I am creating an app for my clients to add to their webpages. however, I am hosting the database that stores the info for this app. All I want to do is do all the queries on my server and somehow pass the $var to their server.
so what I was thinking was to have my PHP page with all the MYSQL credentials store on my server and give them a code that calls that page and outputs the stuff, something like
require_once('192.163.163.163/config.php');
But I bet this is the least secure way to do this. I don't want to give anyone access to the central database and I am handling all the requests. Do you guys have any suggestions that I can pull the data off my db and pass it to their server in a $var without opening any doors?
If you can't afford to give away your DB credentials or other internal details of your system but you need the clients to be able to read data from you, then the only really secure way to do set your system up as an API that the clients can call.
Don't try to combine the two systems into a single app; it will open up holes that cannot be closed.
To create an API is fairly simple in principle. Just create a suite of normal PHP programs that accept a set of pre-defined arguments return the data in a pre-defined format that can be easily processed by the calling program -- eg maybe a JSON structure.
The clients would then simply call your system via an HTTP call. They'd never need to see your code; the wouldn't need to be hosted on the same server, and they wouldn't even need to be writing their system in the same language as yours.
There's a lot more to it than that -- it is, of course, perfectly easy to write an insecure API as well, and you'll want to read up on how to write a good API to avoid that sort of thing -- but that's your starting point. I hope it helps.
Related
I built a very simple AngularJS Shop App that creates product orders.
As of now, the app just sends orders via email to the customer and retailer using PHP, but I thought it might be good to learn a bit how to use databases, and store/retrieve this orders (which are arrays) into a Cloudant.
But then I realized that to connect to the Cloudant service, the call looks like this:
https://{username}:{password}#username.cloudant.com/DB
I assume this is not very safe at all, as the call and credentials would be visible for anyone.
Also, in the App there's no need at all for anyone to have an account or login, which would partially help with security.
As I have 0 experience with Node or any other backend system, I'm wondering: Is it possible to make secure calls to a Cloudant service using only AngularJS (or PHP to store the sensitive values)?
I've read a bit about the one db per user, but it doesn't seem to help in my case, where I need one single DB to store all my orders.
Any tips would be highly appreciated.
If you need to expose your credentials in your API calls, you better not do them from the front-end. If you're using Angular and PHP, the easiest way to hide your auth info from the public would be the following:
Create a PHP file and move your API code to the back-end.
This will be a bit of work, but in the end the service login should happen on the server. This file should receive requests from the client and transmit them to the remote service, then return its response to the client.
Use AJAX on the front-end to make calls to the above PHP file, and proceed displaying its response to the user like you would handle an API response.
This way your API credentials aren't exposed to anyone checking your page's HTML source and you can keep most of your front-end logic the way you have it set up already.
As #ppajer said, I strongly discourage to use AngularJS to do what you want to do. Leave it on the back-end and use ajax to make the calls. Take a look at this repo, it may help you: https://github.com/osipov/bluemix-cloudant-php-sample
So I'm using http://socket.io with node.js and developing a chat to learn more about node.js
I use node.js to communicate with MySQL when users open the page.
But for bandwidth reasons I can't keep using MySQL for everything so I store a few variables in there. For example I don't want the user signed in twice, so I would store the socket ID for all users in JSON. If the socket ID already exists for that user (in node.js), then I would disconnect the socket.
This works fine, but let's say I wanted to disconnect a user, how would I go about doing that with PHP?
One option I've considered is maybe I update a table in the database with the required changes and then node.js checks that table every 60 seconds and does what it needs to do, then updates the table after the changes are completed.
Is that the best option or should I try to accomplish this with PHP? Obviously PHP would be more immediate -- but that's not too much of a concern for me.
It's quite simple:
Make sure your node.js code supports HTTP requests and not just sockets.
Add a route to perform any actions. For instance you could handle /api/disconnect/:userId which would do whatever you need.
In your PHP code, call the relevant URL using either file_get_contents or the cURL family of calls.
Of course, you want to make sure you have some decent security so that only your PHP script can call you webservices, otherwise you'd open the door to all sorts of attacks. In the short term, this could be done simply by only listening 127.0.0.1 and using that address to communicate.
Note that the title of your question does not actually match its text. You're not actually modifying the node.js code, you're just modifying the data it manipulates.
Not sure that I follow your description, however one thing that stands out is that you are considering modifying code using code. Don't. Self-modifying code (regardless if it split across separate components of a system) is a very bad idea.
If the socket ID already exists for that user, then I would disconnect the socket.
Exists where? Presumably in node.js.
While you could use the database to persist the data, I would try to inject the data directly into node.js from the PHP script. That eliminates the polling step. There is a question over how you re-populate the information into node.js after a restart, but that depends on a lot more information than you've provided.
I'm new to Android programming and I'm trying to create an app which needs a persistent remote database. Now, coming from Java and local databases, I've always connected application and database directly, without an intermediary.
