iPhone Dev SDK Forum > iPhone SDK Development Forums > iPhone SDK Development
#1, 06-04-2009, 04:31 PM
adamscott421 (Registered Member; joined Apr 2009; 17 posts)
Security Concerns when sending request to PHP

I am making an app that sends an NSURLRequest to my own web server, to a PHP file that queries a database. The user will be allowed to insert items into the database, so I obviously need a cleaning function for that. But my question is: are there any other security concerns I need to worry about? For instance, can I hard-code my username and password when connecting to MySQL?
#2, 06-04-2009, 05:22 PM
smasher (Registered Member, iPhone Dev SDK Supporter; San Mateo, CA; joined Jul 2008; 3,858 posts)

Quote: Originally Posted by adamscott421
I am making an app that sends an NSURLRequest to my own web server, to a PHP file that queries a database. The user will be allowed to insert items into the database, so I obviously need a cleaning function for that. But my question is: are there any other security concerns I need to worry about? For instance, can I hard-code my username and password when connecting to MySQL?
Use HTTPS if you don't want people to snoop on the contents of your request. Even then, remember that the URL is NOT encrypted, so anyone monitoring the network between the phone and your server could conceivably see the URL (NAT servers, web proxies, etc.). So be sure to put anything sensitive in a POST, not in a GET.

That done, I don't think there's any reason to put your database password in the iPhone app - it should be in the PHP, since the PHP accesses the database.

Lastly, you need to make sure that no one can construct an HTTP query that would harm your data. Perhaps the app should request a user key (NOT easily guessable, NOT a sequential number!) from the server on first run, and include that user key in every request? Then the server should only act on requests with a valid user key. At this point, even if someone builds a custom HTTPS request, they need to guess a valid user key to affect any data.

PS - just for noobs - you should not have any SQL or real field and table names in your HTTPS request; just action names that the server will respond to. If you have "select from" or "delete from" anywhere in your request, or something like "action=set&table=hiscores&field=name", then you're doing it wrong.
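As an added example (not code from the thread), here is a PHP handler shaped the way smasher describes: POST only, a per-install key issued on first run from the CSPRNG with only its hash stored, and action names rather than SQL or table names in the request, with every statement fixed and parameterised. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline, and constructed request arrays standing in for $_POST; the action names, table layout and validation rules are illustrative.

```php
<?php
// Added example, not code from the thread: a PHP endpoint built the way
// smasher describes. The app POSTs an action name plus a server-issued
// per-install key; it never sends SQL, table or field names. Every statement
// here is fixed and parameterised, and the DB login stays on the server.
// Assumptions: PDO with an in-memory SQLite DB stands in for MySQL so this
// runs offline, and explicit request arrays stand in for $_POST.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Store only a hash of each key, so a leaked table yields no usable keys.
    $db->exec('CREATE TABLE installs (key_hash TEXT PRIMARY KEY, created INTEGER)');
    $db->exec('CREATE TABLE hiscores (id INTEGER PRIMARY KEY, key_hash TEXT, name TEXT, score INTEGER)');
    return $db;
}

// First-run registration: 32 bytes from the CSPRNG, not a sequential number.
function registerInstall(PDO $db): string {
    $key = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO installs (key_hash, created) VALUES (?, ?)')
       ->execute([hash('sha256', $key), time()]);
    return $key; // handed to the app once; it sends this key with every request
}

// Returns the stored key hash for a valid key, or null.
function lookupInstall(PDO $db, string $key): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $key)) return null;  // cheap reject before the DB
    $hash = hash('sha256', $key);
    $stmt = $db->prepare('SELECT key_hash FROM installs WHERE key_hash = ?');
    $stmt->execute([$hash]);
    return $stmt->fetchColumn() === false ? null : $hash;
}

// Dispatch on an action name. Anything without a valid key is dropped.
function handle(PDO $db, string $method, array $post): array {
    if ($method !== 'POST') return ['status' => 405];      // nothing sensitive in a GET
    $action = (string)($post['action'] ?? '');
    if ($action === 'register') return ['status' => 200, 'key' => registerInstall($db)];

    $keyHash = lookupInstall($db, (string)($post['key'] ?? ''));
    if ($keyHash === null) return ['status' => 403];

    switch ($action) {
        case 'submit_score':
            $name  = (string)($post['name'] ?? '');
            $score = filter_var($post['score'] ?? null, FILTER_VALIDATE_INT,
                                ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
            if ($score === false || !preg_match('/^[A-Za-z0-9 _-]{1,20}$/', $name)) {
                return ['status' => 400];                  // server-side sanity check
            }
            $db->prepare('INSERT INTO hiscores (key_hash, name, score) VALUES (?, ?, ?)')
               ->execute([$keyHash, $name, $score]);
            return ['status' => 200];
        case 'top_scores':
            $rows = $db->query('SELECT name, score FROM hiscores ORDER BY score DESC LIMIT 10')
                       ->fetchAll(PDO::FETCH_ASSOC);
            return ['status' => 200, 'scores' => $rows];
        default:
            return ['status' => 400];
    }
}

// Constructed requests standing in for what the phone (or an attacker) would send.
$db  = openDb();
$key = handle($db, 'POST', ['action' => 'register'])['key'];

$results = [
    'get_request'    => handle($db, 'GET',  ['action' => 'top_scores', 'key' => $key]),
    'guessed_key'    => handle($db, 'POST', ['action' => 'submit_score', 'key' => str_repeat('0', 64),
                                             'name' => 'Mallory', 'score' => 999999]),
    'injection_name' => handle($db, 'POST', ['action' => 'submit_score', 'key' => $key,
                                             'name' => "x'); DROP TABLE hiscores; --", 'score' => 1]),
    'valid_submit'   => handle($db, 'POST', ['action' => 'submit_score', 'key' => $key,
                                             'name' => 'Alice', 'score' => 4200]),
    'top_scores'     => handle($db, 'POST', ['action' => 'top_scores', 'key' => $key]),
];
echo json_encode($results, JSON_PRETTY_PRINT), "\n";
```

The forged request with an all-zero key is refused before any data is touched, the injection-shaped name is rejected by the server-side check (and would have been inserted as an inert literal by the prepared statement even if the check were looser), and a GET never reaches the dispatcher. The key is a bearer token, so it still needs HTTPS in transit and the app should keep it somewhere protected such as the keychain.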
#3, 06-04-2009, 06:09 PM
adamscott421
Just to clarify a few things

Thanks smasher, that helped, but just to clarify: I am hard-coding the username and password into the PHP file. Is that OK? The Objective-C code basically just sends HTTPS requests and gets back JSON, so the vulnerabilities are really just in my PHP code, not in my Objective-C.
#4, 06-04-2009, 08:55 PM
eatenbyrats (Registered Member; joined Jun 2009; 25 posts)
A couple of suggestions

Sanity check all the data on the server end.

Assume all the data you get is full of injection attacks, shell escapes, and cross-site scripting.

PEAR has quite a few useful classes already pre-rolled, and there are countless good references on the web on the topic. Always use a database abstraction layer.

Hard coding your login into the script itself will make it hard to maintain and make it insecure:
- Every time you do a regular password change, you'll have to have a monkey edit the script.
- A simple permissions change error would be enough to expose your login information. Put that kind of information in an external file outside the web server's scope instead.

http://devzone.zend.com/tag/Security_Tips

Last edited by eatenbyrats; 06-06-2009 at 04:45 AM.
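To illustrate the last two points in eatenbyrats's post (the login in an external file outside the web server's scope, and the permissions slip that would expose it), here is an added PHP example that is not from the thread. The path /etc/myapp/db.php, the config format, and the database and account names are assumptions; to run offline it writes the config to a temp directory instead, and attempts the MySQL connection but only reports failure if no server is reachable. It assumes a POSIX filesystem for the mode bits.

```php
<?php
// Added example, not code from the thread: load the MySQL login from a file
// outside the web server's document root, refusing to run if the file is
// readable by group/other. Rotating the password then means editing that one
// file, not the script. Assumptions: the path /etc/myapp/db.php, the config
// format, and the database/account names are illustrative; for an offline
// run the config is written to a temp directory instead, and the MySQL
// connection is attempted but failure is reported rather than required.
declare(strict_types=1);

// What the real file (e.g. /etc/myapp/db.php, mode 0600, readable only by
// the account the web server runs as) would contain:
const SAMPLE_CONFIG = <<<'PHP'
<?php
return [
    'dsn'  => 'mysql:host=127.0.0.1;dbname=myapp;charset=utf8mb4',
    'user' => 'myapp_web',   // limited account: SELECT/INSERT on its own tables only
    'pass' => 'change-me-here-not-in-the-script',
];
PHP;

function loadDbConfig(string $path): array {
    $real = realpath($path);
    if ($real === false) throw new RuntimeException("config not found: $path");

    // Never keep credentials under the document root: if the handler for .php
    // is ever misconfigured, the web server returns the file verbatim.
    $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    if ($docRoot !== '') {
        $prefix = rtrim(realpath($docRoot) ?: $docRoot, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("config $real is inside the document root");
        }
    }

    // Refuse any group/other bits: a chmod slip is the "simple permissions
    // change error" that would expose the login.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('config %s is mode %04o; expected 0600 or stricter', $real, $mode));
    }

    $cfg = require $real;
    if (!is_array($cfg)) throw new RuntimeException('config must return an array');
    foreach (['dsn', 'user', 'pass'] as $k) {
        if (!isset($cfg[$k]) || !is_string($cfg[$k])) {
            throw new RuntimeException("config is missing '$k'");
        }
    }
    return $cfg;
}

function connectFromConfig(array $cfg): PDO {
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Demonstration: a temp file stands in for /etc/myapp/db.php.
$dir  = sys_get_temp_dir() . '/myapp-cfg-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$path = "$dir/db.php";
file_put_contents($path, SAMPLE_CONFIG);

chmod($path, 0644);   // the slip: world-readable
try {
    loadDbConfig($path);
    echo "unexpected: loaded a world-readable config\n";
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}

chmod($path, 0600);   // owner only
$cfg = loadDbConfig($path);
echo "loaded config for DB user {$cfg['user']}\n";

try {
    $pdo = connectFromConfig($cfg);
    echo "connected to {$cfg['dsn']}\n";
} catch (PDOException $e) {
    echo "no MySQL reachable from here: {$e->getMessage()}\n";
}

unlink($path);
rmdir($dir);
```

The permission check only covers the file's own mode bits; the directory above it must not be writable by other accounts either, or the file can be replaced. Using a database account restricted to the tables and statements the script needs (rather than root) limits what a successful injection or a leaked config can do.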
#5, 06-04-2009, 11:52 PM
adamscott421
Clarify Again

Thanks, but about the username and password: the user doesn't have one, and I'm not sending anything in POST variables. I'm talking about hard-coding my username and password into the mysql_connect function in the PHP script. Is that OK?
#6, 06-05-2009, 12:14 AM
smasher (Registered Member, iPhone Dev SDK Supporter; San Mateo, CA; joined Jul 2008; 3,858 posts)

Quote: Originally Posted by adamscott421
Thanks, but about the username and password: the user doesn't have one, and I'm not sending anything in POST variables. I'm talking about hard-coding my username and password into the mysql_connect function in the PHP script. Is that OK?
Yes, that's the right thing to do - keep it on the web server. No reason to put it in the app anyway, since the app always works through the script.