I keep reading that the Facebook SDK secret key should not be in your client-side code but I cannot find a tutorial on how to avoid doing this with the PHP SDK.
I'm not a seasoned developer so I'm struggling to translate the Facebook PHP SDK docs app security section into actual files and code.
Can anyone point me in the right direction?
In general, you shouldn't hard-code authentication credentials like API keys into your code. You want to avoid doing something like this:
$key = 'my secret key';
Consider the case where you commit this file to a source code control system. Now your credentials are stored there permanently, and anybody who has read access to the repository can make API calls on your behalf.
Instead, store the credentials outside the code base for your project. For example:
$key = file_get_contents('/path/to/secret/key');
Make sure that the file /path/to/secret/key is not in the repository for this project. Now, when you commit your code, it doesn't contain the actual key, just a reference to it.
PHP code is not client-side. Even if you write it in client files(like html), the PHP code you write inside the <?php ?> tags will not be sent to the client. The server will execute it, so as long as your API key is in PHP code, it will not be readable by the client.
Edit: If you plan to push your code to GitHub so it's public and can be accessed by everyone, follow Alex Howansky's answer.
Related
I want to sell a copy of my script to another person, my script is basically HTML AND CSS, but being a Checker, it needs a JS that passes the data to a PHP API and then it returns it to a of the index.
I know that the CSS and the JS are practically impossible to protect because they are on the client side, but I want to protect the Checker system.
How can I protect all my script? Can I put the PHP API on another server and from there transfer it to the of the shopper?
Or will there be a way to add code to the buyer's PHP API and have it check some data on my server, and if it is not there the Checker will not work?
In short, I want to AVOID leaving the PHP file in the buyer's script, because it is what makes my Checker work nd I want to prevent it from being stolen, since it is a personal checker.
Thank you very much in advance, I only know the basics of PHP and JS, currently I only master 100% HTML and all about CSS.
You could let the customer use your version of the software ( that you host yourself ) and restrict their access with something like an API key. You would need to check before each request if the api key is present and if it's still valid.
This would allow you to control who has access to your script, without having to "give" away your code.
API authentication, in itself, is a whole subject and can get very complicated. I would suggest you start with a simple API key and see how it works out for you.
The youtube channel fireship.io has a great video on the subject. I highly suggest you check it out.
You cannot really protect your JS because it executes on the user/customer computer. You can obfuscate it but it's a bad practice because it makes it had for your customer to debug and maintain their site and they will not buy your program.
In fact the customers are usually testing your service and integrate it before actually paying it.
You don't have to protect all your work, since copying the JS is pretty useless without the PHP. Only keep the PHP for yourself on another server.
I can't figure out what exactly to use for interaction between my site and the Telegram service (first of all - how to get the authentication process done using PHP and other stuff like chat among users).
On this page: https://core.telegram.org/api I haven't got an idea how to use those functions in PHP.
According to this page: https://telegram.org/apps
I have two choices:
1) The CLI-interface (unofficial, by the way): https://github.com/vysheng/tg
and it doesn't have an autentification function among others. In order to authenticate yourself, you need to run:
bin/telegram-cli -k tg-server.pub
and inside of the application you have to enter your cell phone and the secret code sent by SMS - after that you're authorized. Then you install https://github.com/zyberspace/php-telegram-cli-client and run telegram-cli as a daemon:
./bin/telegram-cli -dWS /tmp/tg.sck -k tg-server.pub &
Does it mean that I have to create tg-server.pub manually using PHP for each user which is trying to login?
2) Webogram: https://github.com/zhukov/webogram - but it's written on JavaScript and has very complicated code.
Dear Stackoverflow gurus, maybe you're more attentive than I am and could help me to recognize the right solution (or example, I don't know, the PHP snippet or anything else) for the user's chat based on the Telegram and PHP?
I would greatly appreciate it!
Thank you!
I have posted a step by step guide on getting your AuthKey (VB.net) here
The main challenge with Telegram API is the documentation... but if you can work through the first part - getting an AuthKey then i believe the rest should fall in place ... with some more effort.
Working through some GitHub src might be time consuming, it might be best to get a handle on the documentation and then work your way to building your own code for TelegramAPI from scratch
Most likely, PHP wrapper for Telegram API doesn't exist. I'd wager it's because communicating with Telegram servers from your server-side PHP code defeats both of the core features of Telegram: speed and security.
no speed - a message has to hop through one additional loop (your server) before it reaches the recipient.
no security - browser page will communicate with your server via AJAX or forms, I assume. This means sending data as plain text (unless you're on https), open to the whole world to see (if you were to sit on a public wifi, or something like that).
