Reputation: 595
I have several PHP scripts which connect to my SQL server and retrieve some data. I call these PHP scripts from an Android application. Now the issue is that I do not want the output of the scripts to be publicly seen when someone goes to that site on their computer (since they hold information about who has my application installed and other data). The only reason I have these scripts is for the internal logic of my application. I was wondering, is there any easy way to keep my scripts accessible from the Android phone and at the same time not display their output when I connect to it using a browser from my computer? If not, what other options do I have?
Upvotes: 1
Views: 247
Reputation: 12942
Having a single secret code as suggested is extremely insecure. Just pass the messages sent through a proxy and catch it and you have the code. What you are facing are basically the same issues that a creator of any publicly available API is facing.
Your best bet would be to have a unique API key for every installation that is used to sign all requests and responses. This does not HAVE to include a user manually putting it into the application. It could be that the first time the application communicates the server provides it with a key and maps that key to that device/installation.
Google for "Authentication for REST API in PHP" or something similar and you will most likely find something pointing you in the right direction.
Upvotes: 1
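The per-installation key scheme described in the answer above, as an added example that is not part of the original answer: the server issues a random key on first contact and then checks an HMAC-SHA256 signature on every request. The function names, the canonical string layout, the 300-second timestamp window and the `$store` array (standing in for a database table) are assumptions made for illustration; registration is assumed to happen over HTTPS.

```php
<?php
// Added example: per-installation API keys with HMAC-signed requests.
// $store stands in for a database table: installation id => secret key.

function register_installation(array &$store): array {
    $id  = bin2hex(random_bytes(8));   // public installation id, sent with each request
    $key = bin2hex(random_bytes(32));  // secret, returned once (over HTTPS) and kept by the app
    $store[$id] = $key;
    return ['id' => $id, 'key' => $key];
}

// Client and server build the same canonical string and sign it.
function sign_request(string $key, string $method, string $path, string $body, int $ts): string {
    $canonical = implode("\n", [$method, $path, (string) $ts, hash('sha256', $body)]);
    return hash_hmac('sha256', $canonical, $key);
}

function verify_request(array $store, string $id, string $sig, string $method,
                        string $path, string $body, int $ts, int $now,
                        int $maxSkew = 300): bool {
    if (!isset($store[$id])) {
        return false;                          // unknown installation
    }
    if (abs($now - $ts) > $maxSkew) {
        return false;                          // stale timestamp: narrows the replay window
    }
    $expected = sign_request($store[$id], $method, $path, $body, $ts);
    return hash_equals($expected, $sig);       // constant-time comparison
}

// --- constructed demo data, runs offline with the PHP CLI ---
$store = [];
$inst  = register_installation($store);
$now   = time();
$path  = '/data.php';                          // hypothetical endpoint
$body  = '{"action":"list"}';
$sig   = sign_request($inst['key'], 'POST', $path, $body, $now);

// 1) untouched request, 2) body altered in transit,
// 3) old timestamp, 4) installation id the server never issued
var_dump(verify_request($store, $inst['id'], $sig, 'POST', $path, $body, $now, $now));
var_dump(verify_request($store, $inst['id'], $sig, 'POST', $path, '{"action":"dump"}', $now, $now));
var_dump(verify_request($store, $inst['id'], $sig, 'POST', $path, $body, $now - 3600, $now));
var_dump(verify_request($store, 'not-registered', $sig, 'POST', $path, $body, $now, $now));
```

Only the first call verifies. Because the key itself is never sent after registration, a proxy that captures a signed request sees the signature but not the key.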
Reputation: 7435
You can send some ID (i.e. client ID) that is only known to the Android application in the header, and on the server send the actual response when this ID is present; if the ID is not present, then send some dummy response. Also use HTTPS so that all the data you send would be encrypted.
Upvotes: 0
Reputation: 2212
If you are calling your PHP scripts in the background in Android, you can pass a secret code as query data. Since it is happening in the background, no one will see it. Your PHP checks if that code is sent. If not, it doesn't return anything. This is not a very secure system, though it can be implemented in this way.
Upvotes: 0