Elegant Solution
Posted: Wed Aug 04, 2010 4:52 pm
by thomas49th
Hi, say I have a website with PHP, MySQL, SSH, etc. and I'm writing a program in C#. Say my C# software has a login form. How best do I connect the login form to the MySQL database? I have coded a way such that I use a PHP script and I send an HTTP request to the PHP script,
i.e.:
http://www.mywebsite.com/login.php?user ... sword=pass
that then spits out accepted or rejected, and my program reads the source and parses out the information.
The problems:
Speed - Is this a fast method with lots of traffic?
Security - You're passing just a password in plain text. You could add some symmetric encryption, I suppose?
Practice - Is this good programming practice?
If you had to develop a solution to the problem above, what would you do?
Thanks
Thomas
Re: Elegant Solution
Posted: Wed Aug 04, 2010 5:45 pm
by superdezign
No.. that is not a good solution, at all. C#, just like C++ before it, can connect to and communicate with your database. I'd suggest you pull out your handy dandy Google and start searching.
Re: Elegant Solution
Posted: Thu Aug 05, 2010 12:37 pm
by thomas49th
I've been trying

Most of what I find has the application being online with the MySQL server being on localhost. My problem is that this application is going to be distributed to random people with random IP addresses (so remote MySQL cannot be used). Other searches hit bespoke server technologies and expensive communication assemblies, all of which I cannot afford.
Perhaps I'm not searching hard enough, but am I right in thinking the application on the client's machine MUST communicate through a middle man such as PHP?
Can I do a https connection with php?
What would you do?
Thanks
Thomas
Re: Elegant Solution
Posted: Thu Aug 05, 2010 3:57 pm
by ColonelSandersLite
Just substitute localhost with the target's IP/hostname as specified by the function's documentation. Strictly speaking, localhost is just a synonym for 127.0.0.1 (loopback).
Re: Elegant Solution
Posted: Thu Aug 05, 2010 5:45 pm
by superdezign
thomas49th wrote: What would you do?
Use any protocol other than HTTP.
Re: Elegant Solution
Posted: Sat Aug 07, 2010 5:38 pm
by thomas49th
Can I use HTTPS (SSL, right)? Can I build up the website then apply SSL afterwards with little changes? Does SSL simply just not work over the top of the website? I have little idea how it is to be implemented. I am concerned because I'm writing a piece of software which interfaces with PHP scripts. So for logging in I send
http://mysite.com/login.php?username=tom&password=test
then the PHP script connects to the MySQL database and responds with yes or no. My software needs to send the username and password in encrypted form so no one can eavesdrop. Is getting an SSL certificate the right way to go? For testing purposes I was thinking of getting a certificate from startsll.com before maybe purchasing a real one later on.
My website runs cPanel, where there is a section for SSL/TLS management.
Sorry I am new to all of this.
Thanks
Thomas
Re: Elegant Solution
Posted: Sun Aug 08, 2010 8:48 am
by Cr00zng
You can use HTTPS (SSL) for securing the UID and PWD in the link, as long as your web server has a valid SSL certificate. Your web server will pass the UID/PWD to the local database in plain text. The established SSL connection between the client and server will encrypt the URL "over the wire" as such:
https://127.0.0.1/128-bit_encrypted_text*
* - only the IP portion of the link is plain text; everything else is encrypted by the SSL connection to prevent eavesdropping. In the sample above, your mysite.com (that sounds funny) link resolved into the localhost loopback IP. Your actual website has an IP somewhere in the public IP range.
Theoretically, you could generate an SSL certificate on the web server in itself that is OK for testing purposes; however, all of the browsers would complain about not being able to verify the certificate authority. You'll need an SSL certificate from a well-known authority listed in the browser's certificate list to prevent the browsers complaining.
You can create and test your website without SSL certificate; however, you'll need to change the HTML code (from HTTP to HTTPS) after the certificate is available.
Cr00zng
Re: Elegant Solution
Posted: Thu Aug 12, 2010 3:59 pm
by Sephern
If it's an application which you're distributing to end users, which needs access to your database, then presumably you know what kind of things it needs to do?
Implement a server in any language of choice (like C#) which constantly runs on your server. Then have the client connect to that server via sockets. Have it send commands for what you want to do. For example, logging in, you could send-
LOGIN::Username::Password;;
Then on the server, use the first word (LOGIN) to determine what you need to do, then split the rest of the string on the ::, make sure you have the correct amount of parameters and pass it to the login function. The login function on your server determines if the information is correct and responds to the client. Obviously hash your password on the client, rather than the server.
If you want more security, encrypt it on the client using an encryption algorithm with a pre-shared key (my preference is AES), then decrypt on the server (and vice versa).
You can communicate with the server in almost any language, provided it supports sockets.
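The server-side handling of the `LOGIN::Username::Password;;` command described in the post above, as an added example that is not part of the original thread or any poster's code. It is written in Python (the post leaves the server language open); the `ACCEPTED;;` / `REJECTED;;` / `ERROR::...;;` reply format, the `MAX_FRAME` limit and the `USERS` store are assumptions made for illustration.

```python
import hashlib
import hmac

TERMINATOR = ";;"
SEPARATOR = "::"
MAX_FRAME = 512  # assumed upper bound for one command; not from the thread

# Constructed sample store: username -> SHA-256 hex digest the client sends.
USERS = {"tom": hashlib.sha256(b"test").hexdigest()}


def parse_command(frame: str):
    """Split 'VERB::arg1::arg2;;' into (verb, args); raise ValueError if malformed."""
    if len(frame) > MAX_FRAME:
        raise ValueError("frame too long")
    if not frame.endswith(TERMINATOR):
        raise ValueError("missing terminator")
    body = frame[: -len(TERMINATOR)]
    if TERMINATOR in body:
        raise ValueError("more than one command in frame")
    verb, *args = body.split(SEPARATOR)
    if not verb:
        raise ValueError("empty verb")
    return verb, args


def handle_login(args):
    # Exactly two parameters are expected. A username or password that itself
    # contains '::' yields extra fields and is rejected here, not mis-parsed.
    if len(args) != 2:
        return "ERROR::bad parameter count;;"
    username, digest = args
    expected = USERS.get(username, "")
    # compare_digest does not leak how many leading characters matched.
    ok = expected != "" and hmac.compare_digest(expected.encode(), digest.encode())
    return "ACCEPTED;;" if ok else "REJECTED;;"


HANDLERS = {"LOGIN": handle_login}  # the first word selects the handler


def dispatch(frame: str) -> str:
    try:
        verb, args = parse_command(frame)
    except ValueError as exc:
        return f"ERROR::{exc};;"
    handler = HANDLERS.get(verb)
    if handler is None:
        return "ERROR::unknown command;;"
    return handler(args)
```

Because the delimiters are in-band, any field that can legitimately contain `::` or `;;` has to be encoded (for example as hex) before it is placed in a frame.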
Re: Elegant Solution
Posted: Fri Aug 13, 2010 1:43 am
by Mordred
Sephern wrote: If you want more security, encrypt it on the client using an encryption algorithm with a pre-shared key (my preference is AES), then decrypt on the server (and vice versa).
While I agree that this adds more security, you must be aware that a sufficiently motivated attacker can extract the hardcoded shared key from the client-side application and then be able to sniff and decrypt all of your traffic.