I'm developing an online application that will have many outside users. As for now my connection method is to host a centralized database for all users, while they connect from their own server files.
Method:
PHP Connection File (hosted on their server; file provided by me) >> Connects to my MySQL Database
Now obviously I need to provide my database user and pw info, but I know that questions security.
So to my point, how would I provide database access to outside users(different servers) without giving up security.
Or if someone has a better method I'd love to hear it. Thanks!
Create an API in php, sort of webservice with an interface that you define and host this API on your server.
Each user (script that runs on users server and uses your API) needs a personal API key or access code they need to register to the webservice.
Take a look at well known API's like Google maps or something similar. Oh even stackoverflow has one
Create a signup form for users and store their own UserID and Password in a table on your site. Then create a PHP interface for them to upload their files. That way, you need only validate thier own UserID and Password through a HTML/PHP form to allow them to sign in, and your MySQL creds stay safely hidden.
Related
Be Clear: This question is not about password encryption/hashing to save into database.
I have developed a PHP application for a client. The application is installed on client machine with XAMPP (placed at htdocs/project_name). Client uses that application locally but the local database is synchronized with remote MYSQL database by Export Report button available on web interface.
My concern is when I store a connection string for remote database in my PHP code the username & password are visible to any guys who can hunt PHP script file and can see it. I don't even wish the client be able to view passwords used for remote connection/synchronization.
How can I achieve this?
You want to give user permission (login data) to connect to the
database but at the same time don't give him permission (login data).
The only thing that is on my mind to store login data corrupted,
and in code decrypt this data with some key hardcoded in the script. This is hackable,
but if the user is not programmed it is unlikely to do this
If you accept Kerckchoff's principle then it is impossible to provide an authentication which is available to a program run by a user without making that token available to the user. If you provided a better description of the problem, specifically the modes of operation you are trying to prevent then we might be able to provide effective solutions (e.g. encapsulating all data access in packages would restrict access to data for specific users).
On my local server I have written a script that takes a username & password and confirms it is valid against my LDAP server.
I have a web site professionally hosted on a remote server. I have a CMS on the remote server and I would like users to use their LDAP credentials to gain access to that CMS.
My plan is to have a login form on the remote server. The form will POST the username/password to itself using https. It will then use CURL to POST the username/password again but this time across the internet to my local server, again using https. My local server will be setup to provide a simple "TRUE" or "FALSE" as a response. If the remote server gets back TRUE, session variables are set to permit access.
Security-wise, is this a safe practise. Should I consider another way?
note: I'm not particularly proficient with cURL but I think I can figure out how to do the above.
LDAP - Lightweight active directory protocol which is used to communicate with your active directory server.
LDAP is there only to authenticate & access AD server in most secure way.
Here is the solution for problem :
Customize existing login functionality of your CMS in a way like - If user his details check with AD server using LDAP whether user is exist in AD, if yes update his credential to your DB(Also keep flag that user is AD enabled), if user is present is AD & not there in your DB create that one.
Likewise after some time al your user from AD server will migrate to your DB & you are not required to keep seperate application to for user migration.
Also every time authenticating with AD is best to provide security but its all up to you, because after migration of all user you can remove this functionaity.
I started to develop a web application as a major project for my degree. Purpose of app is not important. My problem is handling the login. I have no problem with setting up login with jQuery mobile, that is actualy working pretty well. Problem is I'm handling login with php script through ajax and creating session in that process. So for checking if user is logged in or not I'd normaly use a php script, but in this case I can't. I need to keep using only client side for authentication. What would be the solution for this? Can I handle authentication with some native jQuery functions or do I need to write some JS scripts? If anyone have any solution please I don't need actual code, just best solution. Thank you
You can achieve this as long as login authentication is restricted to the device. What I mean is that user-id / password combination can be stored locally on the device. You may choose local file system storage for this. Here are the steps:
1) Make user register with uid/password
2) Check uid is existing in your local storage. If not register by writing it to local storage.
3) Later when user returns, validate login credentials against the local store.
I assume you're developing a native app with a mobile web framework. In this case you have two choices:
POST the login details out to a server somewhere, authenticate and return the session, allowing the user access. This will obviously require internet access, but will be more secure.
Store the credentials in local storage using JavaScript when the user signs up. Encrypt this value and compare against it when the user logs in.
I am thinking of running a hosted service using Amazon Services (PHP + mySQL). What I like to do is have a site where someone registers, pays PayPal and returns to site where they will get an automated information to their mySQL account. So this mySQL account would only be used by them. They can create tables, etc.
Some questions are:
1) Is there a way to create a new mySQL account and table using a script? (PHP?)
2) Is there any open-source scripts out there that already does this that I can take apart and use?
