Android Question Sending SQL commands to remote server.

Derek Jee

Hi there

http://www.b4x.com/android/forum/threads/connect-android-to-ms-sql-server-tutorial.13166/

I am currently testing the above example which allows me to pass SQL to my API and execute it. This in turn replies with some results delivered in JSON format. My client is worried that there could be problems sending the direct SQL, down to SQL injections etc. They are even worried that someone could decompile the app and get to any encryption settings to get at data that way too, and maybe be able to send a delete all command (paranoia at its best, but I guess they are very security conscious). They also want me to send and receive the data in JSON format so no SQL is sent and the API is doing all of the rebuilding of it.

Just wondering if there was an example out there which fits my circumstances, just sending JSON both ways..

Thank you..


Derek.

JTmartins

You can try to store all the SQL queries in the script running on the server.

Each SQL query would be identified by a code (a string).

From your app you would do a POST with the code string.

Then on the server side you would do a GET to check the code and execute the appropriate SQL query, returning the appropriate JSON. Anything else sent to the server would be refused.

This is boring work, especially if you have lots of different queries, but it is safer than sending direct SQL queries. Also, if you do not need DELETEs or other stuff, ensure that the mSQL user used by the service is only granted the privileges needed. So if you just need to READ from the DBASE you should revoke the INSERT, UPDATE and DELETE privileges.

José

DonManfred

You need to write your own "bridge"... It could be, for example, a PHP script which gets the parameters as JSON, does the SQL logic and returns the result as JSON back to your app. All SQL logic (queries & co.) is inside the PHP script on your server. No chance for anyone who decompiles your app to get the SQL queries.
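José's "one code string per stored query" scheme and Manfred's JSON-in, JSON-out bridge are the same design: the server owns a fixed whitelist of parameterised queries, the app sends only a query name plus JSON parameter values, anything else is refused, and the database login can do no more than the API needs. The following is an added example of that bridge and is not code from this thread, from the B4X tutorial linked above, or from any B4X library. It is written in Python with SQLite so it runs offline; the thread's server side is ASP.NET or PHP, and the structure carries over directly. The query names, the `customers`/`orders` tables, the sample rows and the request bodies are all constructed for the example; the read-only connection (`mode=ro`) stands in for revoking INSERT/UPDATE/DELETE on the service's database user.

```python
"""Named-query bridge: the app never sends SQL, only a query name and JSON parameters."""
import json
import os
import sqlite3
import tempfile

# Server-side whitelist: query name -> (parameterised SQL, expected parameter types).
# The SQL text never leaves the server, so decompiling the app reveals nothing
# about the schema, and every value is bound as a parameter, never concatenated.
# Table names, columns and query names are constructed for this example.
QUERIES = {
    "customer_by_id": (
        "SELECT id, name, email FROM customers WHERE id = :id",
        {"id": int},
    ),
    "orders_for_customer": (
        "SELECT id, total FROM orders WHERE customer_id = :id AND total >= :min_total",
        {"id": int, "min_total": float},
    ),
}


def build_sample_db(path):
    """Create a small constructed dataset (not real data) at `path`."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
        INSERT INTO customers VALUES (1, 'Ada', 'ada@example.com'), (2, 'Bob', 'bob@example.com');
        INSERT INTO orders VALUES (10, 1, 25.0), (11, 1, 99.5), (12, 2, 5.0);
    """)
    conn.commit()
    conn.close()


def open_readonly(path):
    """Least privilege for a read-only API: the connection itself cannot write.
    On MySQL or MS SQL the equivalent is a dedicated login granted only SELECT."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def handle_request(conn, body):
    """Take the JSON body the app POSTed, return the JSON the app gets back."""
    try:
        req = json.loads(body)
    except ValueError:
        return json.dumps({"error": "body is not valid JSON"})
    if not isinstance(req, dict) or req.get("query") not in QUERIES:
        return json.dumps({"error": "unknown query"})  # raw SQL or unknown names are refused
    sql, schema = QUERIES[req["query"]]
    params = req.get("params", {})
    if not isinstance(params, dict) or set(params) != set(schema):
        return json.dumps({"error": "wrong parameters"})
    try:
        # Coerce each value to its declared type: "1 OR 1=1" is not an int and is rejected
        typed = {k: schema[k](v) for k, v in params.items()}
    except (TypeError, ValueError):
        return json.dumps({"error": "parameter has wrong type"})
    cur = conn.execute(sql, typed)  # bound parameters, never string-built SQL
    cols = [d[0] for d in cur.description]
    return json.dumps({"rows": [dict(zip(cols, row)) for row in cur.fetchall()]})


def demo():
    """Run a few constructed requests against a temporary read-only DB; return decoded replies."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        conn = open_readonly(path)
        out = {
            "ok": json.loads(handle_request(
                conn, '{"query": "orders_for_customer", "params": {"id": 1, "min_total": 50}}')),
            "raw_sql": json.loads(handle_request(
                conn, '{"query": "SELECT * FROM customers"}')),
            "injection": json.loads(handle_request(
                conn, '{"query": "customer_by_id", "params": {"id": "1 OR 1=1"}}')),
        }
        try:  # even a bug in the bridge could not turn this into a "delete all"
            conn.execute("DELETE FROM customers")
            out["delete_refused"] = False
        except sqlite3.OperationalError:
            out["delete_refused"] = True
        conn.close()
        return out
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The whitelist lives entirely on the server, so adding a query is a one-line change there and no app release. Note that the bridge validates structure and types but cannot decide who is allowed to call which query; that is the authentication and authorisation layer in front of it, and it should run over HTTPS so the JSON is not readable or replayable on the wire.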

Derek Jee

Thank you José and Manfred.. The one I have is in ASP.net which I will try to modify to suit. Thanks for the tips and I will just JSON it all and let the server do the work. Is it worth encrypting the strings I am sending both ways? I am looking forward to the boring bit, José ;-)

Thank you gents..


Derek.

Reviewnow

Consider using SOAP web services as a backend in your ASP.NET application model, along with authentication; you could then return XML or JSON over the HTTPS protocol.