Android Question ExecuteRemoteQuery: More Security?

KMatle

Expert
Licensed User
Longtime User
Hi guys,

I played a bit with ExecuteRemoteQuery and it works perfect. I was able to handle several tables. Very nice!

As it calls a php script which will execute any given SQL on my server I wonder how to get more security on this.

Someone could disassemble my code to get the names of the script called and the table structures.

Any suggestions for me?
 
Sort by date Sort by votes

DonManfred

Expert
Licensed User
Longtime User
I´m using the httputils2 too for all i need. But i dont put the SQLs into my app.

I just call a php script with some parameters.

B4X: 
  Dim Job As HttpJob
  Job.Initialize(dummy, Me)
  Job.JobName = "AddToCart"
  Job.Tag = akt_art.Get("artID")
  Job.download2("http://domain.tld/b4a.php", Array As String( _
           "action", "AddToCart", _
           "DeviceID", DeviceID, _
           "SimSerialNumber", SimSerialNumber, _
           "SubscriberID", SubscriberID, _
           "artID", akt_art.Get("artID"), _
           "lager", dropdown_lager.GetItem(dropdown_lager.SelectedIndex), _
           "anzahl", edt.Text _
         ))

i do everything like this one... Calling the php and give all parameters i need in php and return json from php.

i use the parameters
B4X: 
"DeviceID", DeviceID, _
"SimSerialNumber", SimSerialNumber, _
"SubscriberID", SubscriberID, _

to authenticate the call from our customerdatabase... Combinations of this three parameters (i get them from phone-library) which are unknow cannot use the app.

It´s a limited usergroup which uses my apps (i´m in community since 1 year) but for them this authentification works fine
 
Upvote 0

KMatle

Expert
Licensed User
Longtime User
@DonManfred

I used your example but I got some problems with my php script. Could you please post the php counterpart here? Thanks!

What I've done is: Use "Get" to get the variables. But when I try to connect to the DB MySQL ist returning "Can’t connect to local MySQL server through socket /tmp/mysql.sock" (I'm using it on a hosted server).

Using RemoteQuery works without a problem.
 
Upvote 0

nwhitfield

Active Member
Licensed User
Longtime User
I do something similar to DonManfred; there are a lot of people out there who, if they find a site that has a SQL server, will spend hours throwing everything they possible can at it, to try and find a way in.

So, instead of talking to the server directly, I created an API script in PHP for my site's database, defining specific commands and their parameters, and the JSON format in which I'll return information. It accepts commands via POST, and returns JSON - and it also has the advantage that, if I decide I want to change the way the database works, as long as the parameters and JSON results stay the same, I don't have to change anything in the app; so, I just call the api using http2utils like this

B4X: 
Dim loginCall As HttpJob
loginCall.Initialize("auth",Me)
loginCall.PostString(BLUF.apiURL, "ACTION=login&APPKEY=" & BLUF.loginKey & "&USERKEY=" & BLUF.authCode)

If you're only doing a few simple things with your app, creating a whole API system is very probably overkill. But if you have lots of different tasks, and want to abstract everything, then it may well be worth the extra work involved.

On a side note, there are two reasons why my API uses POST rather than GET. Firstly (and potentially important on a shared server, where you may not be sure of all the security) it avoids parameters appearing in the server log files, which might compromise info, and secondly, it's very easy to POST information from jQuery, which means it's very quick to write web apps that interact with the server too.
 
Upvote 0

KMatle

Expert
Licensed User
Longtime User
Thanks for your fast reply. I solved it

For security reasons I include another php file with user, pw, etc. I have just forgotten to copy it in my new folder Stupid me...

Will try your solution, too @nwhitfield
 
Upvote 0
You must log in or register to reply here.

Similar Threads

  • Article
Share My Creation (PHP/MySQL/API) User Login App
4 5 6
Replies
108
Views
47K
aeric
P
  • Question
Android Question ExecuteRemoteQuery to Update Table
Replies
5
Views
1K
Puthut Wibowo
P
  • Question
Android Question ExecuteRemoteQuery And Service
Replies
4
Views
2K
MarcoRome
B
  • Question
Android Question ExecuteRemoteQuery
Replies
4
Views
2K
Erel
M
  • Question
MULIPLE INSERTS ExecuteRemoteQuery
Replies
3
Views
3K
Erel
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…