Android Question Security issue for connection to mysql with a php file

tufanv

Expert
Licensed User
Longtime User
Hello,

I have asked this question before, some people gave some ideas but I couldnt truly understand what to do to maintain the security of my mysql server via connection via php.

This situation is this :
I have a php file on the server and also at the same server the mysql db. I directly pass the statement to sql server via php. I have only a little security which i am having troubles stopping people do unathorized things. I edited the php ( with a help of my friend ) to accept only the queries starting with a passcode for example " 123456SELECET * from tblcars" is accepted not "select * from tblcars".
But still having problems. I think it is not a good protection:)

Erel , in his tutorial says that "You have several options for the web service implementation. You can create several prepared statements which will be filled with parameters passed in the request".Now, in my previous topic, people said that anyone can sniff the code inside your app. The thing I do not understand is , if anyone can sniff the code in my app than he can also sniff the filling paramters as Erel suggested and pass any request that way.

I need a strong solution for this. For example can defining a password in proceses globals as string and sending queries with this string be successful or what can I do ?

I really need suggesstions. ( I know Erel will come and say use RDC but i cant change the whole code because at the begining of the project i didnt coose to use rdc :/ )

also, if I use a php in a server that uses https ( ssl ) is it secure to send query with a passcode i provided a example above ?
Thank you
 
Last edited:

WAZUMBi

Well-Known Member
Licensed User
Longtime User
Encode passwords.
Don't send query strings with the actual sql statement. Only send variables.
Give your variables different names. Don't use the column names in your table.
Use JSON.
Validate all user input on the server side.
 
Upvote 0

tufanv

Expert
Licensed User
Longtime User
I am using all kinds of statements Erel like DELETE , INSERT so with sniffing variables they can also do the same harm i think

I am switching to SSL so i will use https with the password i have mentioned above ? can it work for a better security than the current one ?
Instead of sending the SQL statements you can write the statements in the PHP script and only send the statement "id".

This way hackers will not be able to execute statements other than the ones you defined in your script.
 
Upvote 0

WAZUMBi

Well-Known Member
Licensed User
Longtime User
Are you are sending (and therefore storing in the app code) your database password and user name in the app?
Even if you encode it first this is VERY BAD! .

Your password and user name must only be accessed from the server side.
You have no reason to send or store this information from the app.

Your app customer passwords and user names must be encoded first on the app before sending and then verified on the server side.
 
Upvote 0

tufanv

Expert
Licensed User
Longtime User
Hello Thanks for answers. No I am not storing the passwords in my app. it is in the php. The passcode i am talking about it , i edited te php file to accept only queries starting with the passcode. so i send passcode and query together to php.

Are you are sending (and therefore storing in the app code) your database password and user name in the app?
Even if you encode it first this is VERY BAD! .

Your password and user name must only be accessed from the server side.
You have no reason to send or store this information from the app.

Your app customer passwords and user names must be encoded first on the app before sending and then verified on the server side.
 
Upvote 0

mc73

Well-Known Member
Licensed User
Longtime User
I never send statements. As Erel mentioned above, a good practice is to only send parameters. When they arrive at the server, there should be checks for injections. Another thing that I do, is limiting the length of the parameters, again to avoid injections. Nothing can be 100% safe, on the contrary, if one skillful guy decides to, she can always make damage.
 
Upvote 0

WAZUMBi

Well-Known Member
Licensed User
Longtime User
I can see how this can be confusing and over simplified to inexperienced developers.
The HTTP tutorial does include full queries that are sent to the server which of course is bad.
Most of us see this as being a simple example but to someone not familiar with the topics...:confused:
 
Upvote 0

tufanv

Expert
Licensed User
Longtime User
Ok i will stay with just switching ti https instead of http and pray :)
I can see how this can be confusing and over simplified to inexperienced developers.
The HTTP tutorial does include full queries that are sent to the server which of course is bad.
Most of us see this as being a simple example but to someone not familiar with the topics...:confused:
 
Upvote 0

sirjo66

Well-Known Member
Licensed User
Longtime User
I was the same problem and I solved in this mode:

In client source:
1) prepare the complete SQL command in a string variabile
2) define a password, for example "123456"
3) calculate MD5 of "123456" & "my SQL command"
4) send the request to server with GET or POST in this mode:
http://myserveraddress.com/execute.php?sql=my complete SQL command&chk=my MD5 value

For each SQL command, MD5 value change

On server, in the execute.php program, I do the same control.
Take the sql command, concat with password, calculate MD5 and if it is not the same value I abort the command

If the user don't know password, he can't send any SQL command, and also, if he sniff the communication, he can't read the real password

Sergio
 
Upvote 0

tufanv

Expert
Licensed User
Longtime User
Thank you Sergio !
I was the same problem and I solved in this mode:

In client source:
1) prepare the complete SQL command in a string variabile
2) define a password, for example "123456"
3) calculate MD5 of "123456" & "my SQL command"
4) send the request to server with GET or POST in this mode:
http://myserveraddress.com/execute.php?sql=my complete SQL command&chk=my MD5 value

For each SQL command, MD5 value change

On server, in the execute.php program, I do the same control.
Take the sql command, concat with password, calculate MD5 and if it is not the same value I abort the command

If the user don't know password, he can't send any SQL command, and also, if he sniff the communication, he can't read the real password

Sergio
 
Upvote 0

sirjo66

Well-Known Member
Licensed User
Longtime User
For example, your execute.php may start with:
B4X:
$md5 = md5("123456".$_GET['sql']);

if ($md5 != strtolower($_GET['chk'])) {
   echo "E\nError in chk\nParameter chk not correct\n";
   return;
}

........ execute the command ........
 
Upvote 0

KMatle

Expert
Licensed User
Longtime User
1. NEVER prepare complete SQL-statements inside the APP's code.
2. NEVER store any passwords hardcoded in your APP.

Reason: With some tools one can see the table names and all the culumn names. And probably the passwords, too. That is very problematic. Anyone can execute ANY Sql-Code (Because the script takes any SQL-Code).

To call a php script doing MySql call it with parameters:

B4X:
Dim Update As HttpJob
Update.Initialize("Update", Me)
Update.Download2("http://www.mysite/myphp.php", _
                           Array As String("Action", "Update", "Parm1", "Val1", "Parm2", "Val2"))

Inside the php script:

B4X:
switch ($action) {
    case "Update":
        $p1=$_GET["Parm1"];
        $p2=$_GET["Parm2"];

        $q = mysql_query("Update xxx SET ...WHERE ...");

Clean all Parameters against "bad commands" (SQL-Injection)

B4X:
$p1=mysql_real_escape_string(urldecode($_GET['Parm1']));
$p2=mysql_real_escape_string(urldecode($_GET['Parm2']));

Another idea:

All users of your app have to register and must log in. With the ip-address he/she has while logging in you can check if the device sendig requests is ok.
 
Upvote 0
Top