Davide Rossetto

Reputation: 485

Security of connection between iOS and MySQL database

I'm looking for a way to read/write a MySQL database on a server from an iOS app. There are a lot of answers that suggest making a PHP script on the server and echoing the response as JSON. My question is: is it safe to do this? I think that anyone with a firewall can see where my app points and run the script themselves, so they can read all my data, can't they?

Upvotes: 0

Views: 93

Answers (2)

Shadi Moadad

Reputation: 78

Create a server-side script like an API (using any scripting/server-side language) that returns exactly what your app needs. That way you don't allow the client to dump everything. Also make sure your query params are sanitized (better to use some ORM mapping framework instead of concatenating the query string).

Upvotes: 0

Jesterscup

Reputation: 141

As a basic principle, yes, using a PHP script to provide a RESTful interface is a good idea.

Yes, people will be able to see the URL you point to, so you need to consider safety properly. Using SSL is a start, sending the data through POST, and perhaps including some sort of authentication to try and keep the number of unwanted connections down. I'm sure there are other options here as well. You can also consider using some sort of encryption, though that's a little outside my area of expertise.

On top of that you should ALWAYS ensure that your inputs are sanitised. Use the PHP script to ensure that only the queries you want to run on the DB are run. Send the type of request and parameters to the PHP script, let it sanitise the inputs and build the query itself.

Upvotes: 1
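
The pattern both answers describe, as an added example that is not part of either answer: the client sends a request type and parameters, and the script authenticates the caller, checks the type against a fixed list, and binds the parameters into a prepared statement. The table names, action names and token scheme are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Assumed names (not from the page): tables notes/api_tokens,
// actions list_notes/add_note. SQLite in memory stands in for MySQL so the
// script runs offline; with MySQL only the PDO DSN and credentials change.
const ACTIONS = [
    'list_notes' => ['sql' => 'SELECT id, body FROM notes WHERE user_id = :uid ORDER BY id', 'params' => []],
    'add_note'   => ['sql' => 'INSERT INTO notes (user_id, body) VALUES (:uid, :body)', 'params' => ['body']],
];

function handle(PDO $db, ?string $token, array $req): array
{
    // 1. Authenticate: only a SHA-256 hash of each token is stored server-side.
    $st = $db->prepare('SELECT user_id FROM api_tokens WHERE token_hash = :h');
    $st->execute([':h' => hash('sha256', (string) $token)]);
    $uid = $st->fetchColumn();
    if ($uid === false) {
        return ['status' => 401, 'error' => 'unauthorized'];
    }
    // 2. Allowlist: the client names an action, it never supplies SQL.
    $action = $req['action'] ?? null;
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return ['status' => 400, 'error' => 'unknown action'];
    }
    // 3. Validate each expected parameter, then bind it as data.
    $bind = [':uid' => $uid];
    foreach (ACTIONS[$action]['params'] as $p) {
        $v = $req[$p] ?? null;
        if (!is_string($v) || $v === '' || strlen($v) > 500) {
            return ['status' => 400, 'error' => "invalid parameter: $p"];
        }
        $bind[":$p"] = $v;
    }
    $q = $db->prepare(ACTIONS[$action]['sql']);
    $q->execute($bind);
    // Only statements that return columns (SELECT) have rows to fetch.
    $rows = $q->columnCount() > 0 ? $q->fetchAll(PDO::FETCH_ASSOC) : [];
    return ['status' => 200, 'data' => $rows];
}

// Constructed sample data and requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
$db->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER)');
$db->prepare('INSERT INTO api_tokens VALUES (?, 7)')->execute([hash('sha256', 'demo-token')]);
$requests = [
    [null,         ['action' => 'list_notes']],                       // no token
    ['demo-token', ['action' => 'dump_all']],                         // action not on the allowlist
    ['demo-token', ['action' => 'add_note', 'body' => "it's a note"]], // quote is bound as data
    ['demo-token', ['action' => 'list_notes']],                       // returns only user 7's rows
];
foreach ($requests as [$tok, $req]) { echo json_encode(handle($db, $tok, $req)), "\n"; }
```

In a deployed script the token would arrive in a request header over TLS and `$req` would come from the POST body; both are passed as plain arguments here to keep the example runnable from the command line.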