You can implement the Telegram API, it's a bit involved, but doable. But it's totally pointless, in my opinion.
As an alternative, just embed the webogram in an <iframe> or something :)
Now, you can use MadelineProto https://github.com/danog/MadelineProto - enought powerful PHP client for MTProto Telegram!
I have a PHP project on Google AppEngine which has grown popular among engineers in my community and I will like to open source it on GitHub so everyone can give a hand.
The main problem is that the code contains API keys which I want to keep secret but I don't want to remove it from the code so that people can test the code they write for the app before they commit, and I also want to be able to deploy the code directly from GitHub to GAE.
Is there anyway I can keep this API keys/passwords secret without removing them from the code?
In other words how do big companies like Facebook keep their DB passwords safe? So that not every engineer in Facebook can see the DB password in the code?
You cannot keep you id/pass in your code : No Good !
On AppEngine, you can define custom environment variables in app.yaml.
see : https://developers.google.com/appengine/docs/php/config/appconfig#PHP_app_yaml_Defining_environment_variables
It's far better for security.
We provide link aggregator service.
Terms:
1) client api: client api code, written in php, that we provide for our clients
2) client: client site, that uses client api to get ( from our server ) and display html links
Api is very simple.
All, what client is care about, is just to get and diplay links. Nothing more.
Currently, it looks something like this:
<?php
require_once('/path/to/lib.php'); // all logic is here ( what to send, log, ...)
$obj = new Obj();
echo $obj->getData(); // html links
?>
The problem is, that after upgrade of client api, we have to give it to each client to upload on their sites.
So, this is very inconvenient.
What do you think about following idea:
Place lib.php to server and upgrade client api so it downloads and eval that code.
So, we can control everything happening on client sites in one place.
What do you think ?
What should i take in mind ?
Thanks!
What do you think about following idea:
Place lib.php to server and
upgrade client api so it downloads and eval that code. So, we can
control everything happening on client sites in one place.
Any segment of code that is allowed to automatically update is a significant security concern.
Depending on how affluent your customer base is, it may be an acceptable risk. But more likely than not, they would not understand or be aware of the implications. This brings up another point which is often overlooked.
What should i take in mind?
What liability do you assume if something goes wrong, or a vulnerability is caused (or even suspected) by your code?
Anyone choosing to work with you would have to implicitly have faith in all of your systems.
Sorry, not on my watch.
After searching for many and many encoding/encryption softwares, I have came to conclusion that none of those can protect your source codes from reverse-engineering attempts.
Even iOncube, zend has decompilers out there. I even tried safeguardian but found that it can also be cracked. Most of the the softwares out there which doesn't require any server side prior installation are doing obfuscation of our source codes. By applying enourmous efforts on those obfuscated codes, it can still be cracked.
So i came to the conclusion, if i distribute only part of the source code running on my client's machines and then to obtain rest of the flow, client sends request to my server. So at that point i can recognize the genuinity of client and choose wheather to provide further required data or not.
I belive for this flow, client will have to obtain an API key or something like that first to make requests to my server. Please correct me if i'm wrong but it is more like to use Oauth client server model or something like that.
Can anyone provide me an example on such mechanism? Or atleast where i should start?
I do understand that reverse-engineers may find parallel way for missing codes but i think i can take my chances there instead of just obfuscation of my codes or byte code encryption provided by zend, ioncube etc. etc.
Any help will be strongly appreciated.
P.S. i'm adding an example for what i'm looking for-
For e.g. -
Lets say following is the php file residing on client's machine:
client.php
<?php
get_further_data($consumer_key,$consumer_secret)
{
----this will send request to server.php or so on my server with above keys to obtain $req----
}
some_function($req)
{
if($req)
{
----further processing on $req----
}
else die();
}
?>
Below is the file on my server:
server.php
<?php
get_requests($consumer_key,$consumer_secret)
{
----if the requesting host is valid and keys are binded to that host only then provide $req----
}
?>
In outh there is something like public key and private key etc. etc. i dont know that mechanism but whatever it might be, i haven't specified in above e.g.
I guess that RSA and oauth and all those things are really something promising. And yes this is all for just to protect few php codes and some data.. If you think its bit too much well then i might have much higher taste or may be facebook, google, twitter have also done bit too much to protect some codes and some data.
Cheers! lol
You can try phalanger and compile php for Windows.