I'm sending data from an Android app to a php script which recieves the information and procces it, I've found a security issue: if someone discovered the url (for example: mydomain.com/recievedata.php), anyone would be able to send data to my system.
What's the ideal method to ensure the client sending the data is the app?
Thanks!
One easy way that I've seen some companies do is to include a secret key. For example, you might have a secret=3CH6knCsYmvA2va8GrHk4mf3JqmUctCM parameter to your POST data. Then all you need at the top of receivedata.php is
if($_POST['secret'] != '3CH6knCsYmvA2va8GrHk4mf3JqmUctCM') {
header('HTTP/1.1 403 Forbidden');
error_log("ERROR: wrong secret: " . $_POST['secret']);
exit("Access denied");
}
You can easily generate the random string from random.org.
Of course, this is not the most secure method and that string might well be stored in plaintext in the APK (don't use this to send launch codes!), but it's easy and good enough to keep most people out. This might be adequate for, say, sending player scores for a game.
It's more like a PHP question. Here are the things you should do for security ;
Add a hash between your app and your PHP to sync (AKA secret key)
Make sure your script controls every input data
DO NOT send datas to query without escaping them (SQL Inject)
Try to use POST instead of GET or REQUEST
Keep your functions private as much as possible
Always parse the data you receieve (Check if its a number, or string or array etc)
With these, noone will be able to use any of your PHP files without your app. And they won't be able to receive any data without your permissions
The only proper way is not trusting the data you receive. Always treat it in a way suitable for crafted data coming from a bad guy.
Related
I have built a simple read-only API for our database, so that users can retrieve data from our database.
For example, the URL "http://xxxxx/getAllProfiles" will return a JSON result containing all profiles stored in the database.
The API is read-only, it is only implemented with some 'select' SQL queries. Thus the user cannot modify any of the data in the database via the API.
My company worries the API will be exploited by some random bots online, and has been asking me to build a security mechanism for this API. (It is worried if there is no key or something that prevents anyone from accessing the URL, our server would be visited too much. It is a small server.)
What would be the simplest secure mechanism that I can implement, using PHP? (We are also using Slim for the API, Amazon EC2 server with Ubuntu and Apache running on it, if this helps.) Preferably it can be implemented without the use of any database on server or client side.
If there's anything not clear, please let me know, I'll clarify.
Thanks.
Add:
Thanks for the comments.
Is there a way to NOT use a database? Like a smart way to generate a key or something... I'm thinking I'll provide a page so that user can input the domain, and an algorithm will convert this domain to a key. Then, for each request, the user should include this key. The server will grab the domain from the request header and use the same algorithm to calculate again. If the two calculated key matches, the request is accepted. I think this, at a minimum level, ensures that at the beginning there must be someone to input the domain and get the key, thus filtering some random bots out?
I am not sure if this is secure (at all)? But it sounds to me like it can filter out something.
I posted this question when I know very little about web development.
There are many ways to secure a REST API, e.g. JWT, Cookie, Basic Auth, etc.
In my site, I am submitting information information that cannot be tampered with. Is there a way that I can prevent users from seeing the URL my app is requesting? In Google Chrome, it is very easy for users to see this.
I am submitting data to another website. They encrypt the data in their end but there isn't a way to encrypt the string parameters before and while they are being transmitted. This makes it easy for users to just copy the requested URL, change around the parameters, and do as they please. What options do I have to encrypt the string parameters?
You can't prevent them from seeing the URL if you are making the request from their client. You also can't trust anything on the client, so you can't encrypt something on the client.
Is there any reason you can't just send the data to your server, validate it, then forward it along to the target server? I'd say that is the correct option.
Dear user you can encrypt the url with md5 & mysql database
if you need random urls for every request
check
for more information its verry simple
http://il1.php.net/md5
http://il1.php.net/manual/en/book.mysql.php
with the random function pretty simple
i hope you get the idea or you can just use the post method and store data on the mysql database
and once its on the final step you can make it run in the background as all the data will not be seen by the user. and make sure in production version of website you put on that php file
// Turn off all error reporting
error_reporting(0);
Have a nice day
I want to upload information into a MySQL in ComputerCraft in Minecraft. ComputerCraft uses Lua. I tried to look for a way in Lua. I saw LuaSQL, but that was not a possibility because I can not install external files on the server.
I figured out a way that I can use a special function of ComputerCraft.
http.get(string url) Sends a HTTP GET request to a website, synchronously.
http.post(string url, string postData) Sends a HTTP POST request to a website, synchronously.
Then on the website side use $_GET to read the information to put in the MySQL database.
I want to protect this so you can not simply do that without using my program, but a simple password is not really safe.
Is there another safe way to protect the link?
It might be possible to generate a token, and include it with the program. However, no matter what, you are facing two serious problems:
1) Anyone with access to your software can reverse engineer it, and build fake software to follow whatever clientside security you have.
2) All data is transmitted through plaintext. So, anyone who is able to read network traffic between your client and server can see the full transmission.
So, my suggestion would be to write server software that heavily restricts what queries are allowed, and only permit those queries that your client needs to be sent.
