Jeff

Reputation: 2838

Preventing PHP scripts used in an iPhone app from being accessed via web browser

I'm trying to get some more info on a question I posed on another thread

Basically, I am using this method to pass parameters to a php script which returns values from a server:

// Build the request URL with the parameter in the query string (plain HTTP, so
// the full URL, parameter included, is visible to anyone on the path).
NSString *urlstr = [[NSString alloc] initWithFormat:@"http://www.yourserver.com/yourphp.php?param=%d", paramVal];
NSURL *url = [[NSURL alloc] initWithString:urlstr];
// Synchronous GET; the PHP script's output comes back as the string.
NSString *ans = [NSString stringWithContentsOfURL:url];
// here in ans you'll have what the PHP side returned. Do whatever you want
[urlstr release];
[url release];

I then pose the question. How do you secure 'http://www.yourserver.com/yourphp.php' ? You can easily navigate to the same script (if you know the path) and pass in any parameters that you want. Am I missing something?

Upvotes: 0

Views: 531

Answers (4)

Ed Marty

Reputation: 39700

Validate your input on the PHP side; if any input is valid, then generate a password and pass that along with the parameter to be validated against before taking any action.

The password should be as temporary as possible, ideally based on a nonce from the server salted with some data the application generates (i.e. it's not stored) and the server knows beforehand.

Upvotes: 0

TK.

Reputation: 417

You could use a MAC of the outgoing data to send along.

This avoids using a full-blown auth framework (and sessions for that matter).

This is however vulnerable to a replay attack, but would certainly verify that the message originated from your application.

http://en.wikipedia.org/wiki/Message_authentication_code

Upvotes: 2
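The two answers above (a temporary, nonce-based password; a MAC over the outgoing data) are really one scheme, and the replay weakness TK mentions is closed by signing a timestamp and a one-shot nonce along with the parameter. The following is an added example, not code from the question or either answer, written in Python so that both sides of the exchange can be run in one place; the PHP script would do the same checks with hash_hmac() and hash_equals(). The secret value, the 300-second window and the in-memory nonce table are assumptions for the example (a real server would keep the nonce table in a database or cache). It goes slightly beyond the answers by also validating the parameter itself before looking at the signature.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Hypothetical shared secret compiled into the app and known to the server.
# Anyone who extracts it from the app binary can forge requests, so this
# proves "came from a copy of the app", not "came from a trusted user".
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAX_SKEW_SECONDS = 300  # how long a captured, signed URL stays usable at all


def canonical_string(fields):
    """Deterministic serialisation of the signed fields: sorted, URL-encoded pairs."""
    return urlencode(sorted(fields.items()))


def compute_mac(fields):
    return hmac.new(SHARED_SECRET, canonical_string(fields).encode(), hashlib.sha256).hexdigest()


def sign_request(param, now=None, nonce=None):
    """Client side: the query string the app would append to yourphp.php."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8) if nonce is None else nonce
    fields = {"param": str(param), "ts": str(now), "nonce": nonce}
    fields["mac"] = compute_mac(fields)
    return urlencode(fields)


class Server:
    """Server side: the checks yourphp.php should run before acting on 'param'."""

    def __init__(self):
        self.seen_nonces = {}  # nonce -> timestamp it was signed with

    def verify(self, query, now=None):
        now = int(time.time()) if now is None else now
        parsed = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        for required in ("param", "ts", "nonce", "mac"):
            if required not in parsed:
                return False, "missing " + required
        # 1. Validate the parameter itself, whatever the signature says.
        if not parsed["param"].isdigit():
            return False, "param is not an integer"
        # 2. Reject stale requests so the nonce table only has to cover one window.
        try:
            ts = int(parsed["ts"])
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        # 3. Recompute the MAC over the signed fields; constant-time compare
        #    (PHP: hash_equals(hash_hmac('sha256', $canonical, $secret), $_GET['mac'])).
        signed = {k: parsed[k] for k in ("param", "ts", "nonce")}
        if not hmac.compare_digest(compute_mac(signed), parsed["mac"]):
            return False, "bad mac"
        # 4. One-shot nonce: the identical URL cannot be replayed inside the window.
        self._expire(now)
        if parsed["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[parsed["nonce"]] = ts
        return True, "ok"

    def _expire(self, now):
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_SKEW_SECONDS}


if __name__ == "__main__":
    server = Server()
    url_query = sign_request(42)
    print("first request :", server.verify(url_query))   # accepted
    print("same URL again:", server.verify(url_query))   # rejected as a replay
    print("edited param  :", server.verify(url_query.replace("param=42", "param=43")))
```

Note what this does and does not buy: a browser user who copies a URL out of a proxy log can no longer replay it, and cannot change param without the server noticing, but the secret lives in the app and is recoverable, so it raises the bar rather than authenticating a person. That last point is why the fourth answer's suggestion of a real auth framework still applies if the script does anything that matters.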

Me1000

Reputation: 1758

$_SERVER['HTTP_USER_AGENT'];

Will show you the accessor's user agent, but user agents are certainly spoofable. Your only other option would be to lock down the param by checking for certain characters that you know will never be passed through it, and perhaps add another (dummy) param just for a little added security. Other than that there really is no other way to secure it down.

Upvotes: 2

Randolpho

Reputation: 56448

Nope, you're not missing anything. Well, other than an auth framework. :)

PHP isn't the best platform for securing a web application, but you might use Pear's Auth library.

Upvotes: 0
