I have a web application that consists of a JavaScript frontend and a backend built with PHP, where the frontend makes some AJAX requests to the backend's URL, for example: api.examplesite.com?q=some_query and the results are returned back in JSON format.
Anyone who knows this URL, could directly call it and get the same results.
What is the best practice to make this URL unreachable from third parties, but still working for my application?
Any URL available for an AJAX call is available to the public web. To keep it "private" you can tie it to a user session or token, which you would initiate on your main page and persist across AJAX calls.
Also, if "some_query" is an actual SQL statement, this is considered extremely bad practice for an AJAX call. Your SQL should only be directly available on the server side, not any arbitrary client.
Actually there is no way for doing this. Your application is client side, so it need to get response from server. It means that it can be intercepted by client anyway.
You can use encryption to prevent someone who intercepted the data to be able to read it. You can use either symmetric cipher and hard code some key in the client side app (which is not good, because if the key is compromised then all traffic from all your clients can be decrypted) or you can use SSL/TLS for communicating with the server (which I think is the best solution if you transferring sensitive information).
The client has to be able to request the URL to use it. However, you could check to see if the request was made with ajax, and then return the information accordingly:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])
AND strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest') {
// I'm AJAX!
}
Check this out for more info
For security, you can try and force the numeric types or quote the strings BEFORE executing the query.
e.g.
$number = (int) $number;
$string = htmlspecialchars($string);
Oh right, for the answer: there is no way to make it unreachable.
Related
I have web application written in php and plan to add chat functionality to it. I decided to use node.js as this seems perfect for the job and php sorta stinks for this sort of things.
At some point I need to make sure that request to socket.io server is legitimate. I need to make sure the request is from page my php generated. trying to keep it simple I came up with this idea. Ok so the client/server process would be:
Client opens web page and php receives request. Php creates hash of some sort and contacts node http server via GET. This I was thinking to simply curl 127.0.0.1 and pass hash not sure if this would be as easy though with apache running already.
Node would receive this has and store it as property in an object so following requests from client would have access to it.
When curl comes back php renders the page and passes this hash to client.
Client makes request to node server on some port, passes this hash and node calls callback. Now node checks if hash is one of the properties of the object I described in step 2
If hash os one of the properties then process request, otherwise something dodgy is happening and ignore it
That is the general idea and I would like to know if this has any obvious flaws that I should consider before implementing. Any advice would be much appreciated.
Standart scheme. Use redis-memcached-RDMS for saving token on server side.
+ fast
+ you should implement mechanizm of token creation in one place
- all tokens may be lost in some cases
Signed cookies technique.
Create token on php side. Like
$token = some_special_hash_not_md5_not_sha1(
$userID . $server_side_super_safe_salt);
Send via cookies token and userID.
Check on node side is this token valid.
+ no db
- have to find function on node and php which produce identical signing
- you have to know a lot about crypto if you want create safe code
For example. If some_special_hash_not_md5_not_sha1() will be PBKDF2 some people may DDoS you with large $userID
Tips on signed cookies instead of sessions
I need to know if its possible to login to a website i am hosting that is asp.net mvc and on that login call a separate website function that is in php.
Also if it is possible how can I do it.
Yes this is possible, you have to post to the login page.
So if you use php use cUrl and set post option and values.
After the login i guess you want to do more? So you will need to save the session, so you can send that for the next requests as logged in user.
You may pass any kind of data around the web using (typically) GET or POST http requests. (There are others of course, but these two are the most typically used). In terms of login / user authentication, a commonly accepted standard to use is oAuth. No doubt there are libraries which help support the use of oAuth in both PHP and ASP.
Essentially, the programming language is irrelevant, as data is passed around on the other end of the application layer. The way you access this data may differ from language to language, but the transport method is usually always the same.
As an example, GET data is passed around in the URL:
location.com/?myparam=myvalue
A word of warning: You should always be using https when handling personal / sensitive data. Generally, both the sending and receiving devices should be doing so over https with a valid SSL license. This prevents third party data sniffing and most man in the middle attacks.
