I am developing an app for Android which allow users making comments. The problem is: if someone discovered the PHP file of my server which receive a comment and save it in a database this person would have a total control to save unlimited comments. So... How could I avoid this?
I don't know so much of security but... Could it be possible solve it with hash, keys or anything? How?
You could use Oauth and send a token with each request here a example link Oauth2 or you can use a more simple method like:
User log in you app then you create in a table a record with is id and random string
Return this string to the user
When user do request add this string
On PHP verify thata string exists and the id is correct then insert the comment else nothing
Related
i am using httpUrlConnection in android to send a user form (name,pre name,email etc) to the server then validation is done at server side, after that form data are inserted to data base or an error returned to user. that is what my php page looks like in brief
<?php
$name = $_POST['name'];
$prename = $_POST['prename'];
$email = $_POST['email'];
if( isvalid($name)&&isvalid($prename)&&isvalid($email) ){
insertUser($name,$prename,$email);
echo 'successfully registered'
}else{
echo 'data invalid please correct';
}
?>
theoretically , now user cant insert malformed data like a name that contain numbers into my database.
even if a hacker could trick the host server into accepting such malformed input then mysql server will return an error that said could not insert those data into corresponding fields since every column has a predefined type in mysql.
now i considered to switch to firebase and i wonder if i can do the same verification before inserting the data into my realtime database without relying on client side verification. i mean if someone crack my app or bypass the verification on the client side(witch is easy for a hacker) and trick the app he could be able to insert some malformed data and users will start to see name that contain numbers or phone number that contain letter or have a password that have one letter and i dont want that to happen.
my question is: is there any way to verify the users inputs before inserting them to my firebase without a client side verification?
if not then what is the best way to get around that 'problem'?
Sorry for Lengthening,but i tried to be precise as mutch as possible.
To validate the data that can be written into the Firebase Realtime Database, you can use Firebase's server-side security rules. These are evaluated before every read/write to the database, and you can use them to ensure all data is valid, and all access is authorized.
For some examples, have a look at the Firebase documentation on validating the data with security rules.
I am new to android development .I have developed an android app from where one can insert some record via the app to the mysql database using php as server side programming.
No need to perform any kind of login operation for inserting the record via the app.
So now the problem is that if a user clicks on sumbit button multiple times(say x times) within a fraction of seconds, then same record will be inserted into the database multiple times(x times) ..obviously with different primary key id in each row.
So i need to prevent it by generating a unique token in oncreate() and pass the token along with the body post request and validate it at the server end using php.
The token must be unique for each post request via app to the server and also it has to be destroyed once it is used for a particular request.
So how to go for it? Please help..i need a reference code if anyone can provide..
A lightweight approach is to generate a token that can self-validate using an HMAC. On the server, you'd generate a token using say generate_token($secret) and send this to the client. The client has to include the token in it's response. Validate the token on the server with valid_token($secret, $token).
To prevent re-use of tokens, you have to store the spent tokens. For example, you could store used tokens in a db-record with a unique constraint before proceeding with the request. If inserting fails on the constraint, you know the token was re-used.
Example of token generation and validation:
function generate_token($secret) {
return build_token($secret, bin2hex(random_bytes(5)));
}
function build_token($secret, $id) {
return $id . '-' . hash_hmac('ripemd160', $id, $secret);
}
function valid_token($secret, $token) {
$parts = explode('-', $token);
return $token === build_token($secret, $parts[0]);
}
There are other ways. You could generate random ID and store them. Then delete them from the store once they're used. Then you don't need a secret. I prefer storing spent tokens because it's stateless up until the last step.
Edit: Note that to protect against CSRF the token has to include a user-specific ID. In PHP, session_id() can often be used for this. A very simplistic approach would concat session_id() to $secret as in generate_token($secret . session_id()) and valid_token($secret . session_id(), $token). I hope you get the idea.
I got a question about security for my simple REST API application.
I implemented check for security and on every attempt to read/update data from/in database (this is a simple HttpSession session= request.getSession(true); and check - if this is a new session or old and if it equals session id fro cookies).
But the thing is - even if this is a valid user and valid session - I got an URL which make a user to ignore other user:
http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2
I could change 2 users id (last 2 numbers) and send the same request to make other system user to ignore somebody else, for example: http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/3/4
How can I solve this problem?
I googled a lot (for example - RESTful Authentication and related articles, including security questions). But what is the easiest way to solve this problem? I quite a beginner, so I'll be happy to find the simpliest solutions.
Thank you!
Any authentication mechanism allows you to handle this, provided that users don't share the same credentials. Even with Basic AUTH, you'll be able to determine who authenticated.
If the logged in user is id=1, then he can perform http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2, but he can't ignore people for any other id. In fact, since you get the user id from the database, you don't even need the first parameter. It would be ignoreFriend/2, meaning "I want to ignore the person whose id I'm giving as a parameter".
is it possible to retrieve the username of a google account that i have succesfully authenticated using OAuth?
i have retrieved the users Access tokens but i am wondering if their is a API call i can make such has https://google.api/getUserName and pass the access tokens to that call and succesfully retrieve the users email/username?
In a normal OAuth web service, all you need is the secret and id access tokens to make calls to the web service but in google you also need the username too.
Any ideas?
Take a look at http://sites.google.com/site/oauthgoog/Home/emaildisplayscope . That should work for you.
The only way I figured so far is using the Spreadsheet API.
If you request the feed, that lists all documents
https://spreadsheets.google.com/feeds/spreadsheets/private/full?alt=json
There is a field with the username as well:
response.data.feed.title.$t
Unfortunately, this means prompting the user to grant access to his GDocs account, which may be confusing..
But I don't know of any API by Google to directly get the username.
Best way, the following feed was retrieved from the Contacts Data API:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=0
and get next fields from the feed:
response.data.feed.id
or
response.data.feed.author.name.$t
response.data.feed.author.email.$t
http://code.google.com/intl/ja/apis/accounts/docs/AuthForInstalledApps.html#Errors
This one is PHP, i think a slight modification in JAVA could make this workout
http://www.electrictoolbox.com/google-analytics-login-php-curl-username-password/
In my facebook app, I figured out how to get a session_key by fetching the user's offline_access permission. (Using Facebook Java API)
However, what I could not find out:
How can I create an IFacebookRestClient using this key at a later point of time? Of course, as long as the session of my own app lasts, the client is stored within it - but I have no idea how I could aquire one in another session from that key.
Maybe I am just missing a part of the api... Any help on this is very much appreciated :)
Well maybe it's just as simple as passing it to the constructor?
public FacebookJsonRestClient(String apiKey, String secret, String sessionKey)
Looks so....