is unlikely to be sent via the $_POST array, I would say no. Websites and Desktop Apps are two completely different types of applications, and it would be unrealistic to think you could share much of the front-end code between the two.
I would try to abstract as much of the functionality as you can into core classes, and then create two separate front-end implementations that utilize the core, each in their own way.
I'm going to get really "limby" and go out on a freaking huge limb and say that this is what you're trying to do:
<?php
if(isset($_POST['username'])) {
require_once '../usermanagement.php';
$m = new usermanage();
echo $m->login($_POST['username'], $_POST['password']);
}else{
?>Put your login form HTML here<?php
}
This way you only need one login.php file.
I'm not sure how to describe this, but basically I have a PHP class file:
class HelloHello {
public function getSomeData($input_parameter){
// code to retrieve data from the database
}
public function deleteSomeData($input_parameter){
// code to delete data from the database
}
}
This class is on the server and is part of the backend that connects with a database, and it's meant to be accessed by the frontend SWF only (not to be directly accessed). I've setup Flex to read this class and access it. But how do I make sure that someone doesn't develop a script that can call this php file directly and access its methods? For example using a script to add data in a fast automated way, or use the delete method directly, ouch.
Is this a legitimate concern, or this can't be done?
If a user can view it through your flash application, the user can view it with his application. You could go through the [ugly] mess of trying to "secure" your script by introducing cookies and authentication and the like, but thats messy, and of course, it can be gone around.
Instead of trying to stop others from accessing your php file, focus on making it more secure.
If you know the url where swf runs, can't you just in PHP limit the requests to that url? Disregard all other requests.
You can secure your file by adding security and authentication. If you cannot do that (it is a public application) you should implement some techniques which can prevent specific situations: do not allow calling your script too many times per second from the same IP, add CAPTHCA in order to check that the entered data were from a human and not a machine and maybe another ones.
You could also implement a challenge-reponse security system that makes sure the client you use is actually the intended recpipient of the data. That way, you would embed a secret key into the SWF. The PHP app sends a one-time string, the client does something to it according to its secret and then sends the answer back -- which your server can validate and then continue to run.
For some basic mathematical foundations to this, there's quite some documentation online.