is it secure to send username & password thru a link in php?

Post by markthien (joined Fri Feb 13, 2009 7:50 pm) »

Hi guys,

I am thinking of using the Clickatell API to send SMS like below:

http://www.clickatell.com/developers/php.php

However, their API accepts the username and password in the URL. Hence, is it secure to send it like that? I mean, is it vulnerable to hackers?

regards,
Mark
Re: is it secure to send username & password thru a link in php?

Post by SeaJones (joined Tue Jun 30, 2009 5:40 pm) »

Well, it depends exactly how it works. If you're sending a username and password as clear text then it's potentially sniffable by someone somewhere.

It's not sent on an HTTPS connection, which would be my first concern, but potentially the API may well check the referring URL too. I'd check that, although even that is spoofable.

At the very least, I'd make use of a randomly generated password that you don't use anywhere else, and change it regularly. Then at least the only real risk is that someone will sniff the password and send SMS messages using your account. If you have to get this going fast, then I'd do that, but at the same time I'd contact Clickatell and point out this flaw in their security.

Ideally, they could use some kind of dynamic pass-token system, using your password and the message to be sent or something encrypted to an md5 key or more secure equivalent.

<?php

$username = "bobsusername";
$password = "bobspassword";
$smsmessage_to_send = "Hi, this is a text message";

// Token derived from the password and the message, so the password
// itself never appears in the URL.
$keytosystem = md5($password . $smsmessage_to_send);

// Values are URL-encoded before going into the query string; the message
// must also reach the API so it can recompute the token on its side.
$url = "http://api.clicktell.com/?username=" . urlencode($username)
     . "&passkey=" . $keytosystem
     . "&message=" . urlencode($smsmessage_to_send);

//etc...

?>
That would be my ideal, but obviously you'd need to convince Clickatell to use a different system. That said, their current system is shockingly open to sniffers.
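As an added example, not code from the post above or from Clickatell's API, here is the keyed-token idea carried through with an HMAC, a timestamp and a nonce, so that a sniffed URL neither reveals the password nor can be replayed or altered. The endpoint fields, the secret and the phone number are constructed assumptions.

```php
<?php
// Added example (not from the original post or Clickatell's API): a keyed
// request token. The secret stays off the wire; the server recomputes the
// HMAC over the same fields and compares it in constant time.
declare(strict_types=1);

const API_SECRET     = 'bobspassword';   // constructed sample secret
const MAX_CLOCK_SKEW = 300;              // seconds a signed request stays valid

// Unambiguous canonical form of every field that must not be tampered with
// (json_encode avoids separator collisions when the text contains newlines).
function canonical(array $p): string {
    return json_encode([$p['username'], $p['to'], $p['text'], $p['ts'], $p['nonce']]);
}

// Client side: build a signed, URL-encoded query string.
function build_signed_query(string $user, string $to, string $text, string $secret, int $now): string {
    $p = [
        'username' => $user,
        'to'       => $to,
        'text'     => $text,
        'ts'       => (string) $now,
        'nonce'    => bin2hex(random_bytes(16)),  // makes each request unique
    ];
    $p['sig'] = hash_hmac('sha256', canonical($p), $secret);
    return http_build_query($p);
}

// Server side: reject missing fields, stale timestamps, reused nonces and bad signatures.
function verify_signed_query(string $query, string $secret, int $now, array &$seenNonces): bool {
    parse_str($query, $p);
    foreach (['username', 'to', 'text', 'ts', 'nonce', 'sig'] as $k) {
        if (!isset($p[$k]) || !is_string($p[$k])) return false;
    }
    if (abs($now - (int) $p['ts']) > MAX_CLOCK_SKEW) return false;  // too old or too far ahead
    if (isset($seenNonces[$p['nonce']])) return false;              // replay of a captured URL
    $expected = hash_hmac('sha256', canonical($p), $secret);
    if (!hash_equals($expected, $p['sig'])) return false;           // constant-time compare
    $seenNonces[$p['nonce']] = true;
    return true;
}

$now   = time();
$q     = build_signed_query('bobsusername', '+15550100', "Hi, this is a text message", API_SECRET, $now);
$seen  = [];
$fresh = [];
var_dump(verify_signed_query($q, API_SECRET, $now, $seen));    // first delivery of the request
var_dump(verify_signed_query($q, API_SECRET, $now, $seen));    // the same URL sent a second time
var_dump(verify_signed_query(str_replace('text=Hi', 'text=Bye', $q), API_SECRET, $now, $fresh));  // altered text
```

The message text is still readable in the URL, so this only protects the credential and the integrity of the request; HTTPS is still needed to keep the content private.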