Android Question Where to define password for security

tufanv

tufanv

Expert
Licensed User
Longtime User
Hello,

I am using mysql database connection in my app to retrieve info from server. As Erel described in tutorial it is open to any attack because query is directly being executed via the php file.

So i defined a password to send with the qury and php checks for the password then executes the command. My question is in my app, is there any place that defining the password is more safer than other places. For example, if i define the password as string under process_globals is it much safer all defining anywhere within the app is same for security reasons ?

TY
 
Sort by date Sort by votes
S

sorex

Expert
Licensed User
Longtime User
to be honnest I don't see the point of sending a password with your request. it's also not safe unless you pay for https certificates.
with sniffing tools you can grab your queries & password easily and replace it with a truncate table query.

instead you should send commands to the php and not just plain queries.

the command(s) will be used to execute the right query in the PHP file.
 
Upvote 0
tufanv

tufanv

Expert
Licensed User
Longtime User
Hello TY For the answer,

isnt it the same principle ? Anyone can sniff the commands and find what query it corresponds and than send the same command to server ?
 
Upvote 0
udg

udg

Expert
Licensed User
Longtime User
Anyone can sniff the commands and find what query it corresponds and than send the same command to server ?
Click to expand...

Yes, but any sniffer/attacker would be limited to queries prepared by you, so no "truncate" and other hazardous commands.
Have a look at this thread for a different approach about passwords and DB. Although the example pertains to B4J, the hash between password and "salt" code is of general use.

Umberto
 
Upvote 0
S

sorex

Expert
Licensed User
Longtime User
no because you use

http://site.com/getdata?op=getusers

you don't send any "select username from users order by username" over the net.

in the page you do a

switch($_GET["op"]){
case "getusers":$mysql="select username from users order by username";break;
}

getquery($mysql);

no way someone can inject stuff inthere.

and now you also have full flexibility so you can fill 1 json request full of data coming from multiple queries which is not really possible with the direct query method.

1 query/request with a lot of data is faster than 5 requests to get the same data in chuncks.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

aeric
  • Article
Share My Creation (PHP/MySQL/API) User Login App
4 5 6
Replies
108
Views
48K
aeric
aeric
Erel
  • Locked
  • Article
B4J Library [B4X] jRDC2 - B4J implementation of RDC (Remote Database Connector)
5 6 7
Replies
138
Views
144K
Erel
Erel
Mashiane
  • Question
Android Question Apps using MySQL: A Security Question
Replies
2
Views
1K
Erel
Erel
wonder
  • Question
Android Question Online DB Security (mySQL)
Replies
8
Views
2K
wonder
wonder
F
  • Question
Storing User Password/Security
Replies
2
Views
2K
FinerDesign
F
Top