|Preventing PHP scripts used in an iPhone app from being accessed via web browser||#1|
I'm trying to get some more info on a question I posed on another thread.
Basically, I am using this method to pass parameters to a php script which returns values from a server:
NSString *urlstr = [[NSString alloc] initWithFormat:@"http://www.yourserver.com/yourphp.php?param=%d", paramVal];
NSURL *url = [[NSURL alloc] initWithString:urlstr];
NSString *ans = [NSString stringWithContentsOfURL:url];
// here in ans you'll have what the PHP side returned. Do whatever you want
I then pose the question. How do you secure 'http://www.yourserver.com/yourphp.php'? You can easily navigate to the same script (if you know the path) and pass in any parameters that you want. Am I missing something?
posted date: 2009-04-10 12:29:00
|Re: Preventing PHP scripts used in an iPhone app from being accessed via web browser||#3|
Nope, you're not missing anything. Well, other than an auth framework. :) PHP isn't the best platform for securing a web application, but you might use PEAR's Auth library.
posted date: 2009-04-10 12:44:00
|Re: Preventing PHP scripts used in an iPhone app from being accessed via web browser||#4|
You could use a MAC of the outgoing data to send along. This avoids using a full-blown auth framework (and sessions for that matter). This is however vulnerable to a repeat attack, but would certainly verify that the message originated from your application. http://en.wikipedia.org/wiki/Message_authentication_code
posted date: 2009-04-10 13:09:00
|Re: Preventing PHP scripts used in an iPhone app from being accessed via web browser||#5|
Validate your input on the PHP side; if any input is valid, then generate a password and pass that along with the parameter to be validated against before taking any action. The password should be as temporary as possible, ideally based on a nonce from the server salted with some data the application generates (i.e. it's not stored) and the server knows beforehand.
posted date: 2009-04-11 04:25:00
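The MAC from post #4 combined with the server-issued nonce from post #5, written as the PHP side of the exchange. This is an added example, not code from any poster in the thread: the function names, the in-memory nonce store and the sample secret are assumptions. A secret shipped inside an app binary can be extracted, so the check proves possession of the key, not that the caller is the app.

```php
<?php
// Added example; issueNonce, signRequest, verifyRequest and the array-based
// nonce store are hypothetical names, not from the thread.

const NONCE_TTL = 60; // seconds a nonce stays valid

// Server: hand out a random single-use nonce and record when it was issued.
function issueNonce(array &$store, int $now): string {
    $nonce = bin2hex(random_bytes(16));
    $store[$nonce] = $now;
    return $nonce;
}

// Client side of the exchange: the MAC covers the nonce and the parameter.
// The nonce is hex, so '|' cannot appear in it and the split is unambiguous.
function signRequest(string $secret, string $param, string $nonce): string {
    return hash_hmac('sha256', $nonce . '|' . $param, $secret);
}

// Server: accept only a known, unexpired, unused nonce with a matching MAC.
function verifyRequest(array &$store, string $secret, string $param,
                       string $nonce, string $mac, int $now): bool {
    if (!isset($store[$nonce])) {
        return false;                     // unknown or already consumed nonce
    }
    $issued = $store[$nonce];
    unset($store[$nonce]);                // single use, even if the MAC fails
    if ($now - $issued > NONCE_TTL) {
        return false;                     // nonce expired
    }
    $expected = signRequest($secret, $param, $nonce);
    return hash_equals($expected, $mac);  // constant-time comparison
}

// Constructed walk-through: sample secret, in-memory store, fixed clock.
$secret = 'constructed-sample-secret';
$store  = [];
$now    = 1000;

$nonce = issueNonce($store, $now);
$mac   = signRequest($secret, '42', $nonce);
var_dump(verifyRequest($store, $secret, '42', $nonce, $mac, $now + 5)); // first use
var_dump(verifyRequest($store, $secret, '42', $nonce, $mac, $now + 6)); // same request replayed

$nonce2 = issueNonce($store, $now);
$mac2   = signRequest($secret, '42', $nonce2);
var_dump(verifyRequest($store, $secret, '43', $nonce2, $mac2, $now));   // param altered after signing
```

In a real deployment the nonce store would live in a database or cache shared by all PHP workers, and the exchange would run over HTTPS so the nonce and MAC are not readable in transit.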
|Re: Preventing PHP scripts used in an iPhone app from being accessed via web browser||#6|
The user agent and dummy params won't help at all, since it's trivial to sniff these and use them in, say, a web browser. You want something like what TK replied.
posted date: 2009-04-11 05:02:00
|Re: Preventing PHP scripts used in an iPhone app from being accessed via web browser||#7|
Only advanced users know how to fool the user-agent; by adding this security layer you reduce the chances of undesired users accessing your PHP script.
posted date: 2009-04-11 12:45:00