I am going to make a simple web app. It will only have a few pages at most, and the main focus of the app is making calls to an api and doing stuff with that info.
I want to know what the best way is to keep my api key secure. Are there extremely lightweight frameworks that I can use for this? Should I just create a php page at the root? I could build something with codeigniter, but that seems like it is too much for what I need.
Keep the API key in a file outside of your web root. Then include that file in any file that will require its use. By placing it outside of the web root it cannot be accessed directly through a web browser or other similar means.
<?php
// Assuming this file is in the web root
require('../api_keys.php');
Related
So I have designed a PHP application that uses an oAuth2 API integration to create a unique interface for a CRM. App is working great on my server, and am ready to offer it to my clients.
My initial idea for expanding this was to create a unique subdomain for each of them on my server, create a new database, and install my application onto that subdomain. My application only has one hard-coded file with the database login details, the rest is stored on a database.
The problem I see with this is it is inefficient. I am essentially going be putting in the same files in many directories, which doesn't make a whole lot of sense. Plus updating it would be annoying.
Since everything is being hosted by me, it was suggested that I create a core folder with all of the files. Then I could use a loader script to read the database settings, and then use relative paths to access the core folder.
My issue is how would this work? Suppose my core domain is https://core.mydomain.com and my customer url is https://cus.mydomain.com. Customer logins through their url. Now a customer wants to access https://cus.mydomain.com/person.php. How would I make that work, considering that file is not located there (since it is in the core folder)? Would this require using custom htaccess?
If my current idea is wrong, what approach would you suggest? I am not married to this approach, and am looking for an efficient way of updating and managing the app. Thank you!
Use a symbolic link?
https://en.wikipedia.org/wiki/Ln_(Unix)
You can create a folder with all your static files in /var/www/core/ and create a symbolic link in each customers folder.
ln -s /var/www/core /var/www/customer001/core/
this way all modifications in /var/www/core/ will be available to all customers
So I am confused on how to properly implement the Slim Framework into my use case.
I have a web app html/css/javascript that can not have PHP in it.
All I want to do is use Slim to do some simple GET requests via ajax.
How do I start the App to handle requests if it is never touched int he index.html file?
I'm guessing this has something to do with the .htacess file but not finding anything useful in my initial search.
Got some help on this from the Slim Discussion board.
Here is the answer and example.
Yes, the .htaccess file ensures that any request is handled by a single file (usually index.php but you could name it anything you want).
Your Ajax calls would presumably go to different URLs. Those requests would all be handled by the Slim app.
Example Here
Working on a mobile app that needs to use a public API for accessing a database (but this won't affect the question).
Anyway, I am using PHP with MySQL and the Android/iPhone app will make POST requests to the PHP files. I am creating the connection to the database and wanted to create a class to do it. However, I am unsure where to put actual login credentials for the database.
I saw mention of outside the webroot so it's more secure. Should I then create a database class inside /lib that handles the connection and includes the config.inc.php file? Or do you guys recommend something totally different?
What you're proposing looks totally fine to me. A config file outside of the web root with a properly configured web server is, generally speaking, totally fine from a security point of view.
I have a web app of which I would like to create a mobile version with jQuery Mobile. The existing application is built in CodeIgniter; I'll be using the same controllers, models where I can; (especially models since I'll be needing the same data anyway, might have to write new controllers).
I'm a bit confused as to how to get started. I want to put my mobile version on a subdomain (m.myhost.tld), however.. since my app is at www.myhost.tld and I don't feel like copying it all over to another folder and maintain two, I'm a bit confused.
I know I can use the User Agent library in CodeIgniter to detect mobile browsers and load views accordingly; I just don't know how to get this working with a subdomain. Do I need to customize my app/config/routes.php file here, or can I fix this with some .htaccess magic? I have next to none experience with .htaccess though. The only thing I know is how to remove my index.php from CI apps, and that's a copypasta snippet.
EDIT: I wonder if I can use a tutorial like this one to do what I want to do? It seems to be doing more or less the same thing, just with dynamic usernames instead of a simple 'm.'
EDIT 2: Some more information, I guess.
