Elegant Solution

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

thomas49th
Forum Newbie
Posts: 11
Joined: Wed Aug 04, 2010 4:29 pm

Elegant Solution

Post by thomas49th »

Hi, say I have a website with PHP, MySQL, SSH etc. and I'm writing a program in C#. Say my C# software has a login form. How best do I connect the login form to the MySQL database? I have coded a way such that I use a PHP script and I send an HTTP request to the PHP script

ie:

http://www.mywebsite.com/login.php?user ... sword=pass

That then spits out accepted or rejected, and my program reads the source and parses out the information.

The problems:
Speed - Is this a fast method with lots of traffic?
Security - You're passing just a password in plain text. You could add some symmetric encryption I suppose?
Practice - Is this good programming practice?

If you had to develop a solution to the problem above, what would you do?

Thanks
Thomas
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Elegant Solution

Post by superdezign »

No.. that is not a good solution, at all. C#, just like C++ before it, can connect to and communicate with your database. I'd suggest you pull out your handy dandy Google and start searching.
thomas49th
Forum Newbie
Posts: 11
Joined: Wed Aug 04, 2010 4:29 pm

Re: Elegant Solution

Post by thomas49th »

I've been trying :banghead: Most of what I find has the application being online with the MySQL server being on localhost. My problem is that this application is going to be distributed to random people with random IP addresses (so remote MySQL cannot be used). Other searches hit bespoke server technologies and expensive communication assemblies, all of which I cannot afford.

Perhaps I'm not searching hard enough, but am I right in thinking the application on the client's machine MUST communicate through a middle man such as PHP?

Can I do an HTTPS connection with PHP?

What would you do?

Thanks
Thomas
ColonelSandersLite
Forum Commoner
Posts: 35
Joined: Sun May 09, 2010 1:32 am

Re: Elegant Solution

Post by ColonelSandersLite »

Just substitute localhost with the target's IP/hostname as specified by the function's documentation. Strictly speaking, localhost is just a synonym for 127.0.0.1 (loopback).
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Elegant Solution

Post by superdezign »

thomas49th wrote: What would you do?
Use any protocol other than HTTP.
thomas49th
Forum Newbie
Posts: 11
Joined: Wed Aug 04, 2010 4:29 pm

Re: Elegant Solution

Post by thomas49th »

Can I use HTTPS (SSL, right)? Can I build up the website then apply SSL afterwards with little changes? Does SSL simply just not work over the top of the website? I have little idea how it is to be implemented. I am concerned because I'm writing a piece of software which interfaces with PHP scripts. So for logging in I send http://mysite.com/login.php?username=tom&password=test
then the PHP script connects to the MySQL database and responds with yes or no. My software needs to send the username and password in encrypted form so no one can eavesdrop. Is getting an SSL certificate the right way to go? For testing purposes I was thinking of getting a certificate from startsll.com before maybe purchasing a real one later on.

My website runs cPanel, where there is a section for SSL/TLS management.

Sorry I am new to all of this.

Thanks
Thomas
Cr00zng
Forum Newbie
Posts: 13
Joined: Mon Oct 05, 2009 7:15 pm

Re: Elegant Solution

Post by Cr00zng »

You can use HTTPS (SSL) for securing the UID and PWD in the link, as long as your web server has a valid SSL certificate. Your web server will pass the UID/PWD to the local database in plain text. The established SSL connection between the client and server will encrypt the URL "over the wire" as such:

https://127.0.0.1/128-bit_encrypted_text*

* Only the IP portion of the link is plain text; everything else is encrypted by the SSL connection to prevent eavesdropping. In the sample above, your mysite.com (that sounds funny :?) link resolved into the localhost loopback IP. Your actual website has an IP somewhere in the public IP range.

Theoretically, you could generate an SSL certificate on the web server itself that is OK for testing purposes; however, all of the browsers would complain about not being able to verify the certificate authority. You'll need an SSL certificate from a well-known authority listed in the browser's certificate list to prevent the browsers complaining.

You can create and test your website without an SSL certificate; however, you'll need to change the HTML code (from HTTP to HTTPS) after the certificate is available.

Cr00zng
Sephern
Forum Commoner
Posts: 73
Joined: Sun Jan 04, 2009 4:44 pm

Re: Elegant Solution

Post by Sephern »

If it's an application which you're distributing to end users, which needs access to your database, then presumably you know what kind of things it needs to do?
Implement a server in any language of choice (like C#) which constantly runs on your server. Then have the client connect to that server via sockets. Have it send commands for what you want to do. For example, for logging in you could send:
LOGIN::Username::Password;;

Then on the server, use the first word (LOGIN) to determine what you need to do, then split the rest of the string on the ::, make sure you have the correct amount of parameters and pass it to the login function. The login function on your server determines if the information is correct and responds to the client. Obviously hash your password on the client, rather than the server.
If you want more security, encrypt it on the client using an encryption algorithm with a pre-shared key (my preference is AES), then decrypt on the server (and vice versa).

You can communicate with the server in almost any language, provided it supports sockets.
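The command protocol described in this post, as an added example that is not part of the original thread: a small Python server-side dispatcher (the post leaves the language open) that checks the `;;` framing, splits on `::`, enforces the parameter count per command and verifies the LOGIN password against a stored salted hash with a constant-time compare. The user record, salt and password are constructed sample data, and `hash_password`, `parse_message`, `handle_login` and `dispatch` are names chosen here.

```python
import hashlib
import hmac

# Constructed sample credential store: username -> (salt, PBKDF2-SHA256 hash).
# In the real system these rows would be read from the MySQL users table.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

DEMO_SALT = b"constructed-demo-salt"                             # sample value
USERS = {"tom": (DEMO_SALT, hash_password("test", DEMO_SALT))}   # sample user

def parse_message(raw: str):
    """Split 'COMMAND::arg::arg;;' into (COMMAND, [args]).

    Returns None when the framing is wrong: no ';;' terminator or an empty
    command word. '::' is reserved as the delimiter, so fields may not contain it.
    """
    if not raw.endswith(";;"):
        return None
    parts = raw[:-2].split("::")
    command, args = parts[0], parts[1:]
    if not command:
        return None
    return command.upper(), args

def handle_login(args):
    username, password = args
    record = USERS.get(username)
    # Run the KDF and the comparison even for unknown users so the response
    # time does not reveal which usernames exist.
    salt, stored = record if record else (DEMO_SALT, b"\x00" * 32)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return "ACCEPTED;;" if ok and record is not None else "REJECTED;;"

# Each command declares its parameter count; dispatch() enforces it before the
# handler runs, which is the "correct amount of parameters" check from the post.
COMMANDS = {"LOGIN": (2, handle_login)}

def dispatch(raw: str) -> str:
    parsed = parse_message(raw)
    if parsed is None:
        return "ERROR::malformed;;"
    command, args = parsed
    if command not in COMMANDS:
        return "ERROR::unknown_command;;"
    expected, handler = COMMANDS[command]
    if len(args) != expected:
        return "ERROR::bad_parameter_count;;"
    return handler(args)
```

A username or password containing `::` cannot be carried by this format, so the client has to reject or escape such input before sending it.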
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Elegant Solution

Post by Mordred »

Sephern wrote: If you want more security, encrypt it on the client using an encryption algorithm with a pre-shared key (my preference is AES), then decrypt on the server (and vice versa).
While I agree that this adds more security, you must be aware that a sufficiently motivated attacker can extract the hardcoded shared key from the client-side application and then be able to sniff and decrypt all of your traffic.