stackoom
  简体   繁体   中英

Secure communication between Objective-C application and MySQL with PHP

 原文  2014-05-21 15:56:29       php/ mysql/ objective-c

Question

I built an application in an objective c that performs user registration into DataBase (MYSQL) using PHP with METHOD - GET. Is there any way for me to know if the received parameters came through the app and not via computer or manually? I mean, anyone can discover the address of the server running the PHP code and embed some manually parameters as: reg.php?name=someuser&pass=password.

2 answers

solution1
 0  2014-05-21 16:09:35

The short answer is that yes, this is a security vulnerability.

Resolving this security vulnerability via $_POST Method

If you were to use the $_POST method instead, name and pass would be passed in the document's headers; going undetected in the URL. Then your web application could test for the presence of these variables, which would allow you to reject users who try to access the script from outside of your Obj-C app.

Better yet, also include a security token or hash parameter in the $_POST method, and test for the presence of that in your web application. On top of this, don't forget to clean your input before you allow it to touch your database, as an extra safety precaution.

Fixing further security issues & vulnerabilities

  • The web application might use HTTPS.
  • Should check for the presence of other environment variables to indicate if the client is accessing your website from the Obj-C environment.

solution2
 0  2014-05-21 16:09:49

If your application has some kind of secret token and you use HTTPS with certificate validation then it's less likely to be a problem.

Remember that the contents of your application can be read by the user if they're determined, and the contents of your API calls can be intercepted and examined with a proxy application if you're not careful to validate the SSL endpoint against known-good certificates.

Normally registrations are sent via POST, not GET.

You can either transmit the secret directly, as a sort of proof that you're using the Objective-C application, or to make it harder to discover, then by signing your request using something like SHA256 where that secret is a salt.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Secure communication between PHP and C# Secure socket communication between PHP and C++ JSON Objects between PHP and Objective-C secure communication between two application PHP to Objective-C Secure communication between a C# client and a PHP Server Communication between C++ and existing PHP application How to exchange data between Objective-C and PHP From PHP/MySQL/JSON to iOS/Objective-C/SQLite Display GET data from PHP MySQL in Xcode 8 (Objective-c)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM