PHP coders help pls *-*-*-*

Douglas Farias

Expert
Licensed User
Longtime User
PHP:
<?php

$databasehost = "localhost";
$databasename = "";
$databaseusername ="";
$databasepassword = "";

// Connect with the legacy mysql_* extension (removed in PHP 7)
$con = mysql_connect($databasehost,$databaseusername,$databasepassword) or die(mysql_error());
mysql_select_db($databasename) or die(mysql_error());
mysql_query("SET CHARACTER SET utf8");
// The raw POST body is taken as the SQL statement and executed as-is
$query = file_get_contents("php://input");
$sth = mysql_query($query);

if (mysql_errno()) {
    header("HTTP/1.1 500 Internal Server Error");
    echo $query."\n";   // double quotes so \n is a real newline
    echo mysql_error();
}
else
{
    $rows = array();
    while($r = mysql_fetch_assoc($sth)) {
        $rows[] = $r;
    }
    print json_encode($rows);
}
?>

How can I protect this file for use in my apps?
This code is in many tutorials on the forum; I have seen this code on the forum many times,
but this code is not safe. How do I make it safe?
Is there a way so that only my app can use this file on my site, and not all users?
site.com/file.php << can I block this for all users so that only my app can use it?

pls help me *-* What can I do to totally protect these files and make my queries safe?


http://www.b4x.com/android/forum/threads/connect-android-to-mysql-database-tutorial.8339/#content

http://www.b4x.com/android/forum/th...tputils2-part-3-php-mysql-json.42663/#content
 

Douglas Farias

Expert
Licensed User
Longtime User
PHP:
mysql_query("SET CHARACTER SET utf8");
$query = file_get_contents("php://input"); // this line is not safe
 

abhishek007p

Active Member
Licensed User
Longtime User

How about passing your application id when you request (com.yourappname...etc.) or a secret key to verify the request is coming from your app?..

EDIT: never mind, I think this problem is not related to B4A, right?.. haha
 

Douglas Farias

Expert
Licensed User
Longtime User
PHP:
<?php

// Connection Array
$mysql = array(
    'dbserver' => "localhost",
    'database' => "",
    'username' => "",
    'password' => "");

// Connect To Database (the host is 'dbserver', not 'database') and select the schema
$con = mysql_connect($mysql['dbserver'], $mysql['username'], $mysql['password']) or die(mysql_error());
mysql_select_db($mysql['database']) or die(mysql_error());
mysql_query("SET CHARACTER SET utf8");

// Sanitize Input: keep only letters and digits
function anti_inject($input) {
    $input = preg_replace("/[^a-zA-Z0-9]/", "", $input);
    return $input;
}

// Execute Code: 'action' only selects one of the fixed queries below
$action = anti_inject(isset($_POST['action']) ? $_POST['action'] : '');

switch ($action) {
    case 1:
        $query = "SELECT * FROM series";
        break;
    case 2:
        $query = "SELECT * FROM something";
        break;
}
// no default case: $query stays undefined for any other action

$sth = mysql_query($query);

if (mysql_errno()) {
    header("HTTP/1.1 500 Internal Server Error");
    echo $query."\n";
    echo mysql_error();
} else {
    $rows = array();
    while($r = mysql_fetch_assoc($sth)) {
        $rows[] = $r;
    }
    print json_encode($rows);
}

?>

I made this, but I don't think it is totally safe.
 

Douglas Farias

Expert
Licensed User
Longtime User
How about passing your application id when you request (com.yourappname...etc.) or a secret key to verify the request is coming from your app?..

EDIT: never mind, I think this problem is not related to B4A, right?.. haha

All apps with the original code can be hacked xD
Just use a packet tracer, get the URL and make a party xD
 

WAZUMBi

Well-Known Member
Licensed User
Longtime User
Again I am not seeing why you don't think this code is safe.

"php://input" gets the POST data as a single string.

Some of the examples you referred to are bad in that some are sending the SQL query from the app directly to the server.

Hence the use of
B4X:
$query = file_get_contents("php://input");
$sth = mysql_query($query);
This of course is a very bad idea.

You can use php://input to get your POST data as a single string and then parse it, but you are only sending one variable: action.
 

DonManfred

Expert
Licensed User
Longtime User
Again I am not seeing why you don't think this code is safe.
The complete SQL statement is sent from within the app. Easy to decompile the APK and get more info about the database structure.
It is OPEN for SQL injections of any kind too.

See this too http://xkcd.com/327/
 

WAZUMBi

Well-Known Member
Licensed User
Longtime User
I don't see any injection here. He is using 'action' as a key to select the proper query; however, it is not actually used in the query.

A good choice would be: if the key is not valid, then simply exit the script.
I would add:
B4X:
switch ($action) {
    case 1:
        $query = "SELECT * FROM series";
        break;
    case 2:
        $query = "SELECT * FROM something";
        break;
    default:
        die();
}
 

DonManfred

Expert
Licensed User
Longtime User
I don't see any injection here.
Someone can easily sniff database statements and can easily use his own statement. In this case there is no need to inject something. If I want, I just need to send ANY SQL statement to the PHP and the PHP will run it for me.
B4X:
$query = file_get_contents("php://input");
DROP TABLE series;DROP TABLE something;
:D
 

WAZUMBi

Well-Known Member
Licensed User
Longtime User
Absolutely correct.

That's why sending complete SQL statements is very bad.
I've never really seen the practical purpose of using php://input for this anyways.

I've said before: never send complete SQL statements. This is just wrong.
You are exposing your database structure.

Why not just send the individual parameters and then validate them server side?
Even then select only the columns you need.

Only return the individual results. I suppose this is where JSON may fail in this case.
I create custom return strings and separate the results with custom separators such as '???' or something else random like '[!->'.
I then parse the result in the app. This hides any possible columns or database parameters.

Also, why enable your database user to DROP ANYTHING from an app in the first place?
He needs to limit the user access to his database.
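As an added example (not code from the thread or from the B4X tutorials), here is the shape the replies converge on: a fixed action whitelist with a default exit, server-side validation of each parameter, only the needed columns, a prepared statement, the application-key check abhishek007p suggested, and errors logged instead of echoed. Assumptions: a `series` table with columns `id` and `name`, the secret in an `APP_SECRET` environment variable that the app sends in an `X-App-Key` header, and a MySQL user `app_ro` holding SELECT only, as DonManfred and WAZUMBi advise.

```php
<?php
// Added example, not code from the thread. Hardened shape of the endpoint discussed above:
// the app sends an action name plus parameters, never SQL. Assumed: table `series`
// with columns id and name, env APP_SECRET, and a MySQL user limited to SELECT, e.g.
//   GRANT SELECT ON mydb.series TO 'app_ro'@'localhost';

header('Content-Type: application/json');

// 1. Shared secret sent by the app in the X-App-Key header, compared in constant time.
$secret = getenv('APP_SECRET') ?: '';
$sent   = $_SERVER['HTTP_X_APP_KEY'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $secret === '' || !hash_equals($secret, $sent)) {
    http_response_code(403);
    exit(json_encode(['error' => 'forbidden']));
}

// 2. Whitelist: every query lives here; only needed columns, placeholders for values.
$actions = [
    'list_series' => 'SELECT id, name FROM series ORDER BY name',
    'get_series'  => 'SELECT id, name FROM series WHERE id = ?',
];
$action = $_POST['action'] ?? '';
if (!isset($actions[$action])) {          // unknown action: stop, reveal nothing
    http_response_code(400);
    exit(json_encode(['error' => 'bad request']));
}

// 3. Validate each parameter server side before it reaches the database.
$params = [];
if ($action === 'get_series') {
    $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit(json_encode(['error' => 'bad request']));
    }
    $params[] = $id;
}

// 4. Prepared statement: values are bound, never concatenated into the SQL text.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'app_ro', getenv('DB_PASSWORD') ?: '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $stmt = $pdo->prepare($actions[$action]);
    $stmt->execute($params);
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (PDOException $e) {
    error_log($e->getMessage());          // details stay in the server log
    http_response_code(500);              // never echo the query or DB error to the client
    echo json_encode(['error' => 'server error']);
}
```

A key shipped inside the APK can be recovered by anyone who decompiles it, as DonManfred notes, so the header check only filters casual callers; the whitelist, the prepared statement and the read-only database user are what actually limit the damage. Serve the endpoint over HTTPS so neither the key nor the data is visible to a packet sniffer.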
 