Of course there is more about to secure data transmissions between clients & servers. Please take this tutorial to think about to secure your communication as good as you can.
With HttpUtils2 you can make requests to servers running PHP (Apache) or other components. This tutorial is about
- the common methods "GET" and "POST" in PHP
- the corresponding methods in HttpUtils2
- where the difference is
- security
Some contents were taken from http://blog.teamtreehouse.com/the-definitive-guide-to-get-vs-post
When I first started to do an app with B4A I took a look at some examples here in the forum. What I needed was to send a bunch of parameters to a php script on my server. Very fast I cam across HttpUtils with the method "download2" which escapes all parameters (like slashes) which is very comfortable.
It just sends a GET-request with an array of parameters to the given server, path and the called script. Inside the script the parameters P1-P3 (array) can be retrieved like this:
"$_GET" is a PHP command which gets the data from the associated parameter (= value of "P1")
Nice & very easy.
Taking a look to the server log "access.log" (Apache logs any request here) showed my request, to:
Even if it's encrypted, one could copy it and use it again (bad: user login without further checks)
By the way: Typing "servername/Serverfolder/GetExample.php?P1=This+is+P1&P2=This+is+P2&P3=This+is+P3" in your favourite browser would do the same thing.
So this made me wonder a bit:
- Get requests can be seen at least by server admins
- the structure is obviously (the request can be modified or called n-times again with other data)
- existing server folders and scriptnames are public (security!)
Even worse:
So what about usig "POST" instead without using the PHP's post method? Grab all the data and use it instead of getting single fields.
Hm. Not THAT comfortable. Before we had an array which could be expanded very easy. Now it's just a simple string.
One single string sounds good on the other side. It's just a simple string which can be encoded, encrypted and all the things we may want to do. It's much easier to do it with a simple string.
However. As I use a lot of JSON I then just created some similar (I'm lazy and I wanted the comfort of an easy expandable paramater list AND s simple string):
I just put all the parameters in a (array) of maps and all of them in a List which is converted to a JSON-string to use it with "PostString".
The PHP-side:
file_get_contents("php://input") just gets all the data sent to the script (no matter which method). It can receive files, bytes, etc. Nice thing.
In the php script you can identify the same structure as the b4x code to create the JSON-List. Of course it can be done in other ways but I use these little code snippets in many of my b4x apps.
Back to the security benefits
Taking a look to the server log "access.log" again shows this:
As you can see, no data is shown (which is good). Of course an admin needs to see what is called and when (which is ok).
In the future I will use "POST" (PostString) methods as often as I can.
With HttpUtils2 you can make requests to servers running PHP (Apache) or other components. This tutorial is about
- the common methods "GET" and "POST" in PHP
- the corresponding methods in HttpUtils2
- where the difference is
- security
Some contents were taken from http://blog.teamtreehouse.com/the-definitive-guide-to-get-vs-post
When I first started to do an app with B4A I took a look at some examples here in the forum. What I needed was to send a bunch of parameters to a php script on my server. Very fast I cam across HttpUtils with the method "download2" which escapes all parameters (like slashes) which is very comfortable.
B4X:
Dim GetExample As HttpJob
GetExample.Initialize("GetExample", Me)
GetExample.Download2(servername & "/Serverfolder/GetExample.php", _
Array As String("P1", "This is P1","P2", "This is P2", "P3", "This is P3"))
It just sends a GET-request with an array of parameters to the given server, path and the called script. Inside the script the parameters P1-P3 (array) can be retrieved like this:
B4X:
<?php
$p1=$_GET["P1"];
$p2=$_GET["P2"];
$p3=$_GET["P3"];
echo "Get-Example >>> P1:" . $p1 . " P2: " . $p2 . " P3: " . $p3;
?>
"$_GET" is a PHP command which gets the data from the associated parameter (= value of "P1")
Nice & very easy.
