Reputation: 14835
I need to send the following up to my server to be stored via POST:
&username=xxxx&password=zzzzz
Should I encrypt this before sending? Or just send it via HTTPS (SSL) to my PHP page?
On the PHP page should I then do the encryption to save it to the MySQL server?
Need a little help here as to what is the best iPhone app -> PHP -> MySQL way to do this.
Upvotes: 1
Views: 629
Reputation: 16355
HTTPS should be sufficient to protect the data en-route, as others have said. On the server side, you should not store the password in any reversible form (unless for some reason you need the plaintext, such as to pass it to a third party). I would recommend using a salted cryptographic hash.
Essentially, what you do is this: when the user sets a password, you generate a new random string (the salt) and then store the password as the result of hash(salt + password). This hash should be a strong cryptographic function (nowadays I would recommend SHA-256 or similar). In this way, the user's plaintext password cannot be retrieved, even if your server is compromised.
When the user submits their password, you can simply compute hash(salt + password) again and check that the result matches what is stored in the database.
Upvotes: 0
Reputation: 1552
Sending it over HTTPS should be fine for communicating between the iPhone app and PHP. You should hash the password, using a good password hashing algorithm, as soon as possible.
If you're not familiar with good password hashing practices, you might find this useful: How do you use bcrypt for hashing passwords in PHP?
Upvotes: 1
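The two steps described in the salted-hash answer above (set: store hash(salt + password); check: recompute and compare), carried through in PHP alongside the bcrypt route the second answer links to. This is an added example, not code from any answer on this page; it assumes PHP 7+ and stands in for the MySQL users table with a plain array.

```php
<?php
// Added example: salted SHA-256 as described in the answer above, plus bcrypt via
// password_hash()/password_verify() (built into PHP since 5.5). Storage is a
// constructed array standing in for the users table; the real INSERT/SELECT
// would go through a prepared statement with the salt and hash as columns.

// --- Scheme 1: hash(salt + password) with SHA-256 ---

function set_password_sha256(string $password): array
{
    $salt   = bin2hex(random_bytes(16));           // fresh random salt per user
    $digest = hash('sha256', $salt . $password);   // hex digest of salt || password
    return ['salt' => $salt, 'hash' => $digest];   // store both; never the password
}

function check_password_sha256(array $row, string $candidate): bool
{
    $recomputed = hash('sha256', $row['salt'] . $candidate);
    return hash_equals($row['hash'], $recomputed); // constant-time comparison
}

// --- Scheme 2: bcrypt, which embeds its own salt and work factor in the string ---

function set_password_bcrypt(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password_bcrypt(string $stored, string $candidate): bool
{
    return password_verify($candidate, $stored);
}

// Constructed demo of what the PHP page does at signup and at login.
$users = [];
$users['alice'] = set_password_sha256('correct horse battery staple');
$users['bob']   = ['bcrypt' => set_password_bcrypt('hunter2')];

var_dump(check_password_sha256($users['alice'], 'correct horse battery staple'));
var_dump(check_password_sha256($users['alice'], 'wrong'));
var_dump(check_password_bcrypt($users['bob']['bcrypt'], 'hunter2'));

// Same password, different salt: two users with identical passwords get
// different stored hashes, so a database dump does not reveal the match.
$a = set_password_sha256('hunter2');
$b = set_password_sha256('hunter2');
var_dump($a['hash'] !== $b['hash']);
```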
Reputation: 10864
HTTPS/SSL should be enough if you simply want to protect your data during transmission. Obviously you may also need to store encrypted values in your MySQL db. In this case you should also encrypt your credentials before doing your SQL query.
Upvotes: 0
Reputation: 2976
You can encrypt the password using md5() or make your own encryption/decryption function.
Here is the example:
From the client end:
$password = md5('password');
To check with the database:
//security check (mysql_* extension; removed in PHP 7.0)
$user = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']); // the md5 value sent by the client
mysql_query("SELECT user_name, email FROM users WHERE username='".$user."' AND MD5(password)='".$password."'");
Upvotes: 0