Hello,
I have asked this question before; some people gave some ideas, but I couldn't truly understand what to do to maintain the security of my MySQL server via a connection via PHP.
The situation is this:
I have a PHP file on the server and, on the same server, the MySQL DB. I directly pass the statement to the SQL server via PHP. I have only a little security, and I am having trouble stopping people from doing unauthorized things. I edited the PHP (with the help of a friend) to accept only queries starting with a passcode; for example "123456SELECT * from tblcars" is accepted, not "select * from tblcars".
But I am still having problems. I think it is not good protection.
Erel, in his tutorial, says that "You have several options for the web service implementation. You can create several prepared statements which will be filled with parameters passed in the request". Now, in my previous topic, people said that anyone can sniff the code inside your app. The thing I do not understand is, if anyone can sniff the code in my app, then he can also sniff the filling parameters as Erel suggested and pass any request that way.
I need a strong solution for this. For example, can defining a password in Process_Globals as a string and sending queries with this string be successful, or what can I do?
I really need suggestions. (I know Erel will come and say use RDC, but I can't change the whole code because at the beginning of the project I didn't choose to use RDC :/)
Also, if I use PHP on a server that uses HTTPS (SSL), is it secure to send a query with a passcode as in the example I provided above?
Thank you
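The prepared-statement approach Erel's tutorial describes, as an added example that is neither the poster's PHP nor Erel's own code: the client never sends SQL (with or without a passcode); it names one of a fixed set of actions and supplies parameters, and the server binds those parameters into a statement it wrote itself. The table name `tblcars` comes from the post; the column names, action names, database name and credentials are placeholders.

```php
<?php
// Added example (not from the original post or from Erel's tutorial).
// Hypothetical web service for the poster's "tblcars" table: instead of
// accepting raw SQL prefixed with a passcode, the client sends an action
// name plus parameters, and the server maps each action to a fixed
// prepared statement. A caller who has read the app's code still cannot
// run any SQL the server did not write.

// Assumed connection details (placeholders, not real credentials).
$pdo = new PDO(
    'mysql:host=localhost;dbname=carsdb;charset=utf8mb4',
    'app_user',
    'APP_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Every allowed operation is listed here; nothing else is reachable.
// Column names are assumed for the example.
$actions = [
    'list_cars' => ['sql' => 'SELECT id, make, model FROM tblcars WHERE make = ? LIMIT 100',
                    'params' => ['make']],
    'get_car'   => ['sql' => 'SELECT id, make, model, price FROM tblcars WHERE id = ?',
                    'params' => ['id']],
];

$action = $_POST['action'] ?? '';
if (!isset($actions[$action])) {
    http_response_code(400);
    exit(json_encode(['error' => 'unknown action']));
}

// Collect only the parameters the chosen statement expects, in order.
$values = [];
foreach ($actions[$action]['params'] as $name) {
    if (!isset($_POST[$name])) {
        http_response_code(400);
        exit(json_encode(['error' => "missing parameter $name"]));
    }
    $values[] = $_POST[$name];
}

// Values are bound as data: a parameter containing SQL syntax is still just a string.
$stmt = $pdo->prepare($actions[$action]['sql']);
$stmt->execute($values);

header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

With this design, knowing what the app sends only lets a caller invoke the same fixed actions, so the passcode is no longer what protects the database. If some actions must be limited to particular users, check a per-user credential or session token before the action lookup and serve the endpoint over HTTPS so that token is not exposed in transit.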