Android Question Where to define password for security

tufanv

Expert
Licensed User
Longtime User
Hello,

I am using mysql database connection in my app to retrieve info from server. As Erel described in tutorial it is open to any attack because query is directly being executed via the php file.

So i defined a password to send with the qury and php checks for the password then executes the command. My question is in my app, is there any place that defining the password is more safer than other places. For example, if i define the password as string under process_globals is it much safer all defining anywhere within the app is same for security reasons ?

TY
 

sorex

Expert
Licensed User
Longtime User
to be honnest I don't see the point of sending a password with your request. it's also not safe unless you pay for https certificates.
with sniffing tools you can grab your queries & password easily and replace it with a truncate table query.

instead you should send commands to the php and not just plain queries.

the command(s) will be used to execute the right query in the PHP file.
 
Upvote 0

tufanv

Expert
Licensed User
Longtime User
Hello TY For the answer,

isnt it the same principle ? Anyone can sniff the commands and find what query it corresponds and than send the same command to server ?
 
Upvote 0

udg

Expert
Licensed User
Longtime User
Anyone can sniff the commands and find what query it corresponds and than send the same command to server ?

Yes, but any sniffer/attacker would be limited to queries prepared by you, so no "truncate" and other hazardous commands.
Have a look at this thread for a different approach about passwords and DB. Although the example pertains to B4J, the hash between password and "salt" code is of general use.

Umberto
 
Upvote 0

sorex

Expert
Licensed User
Longtime User
no because you use

http://site.com/getdata?op=getusers

you don't send any "select username from users order by username" over the net.

in the page you do a

switch($_GET["op"]){
case "getusers":$mysql="select username from users order by username";break;
}

getquery($mysql);

no way someone can inject stuff inthere.

and now you also have full flexibility so you can fill 1 json request full of data coming from multiple queries which is not really possible with the direct query method.

1 query/request with a lot of data is faster than 5 requests to get the same data in chuncks.
 
Upvote 0
Top