i'm looking for a way to read/write a mysql database on a server from an iOS app.
There are a lot of answers that suggest to make a php script on the server and echo the response as JSON.
My question is: is it safe to do this?
I think that everyone with a firewall can see where my app points and run the script by itself so he can read all my data, doesn't it?
As a basic principle, yes using a php script to provide a RESTful interface is a good idea.
Yes people will be able to see the url you point to, so you need to consider safety properly. using SSL is a start, sending the data through POST, and perhaps including some sort of authentication to try and keep the number of unwanted connections down, I'm sure there are other options here as well. You can also consider using some sort of encryption, though thats a little outside my area of expertise
On top of that you should ALWAYS ensure that your inputs are sanitised, use the php script to ensure that only the queries you want to run on the DB are run. send the type of request & parameters to the php script, let it sanitise the inputs and build the query itself.
Create a serverside script like an api (using any scripting/server side language) that returns exactly what your app needs. Thus you don't allow the client to dump everything and make sure your query params are sanitized (better to use some ORM mapping framework instead of concatenating the query string)
Related
Let's say I have a server and a php file "addUser.php" which accepts some parameters like "name" and "highscore".
The php will execute an SQL query to store the data in the database. (I know about input sanitization to avoid SQL Injection.)
I want to know how to stop users from calling
myserver.com/addUser.php?Name="it-a-me"&Highscore=9999
in browser or similar. I still want to be able to call this from my android app.
I know about User Agents but those can easily be changed using browser plugins etc.
So what's the best way to secure this?
As your goal is to stop your users from cheating highscore, you have to implement a system to trust their input to your PHP API.
For exemple, you can look at this https://codeburst.io/jwt-to-authenticate-servers-apis-c6e179aa8c4e
And include highscore in the signed payload.
So I'm using http://socket.io with node.js and developing a chat to learn more about node.js
I use node.js to communicate with MySQL when users open the page.
But for bandwidth reasons I can't keep using MySQL for everything so I store a few variables in there. For example I don't want the user signed in twice, so I would store the socket ID for all users in JSON. If the socket ID already exists for that user (in node.js), then I would disconnect the socket.
This works fine, but let's say I wanted to disconnect a user, how would I go about doing that with PHP?
One option I've considered is maybe I update a table in the database with the required changes and then node.js checks that table every 60 seconds and does what it needs to do, then updates the table after the changes are completed.
Is that the best option or should I try to accomplish this with PHP? Obviously PHP would be more immediate -- but that's not too much of a concern for me.
It's quite simple:
Make sure your node.js code supports HTTP requests and not just sockets.
Add a route to perform any actions. For instance you could handle /api/disconnect/:userId which would do whatever you need.
In your PHP code, call the relevant URL using either file_get_contents or the cURL family of calls.
Of course, you want to make sure you have some decent security so that only your PHP script can call you webservices, otherwise you'd open the door to all sorts of attacks. In the short term, this could be done simply by only listening 127.0.0.1 and using that address to communicate.
Note that the title of your question does not actually match its text. You're not actually modifying the node.js code, you're just modifying the data it manipulates.
Not sure that I follow your description, however one thing that stands out is that you are considering modifying code using code. Don't. Self-modifying code (regardless if it split across separate components of a system) is a very bad idea.
If the socket ID already exists for that user, then I would disconnect the socket.
Exists where? Presumably in node.js.
While you could use the database to persist the data, I would try to inject the data directly into node.js from the PHP script. That eliminates the polling step. There is a question over how you re-populate the information into node.js after a restart, but that depends on a lot more information than you've provided.
I'm new to Android programming and I'm trying to create an app which needs a persistent remote database. Now, coming from Java and local databases, I've always connected application and database directly, without an intermediary.
I'm not seeing the point of this workaround, can someone please make this clear? I've tried searching on Google, but it seems everybody assumes this as a principles (or maybe I need to look for better keywords).
The most important argument that I can think of right now is SECURITY/QUERY VERIFICATION.
You most likely want to use an online database (perhaps MySQL) because you want to store shared information between ALL users of your application in it. The major difference between a local and an online database is that many many users have access to it - both writing and reading access.
So imagine you have your android application and now want to save some user generated data from it in your online database. Assume there is no PHP intermediary: The app directly sends the finished MySQL request to the database.
But what happens if someone looks into the source code of your app or uses any other way to manipulate that request? Let's say he changes a query from
SELECT * FROM user WHERE ID=9434896
to
SELECT * FROM user
Exactly - he gets all information from your user data table, including sensitive data such as passwords or E-Mail Addresses.
