PHP coders help pls ---

Douglas Farias · Nov 6, 2014

PHP:

<?

$databasehost = "localhost";
$databasename = "";
$databaseusername ="";
$databasepassword = "";

$con = mysql_connect($databasehost,$databaseusername,$databasepassword) or die(mysql_error());
mysql_select_db($databasename) or die(mysql_error());
mysql_query("SET CHARACTER SET utf8");
$query = file_get_contents("php://input");
$sth = mysql_query($query);

if (mysql_errno()) {
    header("HTTP/1.1 500 Internal Server Error");
    echo $query.'\n';
    echo mysql_error();
}
else
{
    $rows = array();
    while($r = mysql_fetch_assoc($sth)) {
        $rows[] = $r;
    }
    print json_encode($rows);
}
?>

how can i protect this file for use on my apps?
this code is on many tutorials on the forum, many times i see this code on the forum
but this code is not safe, how to make this safe?
have a way to only my app can use this file on my site? and not all users
site.com/file.php << can i block this for all users and only my app can use this?

pls help me *-* what can i make to total protect this files and made my querys safe?

http://www.b4x.com/android/forum/threads/connect-android-to-mysql-database-tutorial.8339/#content

http://www.b4x.com/android/forum/th...tputils2-part-3-php-mysql-json.42663/#content

WAZUMBi · Nov 6, 2014

Why is it not safe?

WAZUMBi · Nov 6, 2014

You should check out
http://www.w3schools.com/php/

This is by far the best resource for PHP and SQL programming. I use this site almost daily.

Douglas Farias · Nov 6, 2014

PHP:

mysql_query("SET CHARACTER SET utf8")
$query = file_get_contents("php://input"); // this line is note safe

abhishek007p · Nov 6, 2014

Douglas Farias said:
PHP:

<? $databasehost = "localhost"; $databasename = ""; $databaseusername =""; $databasepassword = ""; $con = mysql_connect($databasehost,$databaseusername,$databasepassword) or die(mysql_error()); mysql_select_db($databasename) or die(mysql_error()); mysql_query("SET CHARACTER SET utf8"); $query = file_get_contents("php://input"); $sth = mysql_query($query); if (mysql_errno()) { header("HTTP/1.1 500 Internal Server Error"); echo $query.'\n'; echo mysql_error(); } else { $rows = array(); while($r = mysql_fetch_assoc($sth)) { $rows[] = $r; } print json_encode($rows); } ?>

how can i protect this file for use on my apps?
this code is on many tutorials on the forum, many times i see this code on the forum
but this code is not safe, how to make this safe?
have a way to only my app can use this file on my site? and not all users
site.com/file.php << can i block this for all users and only my app can use this?

pls help me *-* what can i make to total protect this files and made my querys safe?

http://www.b4x.com/android/forum/threads/connect-android-to-mysql-database-tutorial.8339/#content

http://www.b4x.com/android/forum/th...tputils2-part-3-php-mysql-json.42663/#content

how about passing your apllication id when you request (com.yourappname...etc.) or a secret key to verify the request is coming from your app?..

EDIT: nevermind, i think this is problem is not related to b4a right?.. haha

Douglas Farias · Nov 6, 2014

PHP:

<?

// Connection Array
$mysql = array(
    'dbserver' => "localhost",
    'database' => "",
    'username' => "",
    'password' => "");

// Connect To Database
$con = mysql_connect($mysql['database'], $mysql['username'], $mysql['password']) or die(mysql_error());
mysql_query("SET CHARACTER SET utf8");

// Sanitize Input
function anti_inject($input) {
    $input = preg_replace("/[^a-zA-Z0-9]/", "", $input);
    return $input;
}

// Execute Code
$action = anti_inject($_POST['action']);

switch ($action) {
    case 1:
        $query = "SELECT * FROM series";
        break;
    case 2:
        $query = "SELECT * FROM something";
        break;
}

$sth = mysql_query($query);

if (mysql_errno()) {
    header("HTTP/1.1 500 Internal Server Error");
    echo $query.'\n';
    echo mysql_error();
} else {
    $rows = array();
    while($r = mysql_fetch_assoc($sth)) {
        $rows[] = $r;
    }
    print json_encode($rows);
}

?>

i make this but i dont think this is totaly safe

Douglas Farias · Nov 6, 2014

how about passing your apllication id when you request (com.yourappname...etc.) or a secret key to verify the request is coming from your app?..

EDIT: nevermind, i think this is problem is not related to b4a right?.. haha

all apps with the original code can be hacked xD
only use a packet tracer get the url and make a party xD

WAZUMBi · Nov 6, 2014

Again I am not seeing why you don't think this code is safe.

"php://input" gets the POST date as a single string.

Some of the examples you referred to are bad in that some are sending the SQL query from the app directly to the server.

Hence the use of

B4X:

$query = file_get_contents("php://input");
$sth = mysql_query($query);

This of course is a very bad idea.

You can use php://input to get your post data as a single string and then parse it but you are only sending one variable - action.

DonManfred · Nov 6, 2014

WAZUMBi said:
Again I am not seeing why you don't think this code is safe.

The complete sql-statement is send from within app. Easy to decompile apkand get more infos about databasestructure.
It is OPEN for SQL-Injections of any kind too

See this too http://xkcd.com/327/

DonManfred · Nov 6, 2014

Have a look at this post too

WAZUMBi · Nov 6, 2014

I don't see any injection here. He is using 'action' as a key to select to proper query however it is not acually used in the query.

A good choice would be if the key is not valid then simple exit the script.
I would add:

B4X:

switch ($action) {
    case 1:
        $query = "SELECT * FROM series";
        break;
    case 2:
        $query = "SELECT * FROM something";
        break;
     default:
        die();
}

DonManfred · Nov 6, 2014

WAZUMBi said:
I don't see any injection here.

Someone can easily sniff database-statements and can easy use his own statement. In this case no need to inject something. If i want i just need to just send ANY sqlstatement to the php and the php will run it for me.

B4X:

$query = file_get_contents("php://input");

DROP TABLE series;DROP TABLE something;

WAZUMBi · Nov 6, 2014

Absolutely correct.

That's why sending complete SQL statements is very bad.
I've never really seen the practical purpose of using
php://input
for this anyways.

I've said before never send somplete SQL statements. This is just wrong.
You are exposing your database structure.

Why not just send the individual parameters and then validate them server side?
Even then select only the columns you need.

Only return the individual results. I suppose this is where JSON may fail in this case.
I create custom return strings and separate the results with custom separators such as '???' or something else random like '[!->'.
I then parse the result in the app. This hides any possible columns or datase parameters.

Also, why enable your database user to DROP ANYTHING from an app in the first place?
He needs to limit the user access to his database.

PHP coders help pls ---

Douglas Farias

Expert

WAZUMBi

Well-Known Member

WAZUMBi

Well-Known Member

Douglas Farias

Expert

abhishek007p

Active Member

Douglas Farias

Expert

Douglas Farias

Expert

WAZUMBi

Well-Known Member

DonManfred

Expert

DonManfred

Expert

WAZUMBi

Well-Known Member

DonManfred

Expert

WAZUMBi

Well-Known Member

PHP coders help pls *-*-*-*

Expert

Well-Known Member

Well-Known Member

Expert

Active Member

Expert

Expert

Well-Known Member

Expert

Expert

Well-Known Member

Expert

Well-Known Member

PHP coders help pls ---