views:

374

answers:

4

Hi all, I'm trying to get some more info on a question I posed on another thread

Basically, I am using this method to pass parameters to a php script which returns values from a server:

// Build the request URL with the parameter and fetch whatever the PHP script returns
NSString *urlstr = [[NSString alloc] initWithFormat:@"http://www.yourserver.com/yourphp.php?param=%d", paramVal];
NSURL *url = [[NSURL alloc] initWithString:urlstr];
NSError *error = nil;
NSString *ans = [NSString stringWithContentsOfURL:url encoding:NSUTF8StringEncoding error:&error];
// here in ans you'll have what the PHP side returned (nil if the request failed). Do whatever you want
[urlstr release];
[url release];

I then pose the question. How do you secure 'http://www.yourserver.com/yourphp.php' ? You can easily navigate to the same script (if you know the path) and pass in any parameters that you want. Am I missing something?

A: 

Nope, you're not missing anything. Well, other than an auth framework. :)

PHP isn't the best platform for securing a web application, but you might use Pear's Auth library.

Randolpho
+2  A: 
$_SERVER['HTTP_USER_AGENT'];

will show you the accessor's user agent, but user agents are certainly spoofable. Your only other option would be to lock down the param by checking for certain characters that you know will never be passed through it; perhaps add another (dummy) param just for a little added security. Other than that there really is no other way to secure it down.

Me1000
The user agent and dummy params won't help at all, since it's trivial to sniff these and use them in, say, a web browser. You want something like what TK replied.
Jesse Rusak
Only advanced users know how to fool the user-agent; by adding this security layer you reduce the chances of undesired users accessing your php script.
PERR0_HUNTER
+2  A: 

You could use a MAC of the outgoing data to send along.

This avoids using a full-blown Auth framework (and sessions for that matter).

This is however vulnerable to a repeat attack, but would certainly verify that the message originated from your application.

http://en.wikipedia.org/wiki/Message_authentication_code

TK
A: 

Validate your input on the PHP side; if any input is valid, then generate a password and pass that along with the parameter to be validated against before taking any action.

The password should be as temporary as possible, ideally based on a nonce from the server salted with some data the application generates (i.e. it's not stored) and the server knows beforehand.

Ed Marty
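An added example, not code from this thread, that combines TK's MAC with Ed Marty's server-issued nonce: the server hands out a single-use nonce, the app sends an HMAC over its parameters plus that nonce, and the server validates the param, recomputes the MAC in constant time and spends the nonce so the same request cannot be replayed. It is written in Python rather than PHP so both sides fit in one runnable block; the shared key, the in-memory nonce store and the numeric-param check are assumptions, and a key embedded in a shipped app can be extracted, so this proves the request came from the app, not who the user is.

```python
import hmac, hashlib, secrets

# Constructed shared secret for the example only.
SHARED_KEY = b"example-shared-key-not-for-production"

def canonical(params: dict) -> bytes:
    """Fixed, unambiguous encoding so client and server MAC exactly the same bytes."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items())).encode()

def mac_tag(key: bytes, params: dict) -> str:
    """HMAC-SHA256 over the canonical query string; sent along with the parameters."""
    return hmac.new(key, canonical(params), hashlib.sha256).hexdigest()

class Server:
    """Stands in for yourphp.php: issues nonces and redeems each one at most once."""
    def __init__(self, key: bytes):
        self.key = key
        self.nonces = set()  # assumed in-memory store of unspent nonces

    def issue_nonce(self) -> str:
        n = secrets.token_hex(16)
        self.nonces.add(n)
        return n

    def handle(self, params: dict, tag: str) -> str:
        # 1. Validate the parameter before acting on it.
        if not str(params.get("param", "")).isdigit():
            return "rejected: bad param"
        # 2. The nonce must be one we issued and not yet spent (defeats replay).
        nonce = params.get("nonce")
        if nonce not in self.nonces:
            return "rejected: unknown or reused nonce"
        # 3. Recompute the MAC and compare in constant time.
        if not hmac.compare_digest(mac_tag(self.key, params), tag):
            return "rejected: bad mac"
        self.nonces.discard(nonce)  # spend the nonce only once the MAC checks out
        return f"ok: param={params['param']}"

def demo():
    """Client side: sign a request, then show replay and tampering being refused."""
    server = Server(SHARED_KEY)
    params = {"param": 42, "nonce": server.issue_nonce()}
    tag = mac_tag(SHARED_KEY, params)
    first = server.handle(params, tag)      # genuine request
    replay = server.handle(params, tag)     # same request again: nonce already spent
    tampered = server.handle({"param": 43, "nonce": server.issue_nonce()}, tag)
    return first, replay, tampered
```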