B4J Question jRDC2 is it safe?

ilan

Expert
Licensed User
Sorry for my ignorance, but I hear a lot of people saying that using PHP is not safe to connect to a MySQL DB.
And I hear Erel saying a lot that the best solution is to use jRDC2. So I tried it and watched his whole tutorial here.

I must say that I was surprised that everything worked. So I managed to run the example and it works fine.
So now I understand that I need to put the jar file on my server and connect the client to it, but why is it safer than other solutions?

I mean, the hacker could just search the server for the jar file, download it, extract it and get the config.properties file.
Right? Or am I wrong?

Thanks

EDIT: Oops!! Wrong forum. Please move it to the question forum. Sorry!
 

mangojack

Well-Known Member
Licensed User
I am very much still learning in this area, and have not used jRDC2 (unable to, due to my server).

But I am wondering if this is similar in a way to PHP. I have all the PHP scripts (with DB queries etc.) in my public WWW directory,
but the PHP config file (with credentials) is stored outside of the public directory root and called by the working script with the "include" keyword.

Can you place the .jar in a home root sub folder and still reference / call it, maybe?

I'm sure someone with more knowledge in this area will answer your question shortly.
 

aeric

Expert
Licensed User
I quoted Erel's statement from the tutorial thread.
jRDC2 can work with any database that provides a JDBC driver. All popular databases are supported.
It is much more powerful than the PHP based solution and it has excellent performance.
It is also safer as the SQL commands are set in the server side.

Disclaimer: This is based on my understanding and logic. I could be wrong.

Now let's see your question.
Sorry for my ignorance, but I hear a lot of people saying that using PHP is not safe to connect to a MySQL DB.
And I hear Erel saying a lot that the best solution is to use jRDC2. So I tried it and watched his whole tutorial here.
I am not sure where you heard a lot of people saying PHP is not safe to connect to a MySQL DB. Any system developed by a developer (with a programming language such as PHP, Python, C#, etc.) can either be vulnerable to a hacker, or it can be more difficult for a hacker to do something illegal. If someone develops with PHP in a proper way, I think it can be secured too.

I must say that I was surprised that everything worked. So I managed to run the example and it works fine.
One of the benefits of B4X (jRDC) over PHP is that the former makes it simpler when you want to switch to a different database. Let's say you have created an application with MySQL and you want to switch the database to MariaDB, MSSQL, PostgreSQL or SQLite. There may be more code to write, or you need to change the function names. For example, you need to use sqlsrv_connect() if you want to connect to MSSQL vs mysql_connect() for MySQL. However, I use PDO when developing with PHP, which is more convenient and cleaner. I see in many tutorials or sample projects about PHP that the developers connect to the database in every function on every PHP page without using a class. They are not following DRY (Don't Repeat Yourself).

Regarding performance, PHP depends a lot on other engines like Apache or Redis, whereas jRDC itself is the server and application in one. It is also compiled, compared to PHP which is interpreted at runtime, until you get JIT (just-in-time compilation), which will be available in PHP 8. jRDC is based on the very high performance Java Jetty server. Forget about all the complex plugins and PHP configuration settings in Apache. It is very fast to boot up and kill the process too, compared to Apache services.

So now I understand that I need to put the jar file on my server and connect the client to it, but why is it safer than other solutions?
The path where you store the jar file is not publicly accessible. The server has protected it. You can't type /<root>/home/jrdc/server.jar in your browser to access it.
Not sure about "other solutions". If you talk about PHP, index.php and all other PHP files are stored in the root and can be listed from the File Explorer. Generally, there is no viewable source code inside the root directory tree if we are using jRDC. There is no config.php storing the DB connection string and password inside the root directory that someone can directly view/edit.

I mean, the hacker could just search the server for the jar file, download it, extract it and get the config.properties file.
Right? Or am I wrong?
Yes, you are right. The config file is inside the jar file. If the hacker gains such access, he/she can read the username and password to access your database. In order for the hacker to access the server, he/she needs SSH access to the server. In production, the server administrator or developer should maintain a whitelist or restrict other IP addresses to harden the security. It is recommended to use a VPS compared to shared hosting.
One way I can think of is to store a password in the config file which is not the actual password to connect to the DB. You read the password, then use an encryption function to turn it into the actual password. The logic for the encryption is compiled in B4X.

The last sentence by Erel means that the client app only sends the request to the server with the command name and optional parameters. This is to prevent SQL injection. Instead of using GET with a query string, jRDC uses POST in bytes. In case a hacker is able to sniff and analyze the packets that travel between the client and server, it is at least not in clear text. The bytes need to be serialized using B4XSerializator before they can be read by a human. If we use SSL, then it will become much harder for the hacker. In PHP, we write the SQL queries inside the PHP file. It is easier to read what tables and fields are used, unless we store the queries as stored procedures inside the database.

I hear Erel saying a lot that the best solution is to use jRDC2
In many cases, it is recommended to use jRDC2. Some of the reasons are mentioned above. For B4X developers, it is easier to use a single language if he/she is not familiar with another language like PHP. Even for me, who knows a little about PHP, it may be troublesome to develop another PHP application, run it in Laragon WAMP and then switch my mind from PHP syntax to B4X for the client. We are talking about B4X, so we are welcome to ask about this language in this forum. Otherwise you have to visit another PHP forum or search on Google and come back with a lot of StackOverflow solutions, of which we are not sure which one might work. We know that the B4X community is much, much more friendly here. :)
 
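The two points in aeric's answer, credentials and SQL kept in a properties file that is never web-served (mangojack's "config outside the public directory" idea), and clients that send only a command name plus parameters so SQL text is never assembled from their input, can be shown in a few lines. The block below is an added example written for this thread, not code from jRDC2 or from any poster; it uses Python with an in-memory SQLite table, a constructed config text in the key=value style jRDC2's config.properties uses (the sql.<name>= convention is assumed from that file format, the values are made up), and contrasts a concatenated query with the command-dispatch pattern.

```python
import sqlite3

# Constructed config text in the key=value style of a Java properties file.
# jRDC2 keeps its SQL statements in config.properties as sql.<name>=<statement>;
# the names and values below are assumptions for this example, not real settings.
CONFIG_TEXT = """
# connection settings (the real file lives outside any web-served directory)
User=app_user
Password=placeholder-not-a-real-password
sql.select_animals=SELECT id, name FROM animals WHERE name = ?
sql.insert_animal=INSERT INTO animals (name) VALUES (?)
"""


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def load_commands(props):
    """Expose only the sql.* entries to clients, keyed by their short name.
    Credentials stay in the server process and never reach the command table."""
    return {k[len("sql."):]: v for k, v in props.items() if k.startswith("sql.")}


COMMANDS = load_commands(parse_properties(CONFIG_TEXT))


def make_db():
    """Constructed sample table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE animals (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO animals (name) VALUES (?)",
                     [("cat",), ("dog",), ("eel",)])
    conn.commit()
    return conn


def run_command(conn, name, params):
    """Server-side dispatch: the client names a command and supplies values only.
    Unknown names are refused, and values are bound as parameters, never spliced in."""
    if name not in COMMANDS:
        raise ValueError("unknown command: %r" % name)
    sql = COMMANDS[name]
    if sql.count("?") != len(params):
        raise ValueError("wrong parameter count for %r" % name)
    cur = conn.execute(sql, params)
    if sql.lstrip().upper().startswith("SELECT"):
        return cur.fetchall()
    conn.commit()
    return cur.rowcount


def run_concatenated(conn, animal_name):
    """The pattern aeric contrasts with: SQL text assembled from client input.
    Kept here only to show why the dispatch table above exists."""
    return conn.execute(
        "SELECT id, name FROM animals WHERE name = '" + animal_name + "'"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print(run_concatenated(db, probe))                # every row comes back
    print(run_command(db, "select_animals", [probe]))  # no row has that literal name
```

Running the module shows the difference directly: the concatenated query returns the whole table for the probe string, while the same string passed through run_command is bound as a plain value and matches nothing. The command table also refuses names it does not know, which is the property Erel's "SQL commands are set in the server side" remark relies on.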

Erel

Administrator
Staff member
Licensed User
Great answer. I will summarize:

1. A properly written PHP script is secure.
2. jRDC2 is also secure.
3. There are fewer pitfalls to fall into with jRDC2.
4. If a hacker has access to the server files then he / she has access to all the data.
5. jRDC2 performance is excellent.
 

tigrot

Well-Known Member
Licensed User
I have added some features to jRDC2 and it works very well for my CN part program administrator, which is now able to run on a smartphone. It's well written and simple to modify. I have added plain text read and write (to modify and save part programs).
 

amorosik

Well-Known Member
Licensed User
Sorry for my ignorance, but I hear a lot of people saying that using PHP is not safe to connect to a MySQL DB.
And I hear Erel saying a lot that the best solution is to use jRDC2. So I tried it and watched his whole tutorial here.

I must say that I was surprised that everything worked. So I managed to run the example and it works fine.
So now I understand that I need to put the jar file on my server and connect the client to it, but why is it safer than other solutions?

I mean, the hacker could just search the server for the jar file, download it, extract it and get the config.properties file.
Right? Or am I wrong?

PHP and jRDC2 are tools.
Safety is not inherent in the tool, but in the use that is made of that tool.
As they say, "is a knife a safe tool?"
For a surgeon it is a safe tool.
For a child it is an unsafe tool.
 

Magma

Well-Known Member
Licensed User
I have a lot of web servers / VPS / dedicated... and monitor some of them.... The Internet will always be insecure.... and every day I learn that we can't be SURE of anything :-(

PS: hackers from every place on earth are trying every second / actually every ms - especially at static IPs / domains !!!!!!!!! Flooding and brute force will always be here :-(
 

KMatle

Expert
Licensed User
I prefer PHP because here you can add a lot of logic. Examples: user credentials, encryption, RSA sign & verify messages, sending mails, FCM messages and so on. PHP is a standard which runs on almost any platform.

jRDC is just DB access.
 

ilan

Expert
Licensed User
The logic is written in the server app.
PHP is also great for it. I use both in different projects. The benefit with PHP is that you can run it on shared hosting, not like a B4J server. The downside is that it's a completely different language than Java or JS and of course B4X. The syntax is a little bit complicated.
 

tigrot

Well-Known Member
Licensed User
The logic is written in the server app.
PHP is also great for it. I use both in different projects. The benefit with PHP is that you can run it on shared hosting, not like a B4J server. The downside is that it's a completely different language than Java or JS and of course B4X. The syntax is a little bit complicated.
I love PHP, it's so simple to use and a few sentences build a service. My support for apps is built entirely on it, since they work on shared hosts.
 

EnriqueGonzalez

Well-Known Member
Licensed User
My 2 cents on this thread: security depends on the developer and on the user, not on the language/library/OS/VM they are using. If the developer uses bad practices, the system will be insecure.

Security is already so tight when applying the correct measures that we developers must focus on UX rather than actual security mechanics; this is because the easier it is for the user to apply security within our systems, the safer these will be.
 

oparra

Well-Known Member
Licensed User
The logic is written in the server app.
PHP is also great for it. I use both in different projects. The benefit with PHP is that you can run it on shared hosting, not like a B4J server. The downside is that it's a completely different language than Java or JS and of course B4X. The syntax is a little bit complicated.
There are many RESTful API frameworks that you can use for PHP, Node, Java, .NET, etc.,

and you don't need to be an expert developer to use them.
 

oparra

Well-Known Member
Licensed User
bad.
public WWW directory, but the PHP config file (with credentials) is stored outside of the public directory root and called by the working script with the "include" keyword.
You must put your project in an alias or virtual directory with restricted access permissions.
 