I have a PHP project on Google AppEngine which has grown popular among engineers in my community and I will like to open source it on GitHub so everyone can give a hand.
The main problem is that the code contains API keys which I want to keep secret but I don't want to remove it from the code so that people can test the code they write for the app before they commit, and I also want to be able to deploy the code directly from GitHub to GAE.
Is there anyway I can keep this API keys/passwords secret without removing them from the code?
In other words how do big companies like Facebook keep their DB passwords safe? So that not every engineer in Facebook can see the DB password in the code?
You cannot keep you id/pass in your code : No Good !
On AppEngine, you can define custom environment variables in app.yaml.
see : https://developers.google.com/appengine/docs/php/config/appconfig#PHP_app_yaml_Defining_environment_variables
It's far better for security.
Related
I keep reading that the Facebook SDK secret key should not be in your client-side code but I cannot find a tutorial on how to avoid doing this with the PHP SDK.
I'm not a seasoned developer so I'm struggling to translate the Facebook PHP SDK docs app security section into actual files and code.
Can anyone point me in the right direction?
In general, you shouldn't hard-code authentication credentials like API keys into your code. You want to avoid doing something like this:
$key = 'my secret key';
Consider the case where you commit this file to a source code control system. Now your credentials are stored there permanently, and anybody who has read access to the repository can make API calls on your behalf.
Instead, store the credentials outside the code base for your project. For example:
$key = file_get_contents('/path/to/secret/key');
Make sure that the file /path/to/secret/key is not in the repository for this project. Now, when you commit your code, it doesn't contain the actual key, just a reference to it.
PHP code is not client-side. Even if you write it in client files(like html), the PHP code you write inside the <?php ?> tags will not be sent to the client. The server will execute it, so as long as your API key is in PHP code, it will not be readable by the client.
Edit: If you plan to push your code to GitHub so it's public and can be accessed by everyone, follow Alex Howansky's answer.
I have a couple of questions. I hope people can give me a good view because I am stuck at the moment.
It's a year since I started developing so please bear with me.
How can I get data from a website that I don't own to my application?
I have done some database parsing before but that's all from my own website. I see people use different library's (HPPL for example).
But what if the website requires users to login? And besides does that work on HTML only? What about if it's a PHP based site?
Should I get the external data directly on the iPhone when opening the app or should I use a middle-man approach (server between external website and app that handles the info)?
3) What is the best way to save login information so that a user doesn't have to fill in every time he opens the app?
I am a bit confused about all the stuff so maybe you can clear things up.
The question is extremely broad; so you will get pretty general answers.
Essentially, you are asking how to consume a web service. For that question, I'd recommend one of several tutorials online, like this one. There are others. That should give you a start.
You should understand the Cocoa URL loading system. The documentation is very complete. You can certainly use third-party libraries for this, such as AFNetworking; but I would recommend you understand the Apple -provided frameworks first.
But what If the website has a login ?
Depends on what sort of authentication we're talking about.
And besides does that work on HTML only ? What about if it's a php based site ?
No. Should be no different.
should I get the external data directly on the iPhone when opening the app or should I use a middle-man approach (server between external website and app that handles the info)
In general, a simple design should be favored over a more complex design so long as it meets your specifications. There's probably nothing the intermediate server can do that the iPhone cannot - but we don't really know your specs.
What is the best way to save login information so that a user don't have to fill in every time he opens the app I am a bit confused about all the stuff so maybe you can clear things up...
You will want to investigate the Keychain then. See this SO question for a bunch of tutorial references.
Ok, this isn't going to be the best quality question without a doubt. But I am looking for advice mostly on how to handle the next phase of an app I am developing. This is my first app in appmobi so things with it are a bit confusing to me still.
So generally speaking I am very used to working with PHP and sticking to browser based development. With that most of what I want to do with Facebook as far as the API's go for the graph I have done using the PHP FB-SDK. If your familiar with Appmobi then you know php is out well directly at least.
This app I am making, I have it working fine with everything else I am doing. I'm communicating with my server, people are logging in, people are registering, people are using the server for what its worth. But this Facebook bit has me stumpped. I want to offer facebook as a means of login/registration for my app, I want to post to facebook from my app pending a user approves it, and a handful of other things. But I dunno the best way to approach this through the app as its all static html based pages and javascript thus far.
