简体繁体 English

mySQL之间安全地传输数据

[英]Securely transfer data between iOS -> php -> mySQL

原文 2014-09-26 01:40:03 9 3 php/ mysql/ ios/ security/ web

Basically I have the iOS app that sends a POST request to a php file on my website containing its location, and then the php file connects/sends that to the mySQL database, and vice-versa. 基本上，我有一个iOS应用程序，它将POST请求发送到包含其位置的网站上的php文件，然后php文件将其连接/发送到mySQL数据库，反之亦然。 Everything works fine, etc. but what I really want is a way to make sure nobody can make some bogus script sending a POST request to my php file, and infiltrating the database. 一切正常，等等。但是我真正想要的是确保没有人可以制作一些假脚本来向我的php文件发送POST请求并渗透数据库。

My first thought was to have some sort of "key" that would also be sent to check if it matches the one in the php file. 我的第一个想法是拥有某种“钥匙”，该钥匙也将被发送来检查它是否与php文件中的钥匙匹配。 I could have it be something like this https://www.grc.com/passwords.htm . 我可以像这样https://www.grc.com/passwords.htm 。 Anyways, I worry that this isn't as secure (or efficient) as I might want. 无论如何，我担心这并没有我想要的安全（或有效）。 The person reviewing my code for acceptance into the App Store would see it, right? 查看我的代码以接受App Store的人会看到它，对吗？

Sorry if this is a stupid question, but what is the best way to ensure only I can send/receive data from the mySQL database (and thus the PHP file)? 抱歉，如果这是一个愚蠢的问题，但是确保仅我可以从mySQL数据库（从而从PHP文件）发送/接收数据的最佳方法是什么？

Thanks! 谢谢！

3 个解决方案

Jajaja "Sorry if this is a stupid question". Jajaja“对不起，如果这是一个愚蠢的问题”。 There is never a stupid question, unless you do not have the desire to learn. 除非您没有学习的欲望，否则永远不会有一个愚蠢的问题。

I also had a question like, and it's true that you want to secure the data that you manipulate because it is very important. 我也有一个类似的问题，您确实想保护要处理的数据，因为这非常重要。 You have to see both client side and server. 您必须同时看到客户端和服务器。

For example, in the client side: 例如，在客户端：

1) Are you sending data to the server so that this may not be legible? 1）您是否正在将数据发送到服务器，以使这可能难以辨认？

2) Are you using https? 2）您是否使用https？

Or in server: 或在服务器中：

1) Are you server is capable of recognizing when data arrives it reliable? 1）您的服务器能够识别数据何时到达可靠吗？

2) Do you use any algorithm encrypt for your data? 2）您是否使用任何算法对数据进行加密？ client encrypt and server descrypt or viceversa? 客户端加密和服务器解密，反之亦然？

Not always because they use a key, will be always safe. 并非总是因为他们使用密钥，所以总是安全的。 I hope that works for you and apologize for my English :) 希望对您有用，并为我的英语道歉:)

• Send it over SSL •通过SSL发送

• Implement SSL Pinning in your app •在您的应用程序中实现SSL固定

• Optionally hash all or parts of your data/query parameters, etc with a salt and pass this hash along with the rest. •（可选）使用盐对全部或部分数据/查询参数等进行哈希处理，并将此哈希值与其余哈希值一起传递。 On the server hash/salt the parameters/data etc and verify the salt matches. 在服务器上哈希/加盐参数/数据等，并验证盐是否匹配。 They would have to bypass ssl, your pinning, and then RE your app to extract the approach you took to applying your salt as well as the salt itself. 他们将不得不绕过ssl，您的固定，然后重新开发您的应用，以提取应用盐以及盐本身所采用的方法。 example here 这里的例子

• As for the php/server side you would want to sanitize anything going to mysql. •至于php / server端，您要清除所有要转到mysql的内容。 Example 例

This is a "start". 这是一个“开始”。

The crux of the question seems to be: "infiltrating the database". 问题的症结似乎是：“渗透数据库”。

Avoiding this is accomplished by never issuing user created commands to the db. 避免此问题的方法是从不向数据库发出用户创建的命令。 Intercept all user requests, parse, validate and extract the information. 拦截所有用户请求，解析，验证和提取信息。 If all is good your code makes a request to the db with sanitized parameters. 如果一切顺利，您的代码将使用经过清理的参数向数据库发出请求。

SSL will protect the data in transit. SSL将保护传输中的数据。 You also need to protect against an attacker that creates an attack request. 您还需要防止创建攻击请求的攻击者。