PHP code safeguard technique for Remote call, scenario based - php

I am thinking about safeguarding my PHP code in a different way for my project, but it may be a childish method. Please let me know alternatives or the pros and cons of this method.
Both client and server has LAMP.
Client system holds client sensitive data, which will not be shared to the server.
Client will have Auth key to access server.
When the client requests the server using the Auth key, after the server verifies it, the server will send the PHP code to the client for execution. The PHP code will be executed on the client and it will connect to other sites from the client for processing.
Client will use remote include to get code and execute.
<?php include('http://www.example.com/clientCode.php'); ?>
Client side files are provided by the Server admin, as ioncube or zend safeguard encoded ones.
So they will not know the PHP code (my assumption).
Also client server interaction will be processed through secure connection.

Including the remote file like that might not work as expected, as the included file is actually executed on the remote server and the result is included in the script that invokes it, not the actual PHP code from the included file.
If that is what you wish, then that's ok; but you can't transfer the actual PHP code from the remote server.
However, if you MUST transfer the actual code from the remote server to the client, then you could create an API that takes care of the authentication and authorization of the client, reads (without interpreting) the desired PHP file, and then sends it to the client. You could then either eval the code, or cache it as a local file on the client.

You will need special encryption software like Zend Guard if you want to protect your code from your clients.

Related

Safe way to regularly update a local copy of a file residing on github without using a git client

My software written in PHP requires a daily update of a text file which is available on github.
I plan to use php/curl via cron, but my concern is that there is always a chance that network connection fails and the content of download can be partially damaged which will screw the purpose of my software.
Can you recommend any method how I can verify the download to be sure the downloaded file is a correct copy of the one stored in github? Because of local environment I am unable to use a git client.
You should use a call to the GitHub API. There's an API endpoint which provides a JSON-encoded response including a Base64-encoded content of the blob, which you can extract from the JSON.
You'll know it's intact because the JSON blob will be complete; if it's not, then your client will fail to parse the JSON. You'll have to implement suitable error handling if the network connection fails, which you can do in most non-trivial languages. You should also implement backoff logic in case your client gets rate-limited (that is, gets a 429).
The general raw endpoints in the web interface aren't intended for programmatic downloads, so it's not recommended to use them for automated systems.
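An added example (not part of the answer above) of the check it describes, taken one step further: besides relying on JSON parsing to catch a truncated body, it compares the decoded bytes with the `size` and `sha` (git blob SHA-1) fields that the contents API returns. The sample response is constructed, and the function names and local path are hypothetical.

```php
<?php
declare(strict_types=1);
// Return the file bytes from a GitHub contents-API response body, or throw if the
// JSON is cut off or the bytes do not match the size and blob SHA-1 it declares.
function extractVerifiedContent(string $jsonBody): string
{
    // A download that was cut off fails here: truncated JSON does not parse.
    $doc = json_decode($jsonBody, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($doc) || ($doc['encoding'] ?? '') !== 'base64'
        || !is_string($doc['content'] ?? null) || !is_string($doc['sha'] ?? null)) {
        throw new RuntimeException('unexpected response shape');
    }
    // The Base64 text contains line breaks; strip them, then decode strictly.
    $bytes = base64_decode(str_replace(["\r", "\n"], '', $doc['content']), true);
    if ($bytes === false || strlen($bytes) !== ($doc['size'] ?? -1)) {
        throw new RuntimeException('content does not decode to the declared size');
    }
    // Git blob id: SHA-1 over the header "blob <length>\0" followed by the bytes.
    $blobId = sha1('blob ' . strlen($bytes) . "\0" . $bytes);
    if (!hash_equals($doc['sha'], $blobId)) {
        throw new RuntimeException('blob SHA-1 mismatch');
    }
    return $bytes;
}

// Install the new copy only once it is fully written (rename is atomic).
function replaceFileAtomically(string $target, string $bytes): void
{
    $tmp = $target . '.tmp.' . bin2hex(random_bytes(4));
    if (file_put_contents($tmp, $bytes, LOCK_EX) !== strlen($bytes) || !rename($tmp, $target)) {
        @unlink($tmp);
        throw new RuntimeException('could not install the new copy');
    }
}

// Constructed sample response (not real GitHub output) for a 12-byte file.
$data   = "hello world\n";
$sample = json_encode([
    'encoding' => 'base64',
    'size'     => strlen($data),
    'sha'      => sha1('blob ' . strlen($data) . "\0" . $data),
    'content'  => chunk_split(base64_encode($data), 60, "\n"),
]);
$target = sys_get_temp_dir() . '/daily-list.txt';   // hypothetical local path
replaceFileAtomically($target, extractVerifiedContent($sample));
try {   // simulate a connection dropped mid-transfer
    extractVerifiedContent(substr($sample, 0, 40));
} catch (JsonException $e) {
    echo "truncated download rejected; existing copy kept\n";
}
```

The `sha` value arrives in the same response as the content, so this detects transfer damage, not a tampered source.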

In a PHP file, recognize the key placed in the manifest file of an app

In a PHP file is it possible to read a key placed in the manifest of an Android app? In this way I would like the PHP file to process only the requests coming from a given app.
No.
Since PHP is executed on the server side and the application is on the client side, one cannot just simply access a file on the client via PHP. If this were possible, it would be quite a huge security risk, since any website could then basically read arbitrary files from the client, even those that the client wishes to keep private (e. g. private SSH keys, etc.).
As Alex Howansky mentioned in his comment, you could check the User Agent HTTP header coming from the client to identify the app. That is, if the app sends such a header. However, the user agent can be easily changed; most browsers offer some kind of setting or have plugins/addons that allow changing the User Agent string. Or in short: You cannot really trust the User Agent.

Is it preferable to retrieve information directly from one site or through my web server using php?

I have an application that retrieves some info from a certain public website and gives it to the user. However, I am not sure whether I should let my app connect to the target website directly or whether it should get the info through my web server using a simple PHP script (JSON).
Actually I am using Jsoup to get the information and I tried both and they worked perfectly (immediate and PHP) using Jsoup. However, I have not published my app yet due to the confusion mentioned above.
Use the web service. If your client has logic to parse the HTML, it can break when the web page changes. The web service can absorb this change and make corrections, but your client cannot. Not unless you release another version of your app, and that can be a pain.

Best way to secure a PHP web service / relevant connection data?

So I am currently building an application that uses PHP as a web service which subsequently talks to the database in which I store my data. I have chosen to take this route because I am going to have a front-end application that will talk to the database and will be distributed and I do not want to contain any sensitive connection data within it. As of right now, here is how my application works:
1) Client-side application packages data as JSON and sends it via AJAX to the external PHP web service.
2) The PHP web service receives the request and validates it. This validation is done by checking that the correct parameters were supplied via the query string, that the JSON string that was passed along is valid JSON, that the properties within the json_decoded JSON object have the same names as the JSON object that I'm expecting, and that the value types of each property are of the correct type of the JSON object that I'm expecting.
3) If the JSON is valid then the PHP connects to a database and calls the stored procedure that corresponds with the input parameters. The connection data is kept in a separate config.php file and included in the web service.
4) If the database call succeeds, any relevant data is returned to the caller via JSON. Any errors that occur will kill the thread and return an error to the client.
Now, with this architecture, are there any screaming vulnerabilities that anyone sees? In order to better protect the connection data (as that is primarily what I would like to keep hidden from users) I am thinking about doing the following:
-Encoding the data in the config.php in a base of my choosing and then decoding it when connecting to the database.
-Obfuscating both the service and the config files.
Does this sound like enough in terms of protecting my connection values? Is there a better way to store sensitive connection data aside from a config.php file? Is there a way for somebody to easily get access to the .php file that contains the sensitive data? Any advice that you all can give me as to how to further secure this application from attacks would be greatly appreciated.
Best regards,
You could use the PHP OpenSSL libraries to encrypt sensitive data in your configuration files (rather than using security through obscurity). First use OpenSSL to generate a PKCS #12 certificate, then create a PHP page that uses the OpenSSL libraries to import that certificate and encrypt a section, or the whole, configuration file. Then from your PHP code that connects to the database, import that certificate again, and decrypt your sensitive configuration data, then use it to connect to the database. Depending on the size of the data you want to encrypt you may have to envelope the data with AES, then use the RSA keys to encrypt the AES key. This is getting a little complicated for everyone to implement themselves, I think I'm going to write a library for this, thanks for the idea.
Other than that, seems like you have some pretty good security.
From a server point of view...
If your database is on a separate server (which I'd recommend) - lock down the firewall to only accept requests from your web server.
You'd basically only allow access on port 3306 from the IP of your web server. If you're using something like Amazon Web Services this config is really easy to set up.
That way even if someone got the login credentials you'd have another barrier to entry.
Also, I'd make sure you're not on shared hosting, get a decent dedicated server for the web server with a reputable hosting provider that has a good SLA.
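An added example (not the answerer's library or code) of the envelope scheme suggested in the answers above: AES encrypts the configuration data and RSA encrypts the AES key. It assumes a throwaway key pair generated in-process instead of one imported from a PKCS #12 file; `sealConfig` and `openConfig` are hypothetical names and the config values are constructed.

```php
<?php
declare(strict_types=1);
// Envelope encryption: AES-256-GCM encrypts the config, RSA-OAEP wraps the AES key.
function sealConfig(string $plaintext, $publicKey): string
{
    $aesKey = random_bytes(32);   // fresh data key for every sealed file
    $iv     = random_bytes(12);   // 96-bit GCM nonce
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false
        || !openssl_public_encrypt($aesKey, $wrapped, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    // Everything needed to decrypt except the private key goes into the file.
    return json_encode(array_map('base64_encode',
        ['key' => $wrapped, 'iv' => $iv, 'tag' => $tag, 'data' => $ct]));
}

function openConfig(string $sealed, $privateKey): string
{
    $doc = json_decode($sealed, true, 4, JSON_THROW_ON_ERROR);
    $p = [];
    foreach (['key', 'iv', 'tag', 'data'] as $name) {
        $raw = is_string($doc[$name] ?? null) ? base64_decode($doc[$name], true) : false;
        if ($raw === false) {
            throw new RuntimeException("missing or malformed field: $name");
        }
        $p[$name] = $raw;
    }
    if (!openssl_private_decrypt($p['key'], $aesKey, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('cannot unwrap the data key');
    }
    // GCM checks the tag, so an edited file is rejected instead of decrypting to garbage.
    $plain = openssl_decrypt($p['data'], 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $p['iv'], $p['tag']);
    if ($plain === false) {
        throw new RuntimeException('config was modified or the key is wrong');
    }
    return $plain;
}

// Throwaway key pair for the demo (assumption: a real setup loads the keys
// from the PKCS #12 file the answer mentions, e.g. with openssl_pkcs12_read()).
$pair   = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$config = json_encode(['host' => 'db.example.internal', 'user' => 'svc', 'pass' => 'constructed']);
$sealed = sealConfig($config, openssl_pkey_get_details($pair)['key']);
var_dump(openConfig($sealed, $pair) === $config);
$bad = json_decode($sealed, true);
$bad['tag'] = base64_encode(str_repeat("\0", 16));   // simulate tampering
try { openConfig(json_encode($bad), $pair); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

The private key still has to be readable by the PHP process that connects to the database, so this protects copies of the config file (backups, repositories) and not a compromised web server.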

jQuery getJSON() - What server is called?

When using PHP I can use file_get_contents or cURL to get a URL.
jQuery runs on the client
In jQuery there is a function called jQuery.getJSON(). Javascript is run on the client. What server is used for the download of the JSON code of the external URL? What information does the called URL know about? Does it know of the domain? The IP of the client user? It's a client language.
Preferred for many requests
To make many requests, is it safer to do this with Javascript than PHP because it runs on every client instead of one server point?
What server is used for the download of the JSON code of the external URL?
The one that the domain name in the URL passed to that function resolves to.
What information does the called URL know about?
It is an HTTP request, like any other. The usual information will be available.
Does it know of the domain? The IP of the client user?
Of course.
It's a client language.
… making an HTTP request.
To make many requests, is it safer to do this with Javascript than PHP because it runs on every client instead of one server point?
You control the server. You don't control the client. JavaScript can be disabled. It is safer to make the request from your server.
(For a value of "safe" equal to "Less likely to fail assuming the service you are using doesn't impose rate limiting")
Because of the Same Origin Policy all requests made in JavaScript must go to the domain from which the document was loaded. It's a standard HTTP request, so the server will have the same information it would if a user was just navigating around (including cookies, etc.) From the phrasing of your question it appears you need to make requests to some external site, in which case making those requests from your server which is not subject to such a security policy would likely be best.
In jQuery there is a function called jQuery.getJSON(). Javascript is run on the client. What server is used for the download of the JSON code of the external URL? What information does the called URL know about? Does it know of the domain? The IP of the client user? It's a client language.
The code that runs your web browser is only on your PC, too, yet it is perfectly capable of retrieving content via the HTTP protocol from a web server, and has done so for several decades.
AJAX requests are no different. jQuery creates an XMLHttpRequest object that performs an HTTP request in a manner uncoupled from the general page context. As far as the server's concerned, it's just an HTTP request like any other.
The text contents of the result you get back happen to be written in JSON format, but the HTTP layer neither knows nor cares about that.
