Page 1 of 1
best security for an url
Posted: Thu Apr 16, 2009 2:48 am
by highjo
hello guys!
i've developed a kind of http server(a single page) to process the information posted by an smsc (sms gateway) to that page.i'ts was under ssl but it's not secure enough.a part from the database username/password and php http_authentication what is the best way to secure that url.thanks for reading.any idea any articles, i'll be more that grateful if you can point me to the right way of realizing that.thanks
Re: best security for an url
Posted: Thu Apr 16, 2009 3:06 am
by Apollo
Can you give an example, exactly what are you trying to do (more) securely?
Besides relying on a username/password, encrypting the data you're sending probably won't hurt?
Re: best security for an url
Posted: Thu Apr 16, 2009 3:19 am
by highjo
thanks for the fast reply. a user would have to sms to a short code for example 2233 and the sms gateway will send (by post or get can't remember since i use $_REQUEST[])it to a page for example
Code: Select all
http://mydomain/smsc/processrequest.php?text=Registeredgatewaycode(space)Mysercidecode(space)PIN(space)OtherParams&sender=themobilephonenumber
this is the simplest one.so the text param is the content of the sms of the user it has for example a code from the smsc, a code that i assign to the service the user is posting to ,the pin code of the user and other params.the sender is the number of the handset that sent the sms.hope it's clear now.
Re: best security for an url
Posted: Thu Apr 16, 2009 6:04 am
by highjo
that's basically that.i'm wondering adding 2 other params username and password that will have to be store in the database.But that too seem so simple for me
Re: best security for an url
Posted: Thu Apr 16, 2009 6:21 pm
by kaisellgren
I am finding it hard to understand what you want. Are you afraid of forged requests? How about you enter a secret key code only known by the SMSC and your website? Then no one can forge requests without knowing this key. Furthermore, send HTTP requests only through a secure connection.
The site should be able to connect back to the SMSC and ask whether the request was valid. I'm not sure how you talk to it, so, you might need to improvise.
Re: best security for an url
Posted: Tue Apr 21, 2009 1:09 pm
by gregor171
I liked the key idea.
I was wondering, wouldn't it be better to POST this content instead of GET?
Re: best security for an url
Posted: Mon May 04, 2009 9:58 am
by temidayo
highjo wrote:thanks for the fast reply. a user would have to sms to a short code for example 2233 and the sms gateway will send (by post or get can't remember since i use $_REQUEST[])
You may want to take a look at this thread on using $_REQUEST:
viewtopic.php?f=34&t=97820
I know $_GET will be convenient for you and you don't want to rule out $_POST.
It is expected that you validate your user, so username and password will not be a bad idea.
Combination of username and password stored in your database may serve as the key you require
for the validation.
Re: best security for an url
Posted: Wed May 06, 2009 4:10 pm
by david64
Likewise not sure what you are wanting. There is something called mcrypt in PHP, which allows you to encrypt-decrypt stuff using a key. That might be what you want.
Re: best security for an url
Posted: Thu May 07, 2009 4:12 am
by Raimo Roopertti
Hi,
Through this site you can know about the best security for an url:
.windowsecurity.com/
.wown.com
.petri.co.il/
.visualwin.com