Best way to upload a file with B4J to a server (supports HTML, PHP)?

Magma

Expert
Licensed User
Longtime User
Hi there...

What is the best and most secure way to upload a file from a B4J app (client) to a server (a web page, actually, that will not have the "power" to run a B4J app), using HTML/PHP... but with the best security we can get...

The data is under 2 KB... I thought I could POST it (I also thought of having ?username=xxxx&pass=xxxxxxxxx) and then write it to a DB as a record in a string field... but is that really the best way and the most secure?

Any idea...
 

hatzisn

Expert
Licensed User
Longtime User
What I have done is create my own encryption algorithm and implement it on both sides. Then I read the file into a byte array, encrypt this byte array and convert it to a base64 string, which I URL-encode and add to a JSON. Then I POST this JSON to the web page over HTTPS. The page gets the file's base64 string, URL-decodes it, turns it back into a byte array, decrypts it and writes it to the local directory (but it can be saved by turning the decrypted data back into base64 in a database).
 

hatzisn

Expert
Licensed User
Longtime User
The safer option is a database if the directory you save it in is accessible through the internet. I quit the ASP.NET shared hosting and moved to a VPS to which I have full access, so I can save it in a directory not accessible through the internet - no problem.
 

KMatle

Expert
Licensed User
Longtime User
Agree (with small file sizes). I exchange RSA keys to sign the data you post to the server (sign = to be sure that the data comes from xyz). The data itself is encrypted via AES256. In PHP you can decrypt it, check the signature and store it wherever you like. For bigger data I would store an index in the DB and store the file in a folder outside htdocs. So you have a small DB (think about backups, too) and one folder (here you can decide what to back up, like only today's files, because older ones have already been backed up).

Use a map (or a list of maps) converted to a JSON string. PHP (and any other language) can handle it very easily.
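As an added example (not code from the thread, from B4J or from PHP), here is the envelope KMatle describes sketched in Go: the client encrypts the file bytes with AES-256-GCM under a shared key, signs the ciphertext with its RSA private key, and packs both base64 strings into a JSON map; the server verifies the signature before it decrypts anything. The RSA key exchange, the shared 32-byte AES key and the HTTPS POST itself are assumed to happen outside this snippet, and the `Envelope` layout is a constructed one.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// Envelope is the JSON map the client POSTs over HTTPS (a constructed layout, not from the thread).
type Envelope struct {
	Data string `json:"data"` // base64(nonce || AES-256-GCM ciphertext+tag)
	Sig  string `json:"sig"`  // base64(RSA-PSS signature over those same bytes)
}
// Seal (client): encrypt the file under the shared key, then sign the ciphertext so the server can tell it came from xyz.
func Seal(file, aesKey []byte, signer *rsa.PrivateKey) ([]byte, error) {
	block, err := aes.NewCipher(aesKey) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per upload; never reuse one with this key
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	blob := gcm.Seal(nonce, nonce, file, nil) // nonce is prefixed so the server can find it
	h := sha256.Sum256(blob)
	sig, err := rsa.SignPSS(rand.Reader, signer, crypto.SHA256, h[:], nil)
	if err != nil { return nil, err }
	env := Envelope{Data: base64.StdEncoding.EncodeToString(blob), Sig: base64.StdEncoding.EncodeToString(sig)}
	return json.Marshal(env)
}

// Open (server): verify the signature before touching the ciphertext, then decrypt; GCM's tag also rejects any altered byte.
func Open(body, aesKey []byte, clientPub *rsa.PublicKey) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(body, &env); err != nil { return nil, err }
	blob, err1 := base64.StdEncoding.DecodeString(env.Data)
	sig, err2 := base64.StdEncoding.DecodeString(env.Sig)
	if err1 != nil || err2 != nil { return nil, errors.New("malformed envelope") }
	h := sha256.Sum256(blob)
	if err := rsa.VerifyPSS(clientPub, crypto.SHA256, h[:], sig, nil); err != nil { return nil, errors.New("signature check failed") }
	block, err := aes.NewCipher(aesKey)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n { return nil, errors.New("malformed envelope") }
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}
```

In PHP the same order of operations applies: check the signature first, decrypt only what passed, and store the plaintext (or its base64) in the DB or in a folder outside htdocs.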
 

EnriqueGonzalez

Expert
Licensed User
Longtime User
most secure way to upload a file from a b4j app
The only thing you can safely do is use HTTPS.

You may try to encrypt the file, but if you are using a predetermined password for that then it is useless; there is no feasible way to protect the password, any hacker can read the network, the system or any other solution you may come up with.

If you think that the password will be safe within the jar file, that would be completely incorrect. Even if you use a .so file or a .dll file it would be useless; any person can attach to a process in a Java machine and hear anything happening on it.

The best way is to ask the user to use their own password; that way you can encrypt on one side and decrypt on the other. Don't send the password; you should have it on your server.

Is it safe to be as a file in the directory or is it safer at a db ?
Both are unsafe if the server is vulnerable; if a hacker has access to the server, consider all the info stolen. If the hacker doesn't have access to the server then it's the same for both solutions.

but is it real the best way and the most secure ?
Yes! Just use HTTPS!! Any other stuff you may come up with is snake oil!

That being said, protect your server. Don't disclose your IP (hide it behind a proxy like Cloudflare); the firewall should always be restricted; any way to access the server (SFTP, SSH) should have the maximum restrictions possible.
 

Magma

Expert
Licensed User
Longtime User
What about using HTTPS + a custom certificate created by me (using it at the client too) + a DB?
 

EnriqueGonzalez

Expert
Licensed User
Longtime User
what about using https + with custom certificate
That is just HTTPS with extra steps, don't you think?
The custom certificate is good enough when you control the client and want it to be validated by the server.
But if you don't control the client you can't distribute the custom certificate.

As mentioned in my first post, it could be a text file where you store the data; if the server is compromised it doesn't matter where you stored the info.

Usually you want to store the info (doesn't matter where) encrypted. If it's a password then it should be hashed + salted + peppered (not my words lol); if it's important info, just salted and peppered (hashing is one-way encryption).
 