Android Question: I want to connect via PHP hosting in a secure way

aeric

Expert
Licensed User
Longtime User
Yes, but it is expensive
I want a way to dart on shared hosting
Is it possible to have an example done in a very safe way?
Try to find a cheap VPS. There are some which cost as low as $3.95/month. I am using hostinger.

If you insist on shared hosting, which is a good start for a beginner, then try to implement some security measures.
For example,
  1. hash your passwords using a salt
  2. use prepared statements to prevent SQL injection
  3. connect using an API with a key
  4. catch your errors so the query is not shown on the page when an error occurs
and there are many more ways to secure your web application in production.

In my opinion, the point of an example created/shared by someone is to help a newbie understand the basic concept. If you request a "very safe" example, I don't think it exists. When you have understood the concept, you need to improve your own project by adding more and more security bit by bit through your own research. Only when you are confident or feel comfortable with the stability and security of your project should you move it to production.
 
Upvote 0
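The four measures in the list above, put together in one small PHP endpoint. This is an added example written for this thread, not code from the poster or from B4X; it assumes a MySQL table `users(id, username UNIQUE, password_hash)` and a config file outside the web root that returns the API key and database credentials (both assumed).

```php
<?php
// Added example, not code from the thread. Assumed: a MySQL table
//   users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
// and a config file outside the web root that returns ['api_key', 'dsn', 'user', 'pass'] (assumed path/keys).
declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/../private/config.php'; // assumed: not reachable through the web server

function checkApiKey(string $expected, string $provided): bool
{
    // Measure 3: every request carries a key; hash_equals compares in constant time
    return $expected !== '' && hash_equals($expected, $provided);
}

function registerUser(PDO $db, string $username, string $password): bool
{
    // Measure 1: password_hash picks a random salt per password and stores it inside the hash string
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Measure 2: values travel as bound parameters, never as SQL text
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify reads the salt back out of the stored hash
    return $row !== false && password_verify($password, $row['password_hash']);
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

$config = require CONFIG_FILE;

if (!checkApiKey((string) $config['api_key'], (string) ($_POST['apikey'] ?? ''))) {
    respond(401, ['ok' => false, 'error' => 'invalid api key']);
}

$username = trim((string) ($_POST['username'] ?? ''));
$password = (string) ($_POST['password'] ?? '');
if ($username === '' || strlen($password) < 8) {
    respond(400, ['ok' => false, 'error' => 'username and a password of at least 8 characters are required']);
}

try {
    $db = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // driver errors become exceptions caught below
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]);

    switch ((string) ($_POST['action'] ?? '')) {
        case 'register':
            $ok = registerUser($db, $username, $password);
            break;
        case 'login':
            $ok = loginUser($db, $username, $password);
            break;
        default:
            respond(400, ['ok' => false, 'error' => 'unknown action']);
    }
    respond(200, ['ok' => $ok]);
} catch (PDOException $e) {
    // Measure 4: the query and driver message go to the server log, not to the page
    error_log('users endpoint error: ' . $e->getMessage());
    if ((string) $e->getCode() === '23000') {           // SQLSTATE 23000: UNIQUE constraint hit
        respond(409, ['ok' => false, 'error' => 'username already taken']);
    }
    respond(500, ['ok' => false, 'error' => 'server error']);
}
```

The client posts `action`, `username`, `password` and `apikey` as form fields over HTTPS; the only things that ever come back are a status code and a generic JSON body, so a failed query never reveals table or column names.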

alfaiz678

Active Member
Licensed User
Thank you
But what I mean is
Is it safe to use this method?
As the contact information will definitely change
It will be more powerful than these in the example
And the server name will be on shared hosting
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
I am not sure how you define or measure the level of safety. How sensitive or important is the data you store?
I can assume my data is safe if no hacker is visiting my server, even when I did not make it "safe".
If I make my application "more secure" by implementing a list of security measures, what I actually did is just make it more difficult, or take longer, for a hacker to get at my data.
It doesn't guarantee that my system is "unhackable".

PHP and B4X are just programming languages. We can't say which one is superior to the other.

First, you need to understand the problem. For example, SQL injection: how it happens and then how to prevent it.

For your question, I don't have an exact answer.

If it is a small project, I think it is not worth spending so much effort to make it super secure. Is your data really valuable to a hacker? Such as user bank account passwords or credit card information?

If you are just starting, don't worry so much about security. Make your small project work first.
 
Upvote 0

alfaiz678

Active Member
Licensed User
As for the data, it is not so important when viewed.
The only fear is of a hacker being able to delete or manipulate the data.
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
In most cases, if you are using shared hosting, the database (MySQL or MariaDB) server is located on the same machine as the web server (localhost). We do not need to worry about the connection between PHP and the database.

The real concern is how the client app connects to the server to retrieve data. You should set up your application or domain to use SSL or similar so the data transfer between the client and server is always encrypted.
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
You may have missed the example that I shared recently.
 
Upvote 0

alfaiz678

Active Member
Licensed User
You may have missed the example that I shared recently.

Nice
Thank you
This seems easier
Do you think it fulfills the purpose?

https://www.b4x.com/android/forum/threads/register-user-example-using-okhttputils2.52293/

And the foal on the stretch
 
Upvote 0

hatzisn

Well-Known Member
Licensed User
Longtime User
I don't know if php has web services but in .NET you just access the database locally in the server and the communications occur with web services.
 
Upvote 0

Unobtainius

Active Member
Licensed User
Longtime User
I was stuck on this way back when, and Aeric's sample helped me more than I can ever express.
I use it now as my preferred method of data access even though I have a full AWS web server and database.
My web code (initially PHP, but now ASPX) has SELECT, UPDATE, DELETE, INSERT, and runs stored procs.
My URL looks something like this:
//https:/mysite.co.nz/dblayer?ACTION=SELECT&fields=field1, field2, field3& table=customers&where=field1 > 200&order=customer_name&deviceid=78623467523
for stored procedures:
//https:/mysite.co.nz/dblayer?ACTION=EXEC_SP&sp_name=increase&deviceid=78623467523

Sending even quite raw SQL statements split up into separate web field query parameter thingies was me hoping this would negate SQL injection.
Also, any passwords needing to be sent or received are always encrypted.

It would also be possible to build the URL query as a single encrypted item and split it up on the web server,
so encrypt ?ACTION=SELECT&fields=field1, field2, field3& table=customers&where=field1 > 200&order=customer_name with B4X into a single variable
and send that as a single query parameter:
//https:/mysite.co.nz/dblayer?dothis=B4XencryptedString&deviceid=78623467523
That would hopefully slow a hacker up for a while.

The deviceid is one of a number of registered devices in one of my database tables.
In my case I use this as my preferred method simply because it means I can deny access to the database to all IP addresses other than my web server's IP address.
This at least gives me an approach to security that I can, if needed, explain to any concerned party.

Mostly for me it's a simple, understandable approach, and I'm a big fan of simple.
Being ASPX I could code a web service to handle my call, but I can't see the need, other than to put it on my resume.

I have a module with a bunch of the routines I need and use them in all my projects now. Although not perfect, it works really well for me.

B4X:
' Sends an INSERT to the dblayer endpoint as separate query parameters
' (fields, table, values, deviceid) rather than a ready-made SQL statement.
public Sub InsertData(Jobname As String, fields As String, tablename As String, values As String, ProgressMsg As String)
    'wait For (IsOnline) complete (Sucess As Int)
    'If Sucess = 1 Then
    ' Normalise line breaks inside the values so they survive the round trip
    values = values.Replace(Chr(13), "")
    values = values.Replace(Chr(10), "\r\n")
    'Log($"?ACTION=INSERT&fields=${fields}&table=${tablename}&values=${values}&deviceid=${Main.company.DeviceId}"$)
    'Log($"INSERT INTO ${tablename} (${fields}) VALUES (${values})"$)
    ToastMessageShow(ProgressMsg, True)
    UpdateComplete = False
    Dim Job As HttpJob
    Job.Initialize(Jobname, Me)
    ' Download2 URL-encodes each name/value pair; DeviceId identifies this registered client
    Job.Download2(Main.gblURL, Array As String("Action", "INSERT", "fields", fields, "table", tablename, "values", values,"deviceid",Main.company.DeviceId))
'    Else
'        ShowNoNetworkConnectionMessage(True)
'    End If
End Sub
 
Upvote 0
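A server-side counterpart to the dblayer URLs above, written as an added example for this thread (not the poster's ASPX or PHP code). It keeps the ACTION / fields / table / order / deviceid shape but never pastes client text into SQL: table and column names are checked against an allowlist, the WHERE clause is passed as `where_field`, `where_op` and `where_value` so the value can be bound, and `deviceid` is looked up in a registered-devices table. The `customers` columns, the `devices(device_id, enabled)` table and the database credentials are assumptions. Encrypting the whole query string, as suggested above, only protects it in transit; after decryption the server still has to validate the parts, which is what this does.

```php
<?php
// Added example, not the poster's code. Assumed schema: customers(field1, field2, field3, customer_name)
// and devices(device_id, enabled). Example request (deviceid value is a placeholder):
//   /dblayer.php?ACTION=SELECT&fields=field1,field2&table=customers
//              &where_field=field1&where_op=>&where_value=200&order=customer_name&deviceid=DEVICE_ID
declare(strict_types=1);

// Allowlist: the only table and column names a client may mention
const ALLOWED_COLUMNS = [
    'customers' => ['field1', 'field2', 'field3', 'customer_name'],
];
const ALLOWED_OPS = ['=', '<>', '<', '>', '<=', '>='];

function deviceIsRegistered(PDO $db, string $deviceId): bool
{
    $stmt = $db->prepare('SELECT 1 FROM devices WHERE device_id = :d AND enabled = 1');
    $stmt->execute([':d' => $deviceId]);
    return $stmt->fetchColumn() !== false;
}

/**
 * Assemble a SELECT from validated parts. Identifiers are taken only from the allowlist,
 * so they can be back-quoted safely; the comparison value is returned as a bound parameter.
 * Returns [sql, params]; throws InvalidArgumentException for anything not allowlisted.
 */
function buildSelect(string $table, array $fields, ?array $where, ?string $order): array
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException('unknown table');
    }
    $cols = ALLOWED_COLUMNS[$table];
    if ($fields === [] || array_diff($fields, $cols) !== []) {
        throw new InvalidArgumentException('unknown field');
    }
    $sql    = 'SELECT `' . implode('`, `', $fields) . '` FROM `' . $table . '`';
    $params = [];
    if ($where !== null) {
        [$wf, $op, $val] = $where;
        if (!in_array($wf, $cols, true) || !in_array($op, ALLOWED_OPS, true)) {
            throw new InvalidArgumentException('bad where clause');
        }
        $sql .= ' WHERE `' . $wf . '` ' . $op . ' :wval';
        $params[':wval'] = $val;                    // value is bound, never concatenated
    }
    if ($order !== null) {
        if (!in_array($order, $cols, true)) {
            throw new InvalidArgumentException('unknown order column');
        }
        $sql .= ' ORDER BY `' . $order . '`';
    }
    return [$sql, $params];
}

header('Content-Type: application/json');
try {
    // Assumed credentials; the DB user should only have the rights the endpoint needs
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    if (!deviceIsRegistered($db, (string) ($_GET['deviceid'] ?? ''))) {
        http_response_code(403);
        echo json_encode(['ok' => false, 'error' => 'device not registered']);
        exit;
    }
    if (($_GET['ACTION'] ?? '') !== 'SELECT') {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => 'unsupported action']);
        exit;
    }

    $fields = array_map('trim', explode(',', (string) ($_GET['fields'] ?? '')));
    $where  = isset($_GET['where_field'], $_GET['where_op'], $_GET['where_value'])
        ? [(string) $_GET['where_field'], (string) $_GET['where_op'], (string) $_GET['where_value']]
        : null;
    $order  = isset($_GET['order']) ? (string) $_GET['order'] : null;

    [$sql, $params] = buildSelect((string) ($_GET['table'] ?? ''), $fields, $where, $order);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    echo json_encode(['ok' => true, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
} catch (PDOException $e) {
    error_log('dblayer error: ' . $e->getMessage());   // detail stays in the server log
    http_response_code(500);
    echo json_encode(['ok' => false, 'error' => 'server error']);
}
```

The B4X side changes only in how the WHERE clause is sent: three name/value pairs in `Download2` instead of one `where` string. UPDATE, INSERT and DELETE actions would follow the same pattern, with column names allowlisted and every value bound.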