I recently built a web application for my company, and now they want it to support an offline mode. To complicate things, my company is very concerned about security and does not want me to use Xampp or Mamp. The application handles sensitive data and they think these programs will somehow make the data visible to the outside world (although I'm entirely sure this would be the case).
Anyways, I'm looking for a way to allow my application to run offline, and to also support the following technologies: PHP, MySQL, jQuery. The most difficult part of this is I need to execute PHP code outside of the typical server environment.
Can anyone please give me some advice on how I could implement such a system, and any associated vulnerabilities that I may face in terms of security and data storage?
Assuming you're installing this for an individual user on their machine - your best bet is to install apache/php/mysql, and configure apache to reject connections from any remote IP address.
The environment should be basically identical to your current application, but with only 1 user in the system.
There are some strange points in your question
now they want it to support an offline mode
Well, that's easy enough - get familiar with html5's offline features
To complicate things, my company is very concerned about security and does not want me to use Xampp or Mamp
Have you deployed your web app on a desktop machine? Or do you mean you are forbidden to use a web server? Xampp/Mamp are development tools - your public-facing applications should be on a machine configured specifically for that purpose with a web server running apache/nginx/iis/PHP5.4-builtin/whatever you like.
The most difficult part of this is I need to execute PHP code outside of the typical server environment.
How is your environment non-typical? Mike mentions php-gtk - but IMO you shouldn't go down that route unless your requirements are "desktop app" + "absolutely must be written in php" - which is unclear from your question.
any associated vulnerabilities that I may face in terms of security and data storage
Well, anything you put in local-storage on a client (browser) the user can access - just bear that in mind. Don't send sensitive data to what is, from your perspective, an insecure and pseudo-public location i.e. some user's browser cache.
If you want to run html/javascript, you will probably need to run this in a server/client environment because a browser isn't capable of running the php, and the php app as a stand-alone app needs something to parse the html/css/javascript (it needs the browser for its presentation view).
Best course of action is to put the application onto a server that you control access to. Set the access controls to specific IP addresses only, or even better if you can run it off an intranet behind a firewall where no one outside the network would be able to get to it.
PHP can run on a desktop environment, but the key here is that it won't run the javascript/html you use to display. You could use php with a third party library like php-gtk to make a desktop app that doesn't need a server or browser, but php-gtk doesn't have the best support.
If the application needs to store data for other computers/users to access, then it needs to be on a network. If it doesn't need to do this you might consider using a different programming language geared toward desktop applications so you can keep it entirely offline (such as Java or .NET).
Right now we have an Ionic project that is almost finished that comes with a php backend. To make the backend a little bit more secure against influences from outside we would like to make the backend only accessible from within the ionic project (native app). I tried to restrict it by domain but since a native app doesn't have a domain that's not gonna work.
I can't show any code because I'm absolutely clueless on how to approach this.
Thanks in advance
we would like to make the backend only accessible from within the ionic project (native app).
Given the existence of reverse engineering and the futility of DRM, what you're asking for is, strictly speaking, not possible in absolute terms. Anyone can take your app, analyze its code/behavior (usually with freely available tools), and write their own app that communicates with your server.
To make the backend a little bit more secure against influences from outsite
Given that the above is impossible, what is your threat model? What attacks are you trying to protect against? You should assume that clients are malicious and validate all input on the server side. If you do that, then you don't need to worry about whether or not someone used your native app to communicate with the server.
Consider the workflow in this article, Building Secure Web Applications in PHP.
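As an added example (not code from the answer above), one way to act on "assume clients are malicious": the server identifies the user, not the app, with a per-user bearer token and validates every field of the body before anything reaches the database. The token store, the two message fields and the 2000-byte limit are assumptions made for illustration.

```php
<?php
// Added example: the server identifies the user, not the app, and validates
// every field; whether the caller is the Ionic app is deliberately irrelevant.
declare(strict_types=1);

// $tokenHashes maps sha256(token) => user id, an assumed stand-in for a table of
// hashed per-user tokens. hash_equals() compares in constant time.
function authenticateUser(array $headers, array $tokenHashes): ?int
{
    if (!preg_match('#^Bearer ([A-Za-z0-9._~+/=-]{16,512})$#', $headers['Authorization'] ?? '', $m)) {
        return null;
    }
    $presented = hash('sha256', $m[1]);
    foreach ($tokenHashes as $stored => $userId) {
        if (hash_equals($stored, $presented)) {
            return $userId;
        }
    }
    return null;
}

// Only the two expected fields are accepted, each with a strict type and range check.
function validateMessage(array $input): array
{
    $errors = [];
    foreach (array_diff(array_keys($input), ['recipient_id', 'body']) as $extra) {
        $errors[] = "unexpected field: $extra";
    }
    if (!is_int($input['recipient_id'] ?? null) || $input['recipient_id'] <= 0) {
        $errors[] = 'recipient_id must be a positive integer';
    }
    $body = $input['body'] ?? null;
    if (!is_string($body) || $body === '' || strlen($body) > 2000) {
        $errors[] = 'body must be 1 to 2000 bytes of text';
    }
    return $errors;
}

// Constructed request: the token is valid, but the body smuggles in an extra field.
$tokenHashes = [hash('sha256', 'sample-token-for-this-example') => 42];
$user   = authenticateUser(['Authorization' => 'Bearer sample-token-for-this-example'], $tokenHashes);
$errors = validateMessage(json_decode('{"recipient_id": 7, "body": "hello", "admin": true}', true));
$ok     = $user !== null && $errors === [];   // only then does the INSERT (prepared statement) run
echo json_encode(['user' => $user, 'errors' => $errors, 'accepted' => $ok]), PHP_EOL;
```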
I'm making a web application, it's a kind of online shop using PHP, jQuery, AJAX and JavaScript.
I want to launch my site on only one PC on local host. How should I set my site so that it only runs on my single PC?
Even if anybody copies my code files and database files to his/her own PC it should not run on their PC. How to do this?
The one way I know is by using the IP address, but I'm not quite sure whether this method works or not.
If someone gains access to your source code then there is nothing that you can do to stop them.
When hosting it on your own you can prevent external access but beyond that there is nothing you can do.
You can use an encoder script to encrypt your source code, and some of these come with an ability to lock down to MAC address. I think they are all commercial solutions, though; start with IonCube and SourceGuardian. Zend might have something as well.
I would imagine each of these solutions would have comprehensive tutorials on their respective sites. Your workflow is basically to check out a copy of your source code from version control, and encode that folder as part of your build process.
Technically, encrypted code can be reverse-engineered, since the encryption key is built into the code. However, it is a lot of work for someone to do so, and even if they decode it, they won't have your comments or your meaningful variable/method/class names.
Make sure no one gains access to that PC (where your application resides). Only in that case can you protect your application from being run by an unauthorized person. Once you take this security measure then you can easily disable your application from being accessed from any other LAN computers by using your IP. This is how professional servers work, and so should you.
You can change the webserver binding to localhost 127.0.0.1 only.
Alternatively, you can create a filter rule so that the server only accepts remote connections from localhost/127.0.0.1.
With apache you can do this by .htaccess or directory/server rules.
When you want to share that code, you need to encrypt it with zend-guard or equal tools. There is also some licence management inside it, where you can bind licences to machines.
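Binding Apache to the loopback interface (`Listen 127.0.0.1:80`, and `Require local` in a Directory block on 2.4) is what actually keeps other LAN computers out. As an added example, not from the answers above, the PHP application can also refuse any request whose peer address is not loopback, so a later configuration change does not silently expose it; this only holds when no reverse proxy sits in front of PHP, and the helper names are invented here.

```php
<?php
// Added example: defence in depth behind the web server's 127.0.0.1 binding.
// Every entry script refuses to run unless the TCP peer is a loopback address.
declare(strict_types=1);

// True for 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x.
function isLoopbackAddress(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                           // not a textual IP address at all
    }
    $packed = inet_pton($ip);
    if ($packed === false) {
        return false;
    }
    if (strlen($packed) === 4) {                // IPv4: the first octet decides
        return ord($packed[0]) === 127;
    }
    if ($packed === inet_pton('::1')) {         // IPv6 loopback
        return true;
    }
    // IPv4-mapped IPv6: 80 zero bits, 16 one bits, then the IPv4 address.
    return substr($packed, 0, 12) === str_repeat("\x00", 10) . "\xff\xff"
        && ord($packed[12]) === 127;
}

// Call this first in every entry script. Only REMOTE_ADDR is consulted:
// X-Forwarded-For and similar headers are set by the client and prove nothing.
function enforceLocalOnly(array $server): void
{
    if (!isLoopbackAddress($server['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("forbidden\n");
    }
}

if (PHP_SAPI !== 'cli') {
    enforceLocalOnly($_SERVER);
}

// Constructed self-check for the command line, where there is no real peer address.
foreach (['127.0.0.1', '127.200.3.4', '::1', '::ffff:127.0.0.1',
          '10.0.0.5', '::ffff:10.0.0.5', 'not-an-ip'] as $ip) {
    printf("%-18s %s\n", $ip, isLoopbackAddress($ip) ? 'loopback' : 'refused');
}
```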
This is more of a general design kind of question. My major project is to create a native app for Firefox OS, which therefore means JavaScript, jQuery, HTML5 and CSS. This application should have several functions. But as a general design goes I need a local html,css,js application running under Firefox OS with the ability to access server php scripts and a mysql db, but because the application is running on the client side, I have a major problem with communication between application and server. Which technology, language, API or JS functions could I use for login check, registration, messaging? How can I access the server from local (on PC or mobile device) files? There is the possibility that I'm missing some point or that my whole understanding of the problem is wrong, but is this possible and how?
Apps are built using standard Web technologies with additional metadata that allows the User Agent to discover, install, launch, and grant them additional privileges.
So says MDN.
The usual way to interact with remote, shared databases is to place a RESTful HTTP front end in front of them and access that with JavaScript/XMLHttpRequest.
XHR, WebSocket or TCPSocket.
FYR:
https://developer.mozilla.org/en-US/docs/DOM/XMLHttpRequest
https://developer.mozilla.org/en/docs/WebSockets
There is no TCPSocket document on MDN, but you can study gaia email app.
https://raw.github.com/mozilla-b2g/gaia/master/apps/email/js/ext/gaia-email-opt.js
I am building an internal system for a small business and one of the requested features was to be able to go in to different apps by clicking a button on a web page.
So for example when you click on the icon for Coda it will open and be useable.
This does not need to work for Windows, only on Mac OS Mountain Lion!
How could this be done? or can it not be done?
Two options:
If the app can be opened using a registered URL schema, you can use that. For instance, an ftp://... link opens the default FTP application, a news://... link the default news reader. You can make up your own URL schemas. An application typically needs to register itself for a certain schema for this to work.
If that is not an option, you pretty much have to install a plugin in the client's browser that can do this via any mechanism it wants.
The problem that you face here is the way binaries and the web work. Compiled applications like cocoa apps will only work if at least their starting binaries are there. But this basically means that the user already has downloaded the binary.
Furthermore, these apps will create their own application preferences - so a downloaded version of Coda will have no license.
And if the user has downloaded your binaries, what will stop them from using your software forever? (Just apart from license problems with the authors of said software).
So, the only thing that you could do is to present them with some kind of VNC-like client that will grant them limited access to an environment that you have under control. But writing that is way out of scope for this site.
(I assume that the applications are not already installed locally, but are to be usable from the server).
I already know quite a few tricks with Android java and I have an application that I need to sync with a web application. What it needs to be doing is connect to a server and sync a database and download jpg pictures uploaded by users. The web application should also be for more users, each with his own phone and Android application on it, so it should probably be accessible via login and password.
My problem is that I have zero experience with web applications. All I know is a little HTML. So my question is, how should I start? What language do I use? And what basic structure or principle should my web application have?
Thank you!
I would recommend a PHP - MySQL solution. PHP and MySQL are open source and I know Java can interface with that kind of database. Both languages are well documented and PHP is similar to Java in that it is C-based, so if you know Java fairly well, PHP should be relatively straightforward for you. I would recommend heading over to Lynda.com and searching for PHP Essential Training with Kevin Skoglund. Lynda is a great online video tutorial site and you can access a good amount of the content for free. But if you're serious about developing this web application, I would make the investment (I was, and I did, and I am glad). That's how I learned PHP / MySQL for the most part.
First off, to do any PHP / MySQL development, you'll need to install a server onto your computer, such as WAMP (Windows Apache MySQL PHP - for windows), MAMP (Mac " " - for mac), or LAMP (Linux " " - for Linux), where you will be able to begin developing your application. This is your "test" server, or "development" server. For instance, I use MAMP since I am on a Mac. MAMP is free, as are the other versions, but you can pay for an upgrade. For your purposes, start with the free version. Essentially, *AMP comes with the Apache Server software, MySQL database installation, and PHP installation pre-packaged and ready to go with minimal configuration. From there, you can start writing PHP and MySQL and get your project rolling.
As a matter of fact, that title at Lynda.com, PHP Essential Training, will walk you through ALL of the steps I just stated, AND, uses an exercise project of setting up a basic Content Management System to include password protection, user login and authentication, as well as all of the essential PHP and MySQL that you'll need to go along with it. Seriously, check out Lynda.com.
Good Luck!
This is a very open question and you might get a huge range of different answers, neither of them perfect. However, I will try to put a simple response.
Have a single server and expose web services from it. These web services will handle the CRUD of the data (I will assume you will use a database and that you have experience with databases).
Web services are a big topic. If you want the simplest web services, and you're planning to use PHP, I will suggest using RESTful with JSON, since it will be very simple.
The web application should be within the same domain/server of the web services, at least for the beginning (if it grows, you can change this architecture), since that way you won't require using JSONP and just stick to standard AJAX (I will now assume you don't know what JSONP is, I will suggest reading: http://remysharp.com/2007/10/08/what-is-jsonp/ which is just the first result I got on Google just now ;)) and it will be easier.
You say you have experience with Android. I will assume you know how to consume web services using Java/Android. In case you don't, here's a sample of how to do it: http://www.codeproject.com/Articles/267023/Send-and-receive-json-between-android-and-php
Please note the PHP code there is pretty dirty, but as a "how to", I think it looks great. Only thing to note is: the sample uses HttpClient, while the preferred method is to use HttpURLConnection ( http://android-developers.blogspot.mx/2011/09/androids-http-clients.html)
Having said this, PHP + MySQL is standard. In the web app, you SHOULD USE HTML. Please, don't use Flash or Java Applets (I smiled a bit by even mentioning Java Applets in here). For all the communication purposes between the web service and the HTML client, I recommend using jQuery ( http://jquery.com/ ) with AJAX.
Don't go with a JSONP API unless you want other websites to be able to use your API.
This is only a quick approach created with the little information you have given. The more (and clearer) information you give, a better solution is likely to appear.
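To make the JSONP caveat concrete, here is an added example (not code from the answer above) that builds both kinds of response as arrays so the difference is visible from the command line; the allowed-origin list and the sample row are assumptions.

```php
<?php
// Added example: a same-origin JSON API needs no JSONP. Plain JSON stays
// readable only by the app's own origin (or one you explicitly allow later).
declare(strict_types=1);

// Origins allowed to read the API cross-origin if the front end ever moves
// to its own host (assumed list; not needed while both share one origin).
const ALLOWED_ORIGINS = ['https://app.example.com'];

// Plain JSON: browsers enforce the same-origin policy on XHR, so a page on
// another site cannot read this unless a CORS header names its origin.
function jsonResponse(array $data, ?string $requestOrigin = null): array
{
    $headers = ['Content-Type' => 'application/json; charset=utf-8'];
    if ($requestOrigin !== null && in_array($requestOrigin, ALLOWED_ORIGINS, true)) {
        // Opt in for one named origin only; never reflect an arbitrary Origin
        // and never use "*" on an endpoint that returns per-user data.
        $headers['Access-Control-Allow-Origin'] = $requestOrigin;
        $headers['Vary'] = 'Origin';
    }
    return ['headers' => $headers, 'body' => json_encode($data, JSON_THROW_ON_ERROR)];
}

// JSONP, shown only for contrast: the response is a script, so any web site
// can load it with <script src="...?callback=f"> and the browser sends the
// user's cookies along. Every site becomes a client of the API, which is
// exactly what the answer warns about.
function jsonpResponse(array $data, string $callback): array
{
    if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $callback)) {
        throw new InvalidArgumentException('callback must be a plain identifier');
    }
    return [
        'headers' => ['Content-Type' => 'application/javascript; charset=utf-8'],
        'body'    => $callback . '(' . json_encode($data, JSON_THROW_ON_ERROR) . ');',
    ];
}

// Constructed row standing in for a database record with per-user data.
$row = ['id' => 7, 'photo' => 'uploads/7.jpg', 'owner' => 'alice'];
print_r(jsonResponse($row));                          // same-origin AJAX: no extra headers needed
print_r(jsonResponse($row, 'https://evil.example'));  // unknown origin: no CORS header is added
print_r(jsonpResponse($row, 'handleUser'));           // a script any site can include
```

In a real handler the returned headers are emitted with header() and the body echoed; keeping them as data here is what lets the three cases be compared side by side.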