So I am hoping someone will read through this all, and hopefully a handful of you that do, will know some means of doing what I want to do, Im not looking for someone to drop me a pile of code and give me the answer (nice as that would be). No I am just simply looking for what I should do to handle this between all the layers mentioned here to make this work. So I can start building this piece up.
Regarding Facebook, appMobi has recently added a Facebook object to the API you might use to be able to log into Facebook and access the Facebook Graph. You can find the Facebook API documentation here:
http://www.appmobi.com/documentation/jsAPI/facebook/index.html
There is a supporting document illustrating how to set up things on Facebook's side that can be found here:
http://www.appmobi.com/documentation/index.php?DOC=FACEBOOK_INTEGRATION
I'll do my best to post some sample code as well. I'm kind of working through the exact same thing.
Basically I have a new client that is after the following functionality from her accountancy website:
A client area in which here existing clients can log into.
a place within the log in are where clients can access documents
such as tax returns etc.
naturally this all needs to be very secure. My question is:
Is there a Wordpress plugin that can achieve this or is their an open source php framework out there that allows me to do this.
I could go through the process myself using php and mysql PDO but apart from encrypting the passwords i am not confident that the security i could program would be adequate. Any recommendations?
You could consider trying WP-Client
It's a Wordpress plugin that was built from the ground up to act as a client portal with the exact functionalities that you describe, plus much more.
http://WP-Client.com
If there are any plugins out there, they probably won't measure up to the amount of security you're looking for.
I would recommend storing all sensitive data outside of the public_html directory so that it is out of grasp for unwanted visitors/robots/etc.
You should also be encrypting all data sent/received with a SSL certificate.
It sounds like you're looking for a lot of functionality- the ability to upload these documents, access them based on users, etc. You may have to code something yourself or find a non-Wordpress solution that works for you. Perhaps you can use login credentials based off of the Wordpress installation...
Update
Since originally writing this I'm now in agreement with user1744188's answer below. WP-Client has been written specifically for this task, and for me it fills a big gap in the Wordpress market. The service I've been given is very good and I think it's priced well considering all the features and the resources you get.
It should definitely be noted, however, that the plugin itself is not open source. The main wp-client.php file in the root of the plugin is a big 0.5Mb monster of a file that has been encoded. Every method has been obfuscated and ties into some unencryption method using the licence key.
So it does what it does but you won't be able to extend or modify it easily.
Original Answer
I agree with John - I personally don't think I'd use Wordpress at all for this. However, I did a job not long ago and they sprung this requirement on me right at the end of the build so I had no choice.
I did it using S2 Member and it worked out well. Here's the ongoing thread on how to do it, the developer is a really helpful guy, he's produced a video to help and supported requests.
www.primothemes.com/forums/viewtopic.php?t=586
It's WordPress Plugin that connects with CRM to CMS, Means all your data will store in CRM for better management. you can find Here, They Prodive best solution for WordPress Client Portal.
I've been on this one for the last 2 days...
All I want to do is, with my username and password, access my Google Calendar events/calendars and create, edit or delete them with my PHP web application.
I've looked in the Google API, Zend Framework, OAuth 2.0 with google, etc and there is always a piece of information missing to make it work.
What is the quickest and simplest way, on a shared server to get to access my gcalendar? Is there a class/php function file somewhere that I can simply install in a www.websitename.com/include directory that will not make me want to pull my hair out?
I want to use already made functions like this : updateevent(username, pass, id, calendar, title, details, location, etc);
New APIs can be a little scary, especially to programmers who are still somewhat new to a particular platform. Google's Calendar API is very well-documented (like all of them) -- but you just have to read them. It's easy once you get used to it.
http://code.google.com/apis/calendar/v3/using.html
It basically involves this:
Acquire an API key
Include two files in your PHP code
Authenticate (steps up to this point only take a few lines of code)
Do what you need to do!
It's the only official and truly the easiest way to directly work with Google Calendar. What piece of information is still missing?