Say I detect mobile browsers using the User Agent library included with CodeIgniter. I want to direct these browsers to m.myhost.tld. However, the content that I want to display on the mobile website comes from a controller called mobile which I can also access through www.myhost.tld/mobile/; so my question is if there is a way to route a URL like.. for example www.myhost.tld/mobile/about to m.myhost.tld/about. I'm not even sure if this is possible, teehee. Still learning!
I'll be grateful for any advice you can give me. Thanks a lot!
If you want to share the same files in different hosts, you must assign the document root folder of your sites in your web server, this is an explanation for static files, but is the base to you understand.
browser -> host:z.y.xxx[ip.ip.ip.ip] -> web server -> read filesystem : document root + browser request path
so if your document root is:
/hosting/http/z.y.xxx/htdocs
and the request is /path-to-static/index.html the server try to read:
/hosting/http/z.y.xxx/htdocs/path-to-static/index.html
In conclution, you create the new host m.mysite.tld in your web server and you change the document root as the same of the you www.mysite.tld also you could use directives of host alias, like Apache ServerAlias directive. Have lot of documentation to how you could configure a web server.
You could handle the host name in php with $_SERVER['HTTP_HOST'] variable.
If you could specify more, I could help more.
have a nice day
There is this PHP script on my website which I don't want people to be able to run by just typing its name in the browser.
Ideally I would like this script to be run only by registered users and only from within a Windows app (which I will have to provide). Can this be done ?
Alternatively, how can I protect this script so that it can only be called from a specific page or script?
Also how can I hide the exact URI from appearing on the address bar?
Thanks !
If you are running Apache for your webserver, you can protect it with a username/password combo using .htaccess. It takes a little configuration if your server is not already configured to allow .htaccess. Here are the Apache docs.
If you need authentication based on application-specific factors, you can put something at the top of your script like
<?php
if(!$user->isLoggedIn()) {
// do 404
header('HTTP/1.0 404 Not Found');
}
Do you have a question about how you would implement isLoggedIn?
You can also use mod_rewrite to rewrite URIs, and those directives can go inside your .htaccess as well. mod_rewrite can rewrite incoming requests transparently (from the browser's perspective) so a request for /foo/bar can be translated into secret_script.php/foo/bar. Docs for mod_rewrite.
However you decide to implement this, I would urge you to not rely solely on the fact that your script's name is obscure as a means to secure your application. At the very least, use .htaccess with some per-user authentication, and consider having your application authenticate users as well.
As Jesse says, it's possible to restrict your script to logged in users. There are a large number of questions on this already. Search for PHP authentication.
However, it is not possible to restrict it to a single application. It is fairly simple to use a program like Wireshark to see exactly how the program logs in and makes request. At that point, they can reproduce its behavior manually or in their own application.
There are a variety of different ways that you could go about securing a script. All have pluses and minuses, and its likely that the correct answer for your situation will be a combination of several.
Like mentioned, you could lock down the account with Apache...it's a good start. Similarly, you could build a powerful 'salt-ed' security system such as this: http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-An-ObjectOriented-Approach/ If you use SSL as well, you're essentially getting yourself security like banks use on their websites--not perfect, but certainly not easy to break into.
But there are other ideas to consider too. Park your script in a class file that sits inaccessible via direct URI, then do calls to the various functions from an intermediary view script. Not perfect, but it does limit the ways that someone could directly access the file. Consider adding a "qualifier" to the URL via a simple get--have the script check for the qualifier or fail....again, not a great solution on its own, but one additional layer to dissuade the bad guys. If you have control of who's getting access (know exactly which networks) you could even go so far as to limit the IP's or the http referers that are allowed to access the file. Consider setting and checking cookies, with a clear expiration. Don't forget to set your robots file so the browsers don't stumble upon the script your trying to protect.
A while back my company did a membership app using Delphi on the front end, talking to php and MySql on the backend....it was a bit clunky given that we were all web application developers. If you're so inclined, perhaps Adobe Flex might be an option. But ultimately, you'll have to open a door that the application could talk to, and if someone was determined, theoretically they could dig through your app to find the credentials and use them to gain instant access to the site. If you're going the desktop app route, perhaps its time to consider having the app avoid talking to an intermediary script and do its work on the local machine, communicating the db that sits remote.
you can use deny access on .htaccess on a folder with a php authentification that will redirect to those php file