What evaluates these queries and prevents them from happening?
Your app surely doesn't, because the user can easily manipulate/change the app.Your MySQL database doesn't check them either, because it always assumes that the query is what the developer actually wanted. As long as the syntax is correct, it will execute it.
And that's what you need the PHP intermediary for:
You send values to a PHP file (e.g. check_login.php receives the values 267432(userid) and hie8774h7dch37 (password)), the PHP file then checks if these values are actually a userid (e.g. "Are they numeric values only?") and then builds a MySQL query out of it.
This way the user has no way to manipulate the query as he wishes. (He can still send wrong values; but depending on the situation it is also possible for a PHP script to check if the values are legit or not)
Perhaps this will give you some context. I built a game on Android and iPhone, and I wanted high scores stored in a remote database.
Security is the main reason you would do this. You should always do data validation on the server side, not client side. By doing it this way, my php script can validate input before making changes on the database. In addition, it is not safe to store database credentials in your apk file. This opens up a range of security vulnerabilities. Safer to keep this on the server side.
Secondly, by utilizing a single PHP script, I only need to debug/manage code that validates data and interacts with my database in 1 place... the php file. This saves me plenty of time rather than updating all of the queries and validating criteria in both the iPhone and Android instances.
I am sure there are other benefits to this approach, but these are the reasons why I do it this way.
It's an abstraction layer. You don't want to code your app to MySQL and then discover your backend is moving to MS-SQL. Also, you control how you present information to the user. If they have access, they can read everything. If you have an abstraction layer, then they can only get information by going through the proper channels.
I am pretty new with this. I am trying to develop some android application in Qt/Qml to query and update data to a database.
The problem I'm trying to solve:
There is a server with a MySQL database. The android application request some data. I use a very very basic php file that query in the database, format an XML and show that file starting with a header('Content-type: text/xml'); sentence, then some echo "<...>" sentences. This php file receives parameters via $_GET array and performs the query.
This is a little archaic but works fine. My client application use Qt/QML for android. It uses XmlListModel to obtain the data from the server and show that data in a ListView.
So far so good, but here is my real problem:
The user of the android application can change some data, and the modified data must be sent back to the server, who performs an update in the database.
My first attempt was to create another php file and send the data in the URI, get it via $_GET and perform the update to the database. This works but there could be many variables and the URI will become very large. I think might be better to send an XML (or JSON) from the client to the server, and put in that file the data for the update.
So, this is the question: How can I send an XML file from Qt/QML to the server? How does the php file obtain that data? Or maybe there is another, better way for doing this.
Every example I find just shows the server-to-client part, or is written in Java, and I don't know java enough.
Additional notes:
After I can solve this I will fight with security: SSL, avoiding SQL injection or anything, but that will be in another question if necessary.
I didn't use SOAP or similar because the first ideas was simple. Also, I have never used SOAP before. If this is the right way, I would be very grateful if you show me how to use it from Qt/QML in android.
Of course, I can use C++ for the client application since it is using Qt.
I use Qt since I already know it and the app might be useful in desktop as well.
Sorry if I made any english mistake.
Thank you in advance.
I am creating an app for my clients to add to their webpages. however, I am hosting the database that stores the info for this app. All I want to do is do all the queries on my server and somehow pass the $var to their server.
so what I was thinking was to have my PHP page with all the MYSQL credentials store on my server and give them a code that calls that page and outputs the stuff, something like
require_once('192.163.163.163/config.php');
But I bet this is the least secure way to do this. I don't want to give anyone access to the central database and I am handling all the requests. Do you guys have any suggestions that I can pull the data off my db and pass it to their server in a $var without opening any doors?
If you can't afford to give away your DB credentials or other internal details of your system but you need the clients to be able to read data from you, then the only really secure way to do set your system up as an API that the clients can call.
Don't try to combine the two systems into a single app; it will open up holes that cannot be closed.
To create an API is fairly simple in principle. Just create a suite of normal PHP programs that accept a set of pre-defined arguments return the data in a pre-defined format that can be easily processed by the calling program -- eg maybe a JSON structure.
The clients would then simply call your system via an HTTP call. They'd never need to see your code; the wouldn't need to be hosted on the same server, and they wouldn't even need to be writing their system in the same language as yours.
There's a lot more to it than that -- it is, of course, perfectly easy to write an insecure API as well, and you'll want to read up on how to write a good API to avoid that sort of thing -- but that's your starting point. I hope it helps.