I'm not seeing the point of this workaround, can someone please make this clear? I've tried searching on Google, but it seems everybody assumes this as a principles (or maybe I need to look for better keywords).
The most important argument that I can think of right now is SECURITY/QUERY VERIFICATION.
You most likely want to use an online database (perhaps MySQL) because you want to store shared information between ALL users of your application in it. The major difference between a local and an online database is that many many users have access to it - both writing and reading access.
So imagine you have your android application and now want to save some user generated data from it in your online database. Assume there is no PHP intermediary: The app directly sends the finished MySQL request to the database.
But what happens if someone looks into the source code of your app or uses any other way to manipulate that request? Let's say he changes a query from
SELECT * FROM user WHERE ID=9434896
to
SELECT * FROM user
Exactly - he gets all information from your user data table, including sensitive data such as passwords or E-Mail Addresses.
What evaluates these queries and prevents them from happening?
Your app surely doesn't, because the user can easily manipulate/change the app.Your MySQL database doesn't check them either, because it always assumes that the query is what the developer actually wanted. As long as the syntax is correct, it will execute it.
And that's what you need the PHP intermediary for:
You send values to a PHP file (e.g. check_login.php receives the values 267432(userid) and hie8774h7dch37 (password)), the PHP file then checks if these values are actually a userid (e.g. "Are they numeric values only?") and then builds a MySQL query out of it.
This way the user has no way to manipulate the query as he wishes. (He can still send wrong values; but depending on the situation it is also possible for a PHP script to check if the values are legit or not)
Perhaps this will give you some context. I built a game on Android and iPhone, and I wanted high scores stored in a remote database.
Security is the main reason you would do this. You should always do data validation on the server side, not client side. By doing it this way, my php script can validate input before making changes on the database. In addition, it is not safe to store database credentials in your apk file. This opens up a range of security vulnerabilities. Safer to keep this on the server side.
Secondly, by utilizing a single PHP script, I only need to debug/manage code that validates data and interacts with my database in 1 place... the php file. This saves me plenty of time rather than updating all of the queries and validating criteria in both the iPhone and Android instances.
I am sure there are other benefits to this approach, but these are the reasons why I do it this way.
It's an abstraction layer. You don't want to code your app to MySQL and then discover your backend is moving to MS-SQL. Also, you control how you present information to the user. If they have access, they can read everything. If you have an abstraction layer, then they can only get information by going through the proper channels.
i'm looking for a way to read/write a mysql database on a server from an iOS app.
There are a lot of answers that suggest to make a php script on the server and echo the response as JSON.
My question is: is it safe to do this?
I think that everyone with a firewall can see where my app points and run the script by itself so he can read all my data, doesn't it?
As a basic principle, yes using a php script to provide a RESTful interface is a good idea.
Yes people will be able to see the url you point to, so you need to consider safety properly. using SSL is a start, sending the data through POST, and perhaps including some sort of authentication to try and keep the number of unwanted connections down, I'm sure there are other options here as well. You can also consider using some sort of encryption, though thats a little outside my area of expertise
On top of that you should ALWAYS ensure that your inputs are sanitised, use the php script to ensure that only the queries you want to run on the DB are run. send the type of request & parameters to the php script, let it sanitise the inputs and build the query itself.
Create a serverside script like an api (using any scripting/server side language) that returns exactly what your app needs. Thus you don't allow the client to dump everything and make sure your query params are sanitized (better to use some ORM mapping framework instead of concatenating the query string)
I read some nice articles about how to connect to a remote MySQL database via Android.
Found some really interesting links here and here.
So the common way for getting data seems to be using some kind of webservice (interface, in this case a php script) which queries the db and renders the result in JSON (or XML) format. Then its possible to parse this output with the android JSON_Object implementation. So far so good.
Receiving data from the database and showing it up in a android listview was done in about minutes.
But what is the best practice for writing (inserting) data into tables?
Should a webservice be used here too? (or rather direct mysql conn)
What is the best method to push data to a webservice? (for ex. to insert a new entity in a database) and which format should be used?
In this case I do not use any html forms or anything to post the parameters. So how to post these parameters to the php script? (from within the android app!)
Of course this operation should be secure as well. Implementing a data manipulation machanism is bit more risky (in order to keep the db persistant)
I think, that many apps use some kind of DB, to synchronize data (ex: highscores).
So there should be a best practise for that.
I would recommend keeping anything database-specific hidden behind a web service.
If you build a dependency on MySQL into your application and later find that you need to change databases, the entire installed base has to be cut over. Think about the logistics of accomplishing that for a few minutes and you'll start to realize it's a nightmare.
Premiumsoft's Navicat for MySQL comes with a HTTP tunnel (PHP script) you might be able to use. It basically provides a method for doing anything to a MySQL database over HTTP.
I'd just make sure there are no licensing issues if you plan to distribute your app.