
Restricting access to a PHP file

I'm currently writing an Android app at the moment, that accesses a PHP file on my server and displays JSON data provided by my MySQL database.

Everything works great and I love the simplicity of it, but I'm not too comfortable with the fact that someone could just type in the URL of this PHP file and be presented with a page full of potentially sensitive data.

What advice would you give me to prevent access to this PHP file from anyone except those using my Android app?

Thanks very much for any information.

The keyword is authentication. HTTP authentication is designed just for that purpose!

There are 2 forms of HTTP auth:

  1. Basic: easy to set up, less secure
  2. Digest: harder to set up, more secure

    • Here is the PHP manual.
    • And this is what you can do in your Android app.
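A minimal server-side check of the kind this answer describes, as an added example that is not from the original answer: the PHP endpoint refuses to emit the JSON unless the request carries valid HTTP Basic credentials. The `APP_USER` constant, the `APP_PASS_HASH` environment variable and the `getRows()` helper are placeholders, not anything from the question.

```php
<?php
// Added example: gate data.php behind HTTP Basic authentication.
// Basic auth only base64-encodes the password, so this endpoint must be
// served over HTTPS; otherwise the credentials travel in clear text.
const APP_USER = 'android-app';   // placeholder user name

function requireBasicAuth(): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    // The bcrypt hash comes from the environment, generated once with
    // password_hash('<secret>', PASSWORD_DEFAULT); no clear-text password
    // is stored on the server or in the script.
    $storedHash = getenv('APP_PASS_HASH') ?: '';

    // hash_equals() compares in constant time, password_verify() checks
    // the bcrypt hash. Failing either path returns the same 401 so the
    // response does not reveal which part was wrong.
    $ok = $storedHash !== ''
        && hash_equals(APP_USER, $user)
        && password_verify($pass, $storedHash);

    if (!$ok) {
        header('WWW-Authenticate: Basic realm="api"');
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'unauthorized']);
        exit;
    }
}

function getRows(): array
{
    // Hypothetical stand-in for the MySQL query the question refers to.
    return [['id' => 1, 'name' => 'constructed sample row']];
}

requireBasicAuth();
header('Content-Type: application/json');
echo json_encode(getRows());
```

PHP fills `$_SERVER['PHP_AUTH_USER']` and `PHP_AUTH_PW` when it runs as an Apache module or under PHP-FPM; under plain CGI the `Authorization` header has to be read and base64-decoded by hand.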

There isn't really a fool-proof way to do this. However, you can require the user agent to match that of your application. You can also hide a private key in your application that is passed as POST data to your PHP file. Now, neither of these will stop someone who is determined to get at the raw output, but it will slow down the people who are just screwing around killing a little time seeing what they can accomplish.

Why not only enable a valid response if the request is sent with the following header:

Content-Type=application/json

If the request doesn't pass it as the Content-Type, then you just terminate the script (as regular browsers usually want to get text/html or similar things). It's not really worth locking everything tight shut, as if your app can get the data from your server, any user would have the opportunity too.
