Elegant Solution
Moderator: General Moderators
- thomas49th
- Forum Newbie
- Posts: 11
- Joined: Wed Aug 04, 2010 4:29 pm
Elegant Solution
Hi, say I have a website with PHP, MySQL, SSH etc. and I'm writing a program in C#. Say my C# software has a login form. How best do I connect the login form to the MySQL database? I have coded a way such that I use a PHP script and I send an HTTP request to the PHP script,
ie:
http://www.mywebsite.com/login.php?user ... sword=pass
that then spits out accepted or rejected and my program reads the source and parses out the information
The problems:
Speed - Is this a fast method with lots of traffic?
Security - You're passing just a password in plain text. You could add some symmetric encryption I suppose?
Practice - Is this good programming practice?
If you had to develop a solution to the problem above, what would you do
Thanks
Thomas
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Elegant Solution
No.. that is not a good solution, at all. C#, just like C++ before it, can connect to and communicate with your database. I'd suggest you pull out your handy dandy Google and start searching.
- thomas49th
- Forum Newbie
- Posts: 11
- Joined: Wed Aug 04, 2010 4:29 pm
Re: Elegant Solution
I've been trying
Most of what I find has the application being online with the MySQL server being on localhost. My problem is that this application is going to be distributed to random people with random IP addresses (so remote MySQL cannot be used). Other searches hit bespoke server technologies and expensive communication assemblies, all of which I cannot afford.
Perhaps I'm not searching hard enough, but am I right in thinking the application on the client's machine MUST communicate through a middle man such as PHP?
Can I do a https connection with php?
What would you do?
Thanks
Thomas
- ColonelSandersLite
- Forum Commoner
- Posts: 35
- Joined: Sun May 09, 2010 1:32 am
Re: Elegant Solution
Just substitute localhost with the target's ip/hostname as specified by the functions documentation. Strictly speaking, localhost is just a synonym for 127.0.0.1 (loopback).
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Elegant Solution
thomas49th wrote: "What would you do?"
Use any protocol other than HTTP.
- thomas49th
- Forum Newbie
- Posts: 11
- Joined: Wed Aug 04, 2010 4:29 pm
Re: Elegant Solution
Can I use HTTPS (SSL, right?). Can I build up the website and then apply SSL afterwards with little changes? Does SSL simply just work over the top of the website?? I have little idea how it is to be implemented. I am concerned because I'm writing a piece of software which interfaces with PHP scripts. So for logging in I send http://mysite.com/login.php?username=tom&password=test
then the PHP script connects to the MySQL database and responds with yes or no. My software needs to send the username and password in encrypted form so no one can eavesdrop. Is getting an SSL certificate the right way to go? For testing purposes I was thinking of getting a certificate from startsll.com before maybe purchasing a real one later on.
My website runs cPanel, where there is a section for SSL/TLS management.
Sorry I am new to all of this.
Thanks
Thomas
Re: Elegant Solution
You can use HTTPS (SSL) for securing the UID and PWD in the link, as long as your web server has a valid SSL certificate. Your web server will pass the UID/PWD to the local database in plain text. The established SSL connection between the client and server will encrypt the URL "over the wire" as such:
https://127.0.0.1/128-bit_encrypted_text*
*-only the IP portion of the link is plain text; everything else is encrypted by the SSL connection to prevent eavesdropping. In the sample above, your mysite.com (that sounds funny) link resolved into the local host loopback IP. Your actual website has an IP somewhere in the public IP range.
Theoretically, you could generate an SSL certificate on the web server itself that is OK for testing purposes; however, all of the browsers would complain about not being able to verify the certificate authority. You'll need an SSL certificate from a well known authority listed in the browser's certificate list to prevent the browsers complaining.
You can create and test your website without SSL certificate; however, you'll need to change the HTML code (from HTTP to HTTPS) after the certificate is available.
Cr00zng
Re: Elegant Solution
If it's an application which you're distributing to end users, which needs access to your database, then presumably you know what kind of things it needs to do?
Implement a server in any language of choice (like C#) which constantly runs on your server. Then have the client connect to that server via sockets. Have it send commands for what you want to do. For example, for logging in, you could send:
LOGIN::Username::Password;;
Then on the server, use the first word (LOGIN) to determine what you need to do, then split the rest of the string on the ::, make sure you have the correct number of parameters and pass it to the login function. The login function on your server determines if the information is correct and responds to the client. Obviously hash your password on the client, rather than the server.
If you want more security, encrypt it on the client using an encryption algorithm with a pre-shared key (my preference is AES), then decrypt on the server (and vice versa).
You can communicate with the server in almost any language, provided it supports sockets.
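As an added example (not code from the thread), here is a server-side handler for the LOGIN::Username::Password;; frame described in the post above, written in Python rather than C#. It enforces the ;; terminator and the exact parameter count before dispatching, and the login function checks the credential against a salted PBKDF2 hash with a constant-time compare; the USERS table and the "tom"/"test" account are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the example)


def _make_record(password):
    """Constructed credential record: (salt, pbkdf2 hash). A real server
    would load this from the MySQL database the thread discusses."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"tom": _make_record("test")}  # constructed sample account


def parse_frame(frame):
    """Split 'CMD::arg1::arg2;;' into (CMD, [args]); reject malformed frames."""
    if not frame.endswith(";;"):
        raise ValueError("missing ;; terminator")
    body = frame[:-2]
    if ";;" in body:
        raise ValueError("terminator inside frame body")
    parts = body.split("::")
    if not parts[0]:
        raise ValueError("empty command")
    return parts[0], parts[1:]


def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return "REJECTED"
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "ACCEPTED" if hmac.compare_digest(candidate, stored) else "REJECTED"


# Command table: name -> (exact argument count, handler).
COMMANDS = {"LOGIN": (2, login)}


def handle(frame):
    """Dispatch one frame; every malformed or unknown request gets one generic ERROR."""
    try:
        cmd, args = parse_frame(frame)
    except ValueError:
        return "ERROR"
    entry = COMMANDS.get(cmd)
    if entry is None or len(args) != entry[0]:  # parameter-count check from the post
        return "ERROR"
    return entry[1](*args)
```

Note that a password containing "::" cannot be carried by this framing at all: the split yields an extra parameter and the count check returns ERROR rather than silently misparsing, and the frame itself is plain text, so it still needs a TLS-wrapped socket underneath.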
Re: Elegant Solution
Sephern wrote: "If you want more security, encrypt it on the client using an encryption algorithm with a pre-shared key (my preference is AES), then decrypt on the server (and vice versa)."
While I agree that this adds more security, you must be aware that a sufficiently motivated attacker can extract the hardcoded shared key from the client-side application and then be able to sniff and decrypt all of your traffic.