3) If the above is not a good idea, any other suggestions.
Basically I want them to put files on their local web hosting (Hostgator, Dreamhost, etc) but be able to grab data from my database in Amazon. So I want each user to be limited to their own database and not mess with others. And they need ability to update tables.
Any suggestions & thoughts appreciated!
CREATE DATABASE, CREAT USER and GRANT commands needs a lot of privileges. You should be wary of using such an account in a web script. For one thing if a user is able to figure out your paypal call back URL, there is a possibility that he can post data directly to that url and cause mischief.
What I would suggest is for you to enter the details of the database and user accounts that need to be created into a queue (maybe held in a mysql table), and to run a scheduled task (maybe cron) to create them in the background. When you do that the script does not need to have access to an account with a high level of privileges.
As to how exactly a database and user account can be created; well you can treat them like any other queries.
CREATE USER: http://dev.mysql.com/doc/refman/5.1/en/create-user.html
CREATE DATABASE: http://dev.mysql.com/doc/refman/5.1/en/create-user.html
GRANT: http://dev.mysql.com/doc/refman/5.1/en/grant.html
This may be a job that phpMyAdmin can help with?
I am currently working on 2 web servers, One Coldfusion and the other PHP.
Right now, the Coldfusion server is my main server where users log in to access restricted data.
However, I have also begun using a PHP server and want to make it transparent for users to access a specific page on that server - that server requires log in information as well.
I do not want the users to log in twice.
Is there a way to accomplish this ?
Thx
UPDATE: Working in an Intranet environment, so I can't use any public solution.
UPDATE: Reason I am asking for this is because we are moving from a MSQL / Coldfusion environment (Initial server) to a PHP / ORACLE (new server). So I have 2 user tables as well (although they contain mostly the same information).
I am trying to faze out the use of our initial server in favor of our new server transparently to the user and thus I have to work in parallel for the time being.
Most single-sign-on solutions work a bit like this...
Main system authenticates use
User opts initiates a need to move to system 2
Main system authenticates the user with system 2 in the background
System 2 supplies a random, long and disposable token to Main system
Main system redirects the user, with the token, to system 2
System 2 checks the token (and other factors such as IP address) to validate the session
System 2 disposes of the token to ensure it can't be replayed
You would want to ensure that the transmission channels had some security on, especially where Main system and system 2 are talking to each other. You would want that to be a secure transport.
Store sessions in a database, and share them between the two apps.
You could use xml-rpc to get user data and log the user into the other site when they have a login cookie for the first one and vice versa.
Php manual page for XML-rpc
Here is what I have done, in running my own game server, had users on sql server, and on mysql, and wanted to integrate them both.
I made sure that if a user was created on 1 system, was also created on the other.
So you can modify code in both applications, to automatically create a user in other system if it is created on here.
Depending if both servers share a domain, can you do cross-domain sessions or cookies...But my best guess is to store and retreive data...
Or..
as a person logins/registers record their current ip address, on both servers, then check if this person was on the other server within 2-5 minutes, if so, use the ip address to identify them....
This system is tricky because timing is important, so your not leaving a huge hole in your security....But for short term, going between servers, this is simplest solution, in my own opinion.
Good Luck.
If you are on an intranet, you can actually sniff out the network username of the user from the PC they are logged into the network on using PHP. This assumes that:
You are using IIS to host your PHP application.
Your users are using Windows.
Check the section "2.2 Enabling Support for Detecting Usernames" here.
After that, all you need to do is investigate if the same is possible from Coldfusion, and you have the basis of an SSO solution based on the network usernames.
How about implementing an OpenID solution, much like the one apparent on StackOverflow?
You may benefit from dropping a shared object on the client machine via Flash or Flex. This object could then be read from ColdFusion/PHP/Python on servers that otherwise had no connection to each other or access to a common database.
Here is a simple example from the Adobe Docs
Maintain local persistence. This is
the simplest way to use a shared
object, and does not require Flash
Media Server. For example, you can
call SharedObject.getLocal() to create
a shared object in an application,
such as a calculator with memory. When
the user closes the calculator, Flash
Player saves the last value in a
shared object on the user's computer.
The next time the calculator is run,
it contains the values it had
previously. Alternatively, if you set
the shared object's properties to null
before the calculator application is
closed, the next time the application
runs, it opens without any values.
Another example of maintaining local
persistence is tracking user
preferences or other data for a
complex website, such as a record of
which articles a user read on a news
site. Tracking this information allows
you to display articles that have
already been read differently from
new, unread articles. Storing this
information on the user's computer
reduces server load.
Full Information: http://livedocs.adobe.com/flex/3/langref/flash/net/SharedObject.html