Android Tutorial HttpUtils2/PHP: GET vs POST methods

Of course there is more about to secure data transmissions between clients & servers. Please take this tutorial to think about to secure your communication as good as you can.


With HttpUtils2 you can make requests to servers running PHP (Apache) or other components. This tutorial is about

- the common methods "GET" and "POST" in PHP
- the corresponding methods in HttpUtils2
- where the difference is
- security

Some contents were taken from http://blog.teamtreehouse.com/the-definitive-guide-to-get-vs-post

When I first started to do an app with B4A I took a look at some examples here in the forum. What I needed was to send a bunch of parameters to a php script on my server. Very fast I cam across HttpUtils with the method "download2" which escapes all parameters (like slashes) which is very comfortable.

B4X:
Dim GetExample As HttpJob
GetExample.Initialize("GetExample", Me)
GetExample.Download2(servername & "/Serverfolder/GetExample.php",  _
                 Array As String("P1", "This is P1","P2", "This is P2", "P3", "This is P3"))

It just sends a GET-request with an array of parameters to the given server, path and the called script. Inside the script the parameters P1-P3 (array) can be retrieved like this:

B4X:
<?php

$p1=$_GET["P1"];
$p2=$_GET["P2"];
$p3=$_GET["P3"];

echo "Get-Example >>> P1:" . $p1 . " P2: " . $p2 . " P3: " . $p3;


?>

"$_GET" is a PHP command which gets the data from the associated parameter (= value of "P1")

Nice & very easy.

Taking a look to the server log "access.log" (Apache logs any request here) showed my request, to:

B4X:
192.168.178.23 - - [11/Mar/2016:20:40:00 +0100]
"GET //Serverfolder/GetExample.php?P1=This+is+P1&P2=This+is+P2&P3=This+is+P3
HTTP/1.1" 200 59 "-" "-"

Even if it's encrypted, one could copy it and use it again (bad: user login without further checks)

B4X:
192.168.178.23 - - [10/Mar/2016:22:18:33 +0100] "GET /enctrans/enctranssingle.php?Enc%3dLufIZSVR94zL5oQnHJlneWSOdnCrLFDdrv3vqHiL0lRTftogdIuf%2bamKX3%2f4C2xKXOsLvf%2bgMg7lAT20Q1G9E%2f%2f6W2Nn9rOwK%2biwQThTPGbbyPdUzDNaHaNywA03nusFjcBp6HZL5E612JBIat54%2fr2JxZwVnIyyua4HufVVrFcjHEON09U%2beLYOGQYwSGQPNkas%2b%2fFDaXFEc2ZR2Vj0oSpFLDe1rlggnxMbdD%2f%2bYHDPULq009A6yPve%2bmOUJSt8OaiRI%2f84YpWiE%2fQYRDG6oobwiaFbpIAh6H%2faFuCpGkaAcDNHzYtbyzHRwmzY4pyE2Hrc3qz03vO5f5J8zDgbwaC2zKlaKJGDIJZWaj3zmHdOoqerTfkRZhcHlnfUPJ60cfpt2kgVauSX8mrKJvBM2idaKxvm3S3YyXD1S5D5YOUhP%2b5u3wZI%2bNxJhWImfUk1RpCt1rmSPIpGNm5Nzox1On1Duxz5q58K7PxGwapiGSUMoZjWcGxmdGH0E1Jeul9O8RoSOTlDI2zwXWr1BHzapPMeNJAtp2OZj9gBSj

By the way: Typing "servername/Serverfolder/GetExample.php?P1=This+is+P1&P2=This+is+P2&P3=This+is+P3" in your favourite browser would do the same thing.

So this made me wonder a bit:

- Get requests can be seen at least by server admins
- the structure is obviously (the request can be modified or called n-times again with other data)
- existing server folders and scriptnames are public (security!)

Even worse:

  • GET requests can be cached
  • GET requests can remain in the browser history
  • GET requests can be bookmarked
  • GET requests can be distributed & shared
  • GET requests can be hacked
  • GET requests are limited (length)

So what about usig "POST" instead without using the PHP's post method? Grab all the data and use it instead of getting single fields.

B4X:
Dim PostExample As HttpJob
PostExample.Initialize("PostExample", Me)
PostExample.PostString(servername & "/Serverfolder/PostExample.php",SimpleString)

Hm. Not THAT comfortable. Before we had an array which could be expanded very easy. Now it's just a simple string.

One single string sounds good on the other side. It's just a simple string which can be encoded, encrypted and all the things we may want to do. It's much easier to do it with a simple string.

However. As I use a lot of JSON I then just created some similar (I'm lazy and I wanted the comfort of an easy expandable paramater list AND s simple string):

B4X:
Dim JsonList As List 
Dim JsonMap As Map
   
JsonList.Initialize
JsonMap.Initialize
   
JsonMap.put("P1", "This is P1")
JsonMap.put("P2", "This is P3")
JsonMap.put("P3", "This is P3")
   
JsonList.add(JsonMap)
  
Dim JSONGenerator As JSONGenerator
JSONGenerator.Initialize2(JsonList)
  
Dim JSONstring As String
JSONstring = JSONGenerator.ToString

I just put all the parameters in a (array) of maps and all of them in a List which is converted to a JSON-string to use it with "PostString".

The PHP-side:

B4X:
$JsonString = file_get_contents("php://input");

$JsonList = array();
$JsonMap = array();
$JsonList=json_decode($JsonString, true);
$x = 0;

while($x < count($JsonList)) {
    $JsonMap=$JsonList[$x];
   
    $p1=$JsonMap["P1"];
    $p2=$JsonMap["P2"];
    $p3=$JsonMap["P3"];

    echo "Post-Example >>> P1:" . $p1 . " P2: " . $p2 . " P3: " . $p3;
    $x++;
}


?>

file_get_contents("php://input") just gets all the data sent to the script (no matter which method). It can receive files, bytes, etc. Nice thing.

In the php script you can identify the same structure as the b4x code to create the JSON-List. Of course it can be done in other ways but I use these little code snippets in many of my b4x apps.

Back to the security benefits

Taking a look to the server log "access.log" again shows this:

B4X:
192.168.178.23 - - [11/Mar/2016:20:40:00 +0100] "POST //Serverfolder/PostExample.php
HTTP/1.1" 200 60 "-" "-"

As you can see, no data is shown (which is good). Of course an admin needs to see what is called and when (which is ok).

In the future I will use "POST" (PostString) methods as often as I can.

 

KMatle

Expert
Licensed User
Longtime User
hi,
How can I transfer a recordset to read from sqlite to sql server?
Thanks

Just read the values and start a http Job which calls a php which inserts the values. Multiple rows: Create a list with maps and send it to the script which inserts the rows.
 

M.LAZ

Active Member
Licensed User
Longtime User
thank you @KMatle you a great like your tutorial ,, we need more tutorial from Experts ..

i modified this snippet code , i used a single quatation in the php function file_get_contents('php://input')

$JsonString = file_get_contents('php://input');
thanks
 
Cookies are required to use this site. You must accept them to continue using the site. Learn more…