Android Question ExecuteRemoteQuery: More Security?

KMatle

Expert
Licensed User
Longtime User
Hi guys,

I played a bit with ExecuteRemoteQuery and it works perfect. I was able to handle several tables. Very nice!

As it calls a php script which will execute any given SQL on my server I wonder how to get more security on this.

Someone could disassemble my code to get the names of the script called and the table structures.

Any suggestions for me?

DonManfred

Expert
Licensed User
Longtime User
I'm using httputils2 too for all I need. But I don't put the SQLs into my app.

I just call a php script with some parameters.

B4X:
Dim Job As HttpJob
Job.Initialize(dummy, Me)   ' JobName is set explicitly on the next line
Job.JobName = "AddToCart"
Job.Tag = akt_art.Get("artID")
' Only the action name and its parameters are sent; the SQL itself stays inside the php script
Job.Download2("http://domain.tld/b4a.php", Array As String( _
    "action", "AddToCart", _
    "DeviceID", DeviceID, _
    "SimSerialNumber", SimSerialNumber, _
    "SubscriberID", SubscriberID, _
    "artID", akt_art.Get("artID"), _
    "lager", dropdown_lager.GetItem(dropdown_lager.SelectedIndex), _
    "anzahl", edt.Text _
))

I do everything like this one... Calling the php and giving all the parameters I need in php and returning JSON from php.

I use the parameters
B4X:
"DeviceID", DeviceID, _
"SimSerialNumber", SimSerialNumber, _
"SubscriberID", SubscriberID, _

to authenticate the call against our customer database... Combinations of these three parameters (I get them from the phone library) which are unknown cannot use the app.

It's a limited user group which uses my apps (I've been in the community for 1 year) but for them this authentication works fine.

KMatle

Expert
Licensed User
Longtime User
@DonManfred

I used your example but I got some problems with my php script. Could you please post the php counterpart here? Thanks!

What I've done is: Use "Get" to get the variables. But when I try to connect to the DB, MySQL is returning "Can’t connect to local MySQL server through socket /tmp/mysql.sock" (I'm using it on a hosted server).

Using RemoteQuery works without a problem.

nwhitfield

Active Member
Licensed User
Longtime User
I do something similar to DonManfred; there are a lot of people out there who, if they find a site that has a SQL server, will spend hours throwing everything they possibly can at it, to try and find a way in.

So, instead of talking to the server directly, I created an API script in PHP for my site's database, defining specific commands and their parameters, and the JSON format in which I'll return information. It accepts commands via POST, and returns JSON - and it also has the advantage that, if I decide I want to change the way the database works, as long as the parameters and JSON results stay the same, I don't have to change anything in the app; so, I just call the API using HttpUtils2 like this:

B4X:
Dim loginCall As HttpJob
loginCall.Initialize("auth",Me)
loginCall.PostString(BLUF.apiURL, "ACTION=login&APPKEY=" & BLUF.loginKey & "&USERKEY=" & BLUF.authCode)

If you're only doing a few simple things with your app, creating a whole API system is very probably overkill. But if you have lots of different tasks, and want to abstract everything, then it may well be worth the extra work involved.

On a side note, there are two reasons why my API uses POST rather than GET. Firstly (and potentially important on a shared server, where you may not be sure of all the security) it avoids parameters appearing in the server log files, which might compromise info, and secondly, it's very easy to POST information from jQuery, which means it's very quick to write web apps that interact with the server too.
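Since the thread asks for the PHP side, here is a minimal counterpart written as an added example (not DonManfred's or nwhitfield's actual script). It reuses the parameter names from the posts above and assumes placeholder database credentials, an APP_KEY shared with the app, and a cart table; each action maps to exactly one prepared statement, so the app itself never ships SQL.

```php
<?php
// Added example (not from the thread): PHP counterpart for an action-based API.
// The client posts action=... plus named parameters; the server only runs the
// fixed, parameterised statement registered for that action.
// Assumed placeholders: DB credentials, APP_KEY, and the 'cart' table layout.
const APP_KEY = 'replace-with-a-long-random-secret';
$pdo = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
header('Content-Type: application/json');

function fail(int $code, string $msg): void {
    http_response_code($code);
    exit(json_encode(['ok' => false, 'error' => $msg]));
}

// POST only, so parameters stay out of the web server's access log.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST only');

// Shared app key checked in constant time; a lookup of DeviceID/SimSerialNumber/
// SubscriberID against a customer table (as in the thread) would go here too.
if (!hash_equals(APP_KEY, (string)($_POST['APPKEY'] ?? ''))) fail(401, 'unauthorised');

// Action allowlist: required parameters and the single statement each may run.
// Client values are never concatenated into SQL, only bound as parameters.
$actions = [
    'AddToCart' => [
        'params' => ['DeviceID', 'artID', 'lager', 'anzahl'],
        'sql'    => 'INSERT INTO cart (device_id, art_id, lager, anzahl) VALUES (?, ?, ?, ?)',
    ],
    'ListCart' => [
        'params' => ['DeviceID'],
        'sql'    => 'SELECT art_id, lager, anzahl FROM cart WHERE device_id = ?',
    ],
];

$action = (string)($_POST['action'] ?? '');
if (!isset($actions[$action])) fail(400, 'unknown action');

$values = [];
foreach ($actions[$action]['params'] as $p) {
    if (!is_string($_POST[$p] ?? null) || $_POST[$p] === '') fail(400, "missing parameter $p");
    $values[] = $_POST[$p];
}

$stmt = $pdo->prepare($actions[$action]['sql']);
$stmt->execute($values);
$rows = $stmt->columnCount() > 0 ? $stmt->fetchAll(PDO::FETCH_ASSOC) : [];
echo json_encode(['ok' => true, 'rows' => $rows]);
```

Identifiers such as DeviceID or SimSerialNumber can be read out of a disassembled app or a rooted phone just like the script name, so treat them as identification rather than as a secret and keep the real authorisation decision on the server.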