As for libraries which send requests, well php has cURL and asp.net has WebRequest
I want to upload information into a MySQL in ComputerCraft in Minecraft. ComputerCraft uses Lua. I tried to look for a way in Lua. I saw LuaSQL, but that was not a possibility because I can not install external files on the server.
I figured out a way that I can use a special function of ComputerCraft.
http.get(string url) Sends a HTTP GET request to a website, synchronously.
http.post(string url, string postData) Sends a HTTP POST request to a website, synchronously.
Then on the website side use $_GET to read the information to put in the MySQL database.
I want to protect this so you can not simply do that without using my program, but a simple password is not really safe.
Is there another safe way to protect the link?
It might be possible to generate a token, and include it with the program. However, no matter what, you are facing two serious problems:
1) Anyone with access to your software can reverse engineer it, and build fake software to follow whatever clientside security you have.
2) All data is transmitted through plaintext. So, anyone who is able to read network traffic between your client and server can see the full transmission.
So, my suggestion would be to write server software that heavily restricts what queries are allowed, and only permit those queries that your client needs to be sent.
I'm sending data from an Android app to a php script which recieves the information and procces it, I've found a security issue: if someone discovered the url (for example: mydomain.com/recievedata.php), anyone would be able to send data to my system.
What's the ideal method to ensure the client sending the data is the app?
Thanks!
One easy way that I've seen some companies do is to include a secret key. For example, you might have a secret=3CH6knCsYmvA2va8GrHk4mf3JqmUctCM parameter to your POST data. Then all you need at the top of receivedata.php is
if($_POST['secret'] != '3CH6knCsYmvA2va8GrHk4mf3JqmUctCM') {
header('HTTP/1.1 403 Forbidden');
error_log("ERROR: wrong secret: " . $_POST['secret']);
exit("Access denied");
}
You can easily generate the random string from random.org.
Of course, this is not the most secure method and that string might well be stored in plaintext in the APK (don't use this to send launch codes!), but it's easy and good enough to keep most people out. This might be adequate for, say, sending player scores for a game.
It's more like a PHP question. Here are the things you should do for security ;
Add a hash between your app and your PHP to sync (AKA secret key)
Make sure your script controls every input data
DO NOT send datas to query without escaping them (SQL Inject)
Try to use POST instead of GET or REQUEST
Keep your functions private as much as possible
Always parse the data you receieve (Check if its a number, or string or array etc)
With these, noone will be able to use any of your PHP files without your app. And they won't be able to receive any data without your permissions
The only proper way is not trusting the data you receive. Always treat it in a way suitable for crafted data coming from a bad guy.
I have an Android application from which I want to upload some data to a database on my web server. As the MySql java library has a size of about 5 mb, I don't want to include it with the application.
So I'll make a HTTP request for a php script and send the data with the URL as parameters. How do I make sure that only I can call this? I don't want people to sniff up the URL and call it outside my application.
Thanks
Use a simple static token to identify the client is yourself or in an advance way, first authenticate with a username/password, generate a token and use this token for further transactions .This token can expire after some time.
option1: http://[your request url]&key=xyz
where xyz is known only to you
option 2: first ping server with username password and upon successful validation get a dynamic token [dKey], store it locally.
then for further requests.
http://[your request url]&key=dKey.
option 2 is the one normally being followed.
The short answer: you cannot prevent sniffing.
But you can make sniffer's life harder by implement a some sort of internal authentication, GET/POST predefined parameters (or dynamic, but calculated by algorithm you only know how) exchange, hidden header fields, etc.
But all this could also be sniffed/reverse engineered.
A possible Overkill Way would be using some sort of asymmetric private/public key encryption/signature. Such as RSA. Your app will only include public key, and sign the request data with it. And your server-side will have a secret private key, it will use it to check validity of client requests.
I know very little about android - but it's not really relevant to the question.
If you want to prevent someone from sniffing the URL (and authentication details?) then the only option is to use SSL. On the other hand if you merely want to prevent other people from accessing the URL, its simply a question of authentication. If you're not using SSL, then that means you need to use sessions and a challenge-based authentication to avoid people sniffing the traffic. You could do this via digest authentication or roll your own code.
C.