I have a web application that consists of a JavaScript frontend and a backend built with PHP, where the frontend makes some AJAX requests to the backend's URL, for example: api.examplesite.com?q=some_query and the results are returned back in JSON format.
Anyone who knows this URL, could directly call it and get the same results.
What is the best practice to make this URL unreachable from third parties, but still working for my application?
Any URL available for an AJAX call is available to the public web. To keep it "private" you can tie it to a user session or token, which you would initiate on your main page and persist across AJAX calls.
Also, if "some_query" is an actual SQL statement, this is considered extremely bad practice for an AJAX call. Your SQL should only be directly available on the server side, not any arbitrary client.
Actually there is no way for doing this. Your application is client side, so it need to get response from server. It means that it can be intercepted by client anyway.
You can use encryption to prevent someone who intercepted the data to be able to read it. You can use either symmetric cipher and hard code some key in the client side app (which is not good, because if the key is compromised then all traffic from all your clients can be decrypted) or you can use SSL/TLS for communicating with the server (which I think is the best solution if you transferring sensitive information).
The client has to be able to request the URL to use it. However, you could check to see if the request was made with ajax, and then return the information accordingly:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])
AND strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest') {
// I'm AJAX!
}
Check this out for more info
For security, you can try and force the numeric types or quote the strings BEFORE executing the query.
e.g.
$number = (int) $number;
$string = htmlspecialchars($string);
Oh right, for the answer: there is no way to make it unreachable.
I'm developing a website where people will be able to register and access different data via Ajax (powered by jQuery). This is all simple and i shall have no problems doing. the issue is that the data showed by Ajax needs to be secure and not available to be parsed through remote scripts. I can encrypted the data through a AES (in PHP) and decrypt successfully in javascript, but the javascript code will always be visible to everyone (after login). I can use an obfuscator and javascript encryption, but both ways, even mixed, are not secure enough and decryptable. I would prefer avoiding SSL connections, since I am trying to prevent registered users from accessing the information and the SSL connection would only prevent unregistered users from accessing the data.
Registered users will be able to earn money therefore very interested in cheating the code, this is why it has to be bulletproof.
Unfortunately the system needs definitely Ajax (the whole working principle needs to be based on Ajax). The ideal solution would be a way to save the encryption key on a place that can be saved by php and accessed by javascript, but not by users, remote script parsers etc.
Does anyone know a way to create a secure Ajax connection for this purpose?
I really appreciate all your help.
You want something that browsers do not do.
You've asked for: "The ideal solution would be a way to save the encryption key on a place that can be saved by php and accessed by javascript, but not by users, remote script parsers etc."
The design of the web browser and javascript engine in the browser is such that any Javascript that the web browser can execute can be seen by a human who wants to look at it, steal it, borrow it, whatever. Period. There is NO such place that can be accessed by Javascript, but not by users or remote script parsers. You will have to rethink how your app works if this is a problem. Most likely, you need to keep the secret stuff on the server and do more work on the server and less work on the client in order to protect what you want to protect. If you think about it, a browser is just a remote script parser so if you prevent remote script parsing, you prevent a browser. If you allow a browser, you allow a remote script parser.
You can obfuscate your Javascript to your heart's content if you want. That will make it a little more work for a human to understand and do something useful with it, but it will only be an additional obstacle that any determined and competent person can defeat if they really want to. If this secrecy is really important to you, then you need to rethink the design of the app so that secret information is not required in the browser and the browser just works as a display and interaction engine.
Just so I'm clear here. Any code that can be executed by a browser must, by definition, be something that any user or any tool can download and inspect. You can use SSL to protect data from snoopers in transport, but it ultimately has to be readable as Javascript for the browser to be able to execute it.
You can't do exactly what you want. It's like a cheat-proof game design. You CAN make it HARDER, even MORE hard, but NOT 100% secure. You've got to solve the problem froma different approach, like, whatever that is, examine the actions at server-side (e.g. in a stateful manner) and try to detect any non-human behavior. But it's only a matter of someone creating a realistic bot that mimicks the behavior of humans. Encryption is used for preventing 3rd parties -- other than the server and the client -- from eavesdropping/capturing data, NOT for the client. I'm not saying give up on the whole thing, but try a different approach to secure the system. I want to help more, but don't know what exactly you are trying to achieve.
authentication is the only ways to do it.
Just get your users to authenticate (login) and send them the random seed and salt you've used to encrypt their data.
Without the seed/salt, even though a malicious user can decrypt your data it will still be garbage.
If you want javascript to use a piece of data then clients use that data.
If you don't want data to be re-used set up a server-side system where each chunk of data is only valid once.
Proper authentication should solve all these problems.
I want the users to be able to see the data only when Ajax displays them
Then load the data when ajax get's it and not before. Or only partially load data and off-load any sensitive work to the server.
i think the best practice is to make your code (production code) too mush complex to read and edit
you should rename all your variable with letters [a-z] you should not declare ny function always use function(){} inside of another to make it more logical complex this way
the client can still see the code but has nothing to do with it
EDIT: I realize now it's a terrible advice