Taking a look to the server log "access.log" (Apache logs any request here) showed my request, to:
B4X:
192.168.178.23 - - [11/Mar/2016:20:40:00 +0100]
"GET //Serverfolder/GetExample.php?P1=This+is+P1&P2=This+is+P2&P3=This+is+P3
HTTP/1.1" 200 59 "-" "-"
Even if it's encrypted, one could copy it and use it again (bad: user login without further checks)
B4X:
192.168.178.23 - - [10/Mar/2016:22:18:33 +0100] "GET /enctrans/enctranssingle.php?Enc%3dLufIZSVR94zL5oQnHJlneWSOdnCrLFDdrv3vqHiL0lRTftogdIuf%2bamKX3%2f4C2xKXOsLvf%2bgMg7lAT20Q1G9E%2f%2f6W2Nn9rOwK%2biwQThTPGbbyPdUzDNaHaNywA03nusFjcBp6HZL5E612JBIat54%2fr2JxZwVnIyyua4HufVVrFcjHEON09U%2beLYOGQYwSGQPNkas%2b%2fFDaXFEc2ZR2Vj0oSpFLDe1rlggnxMbdD%2f%2bYHDPULq009A6yPve%2bmOUJSt8OaiRI%2f84YpWiE%2fQYRDG6oobwiaFbpIAh6H%2faFuCpGkaAcDNHzYtbyzHRwmzY4pyE2Hrc3qz03vO5f5J8zDgbwaC2zKlaKJGDIJZWaj3zmHdOoqerTfkRZhcHlnfUPJ60cfpt2kgVauSX8mrKJvBM2idaKxvm3S3YyXD1S5D5YOUhP%2b5u3wZI%2bNxJhWImfUk1RpCt1rmSPIpGNm5Nzox1On1Duxz5q58K7PxGwapiGSUMoZjWcGxmdGH0E1Jeul9O8RoSOTlDI2zwXWr1BHzapPMeNJAtp2OZj9gBSj
By the way: Typing "servername/Serverfolder/GetExample.php?P1=This+is+P1&P2=This+is+P2&P3=This+is+P3" in your favourite browser would do the same thing.
So this made me wonder a bit:
- Get requests can be seen at least by server admins
- the structure is obviously (the request can be modified or called n-times again with other data)
- existing server folders and scriptnames are public (security!)
Even worse:
- GET requests can be cached
- GET requests can remain in the browser history
- GET requests can be bookmarked
- GET requests can be distributed & shared
- GET requests can be hacked
- GET requests are limited (length)
So what about usig "POST" instead without using the PHP's post method? Grab all the data and use it instead of getting single fields.
B4X:
Dim PostExample As HttpJob
PostExample.Initialize("PostExample", Me)
PostExample.PostString(servername & "/Serverfolder/PostExample.php",SimpleString)
Hm. Not THAT comfortable. Before we had an array which could be expanded very easy. Now it's just a simple string.
One single string sounds good on the other side. It's just a simple string which can be encoded, encrypted and all the things we may want to do. It's much easier to do it with a simple string.
However. As I use a lot of JSON I then just created some similar (I'm lazy and I wanted the comfort of an easy expandable paramater list AND s simple string):
B4X:
Dim JsonList As List
Dim JsonMap As Map
JsonList.Initialize
JsonMap.Initialize
JsonMap.put("P1", "This is P1")
JsonMap.put("P2", "This is P3")
JsonMap.put("P3", "This is P3")
JsonList.add(JsonMap)
Dim JSONGenerator As JSONGenerator
JSONGenerator.Initialize2(JsonList)
Dim JSONstring As String
JSONstring = JSONGenerator.ToString
I just put all the parameters in a (array) of maps and all of them in a List which is converted to a JSON-string to use it with "PostString".
The PHP-side:
B4X:
$JsonString = file_get_contents("php://input");
$JsonList = array();
$JsonMap = array();
$JsonList=json_decode($JsonString, true);
$x = 0;
while($x < count($JsonList)) {
$JsonMap=$JsonList[$x];
$p1=$JsonMap["P1"];
$p2=$JsonMap["P2"];
$p3=$JsonMap["P3"];
echo "Post-Example >>> P1:" . $p1 . " P2: " . $p2 . " P3: " . $p3;
$x++;
}
?>
file_get_contents("php://input") just gets all the data sent to the script (no matter which method). It can receive files, bytes, etc. Nice thing.
In the php script you can identify the same structure as the b4x code to create the JSON-List. Of course it can be done in other ways but I use these little code snippets in many of my b4x apps.
Back to the security benefits
Taking a look to the server log "access.log" again shows this:
B4X:
192.168.178.23 - - [11/Mar/2016:20:40:00 +0100] "POST //Serverfolder/PostExample.php
HTTP/1.1" 200 60 "-" "-"
As you can see, no data is shown (which is good). Of course an admin needs to see what is called and when (which is ok).
In the future I will use "POST" (PostString) methods as often as I can.
Although rules usually exist for good reasons, it’s good to know the logic behind them so they can be embraced fully. I, myself, hate rules that don’t have explanations and I hope that the above helps to justify the rules of GET vs POST.
Choosing between methods is a systematic process which should be part of second nature.