From: David Mehler on 23 May 2010 00:40

Hello,
I've got a custom app that interacts with a database. I want to use something stronger than .htaccess to protect it and ssl is not available as this is a shared host. There will be several users accessing this app and updating the database through it. What I was thinking was giving each a unique username, password, and ID string, which would be somehow used to compute a hash and if that would match access could be granted. That's just a guess on my part, I'd appreciate any suggestions.
Thanks.
Dave.

From: Robert Cummings on 23 May 2010 01:21

David Mehler wrote:
> Hello,
> I've got a custom app that interacts with a database. I want to use
> something stronger than .htaccess to protect it and ssl is not
> available as this is a shared host. There will be several users
> accessing this app and updating the database through it. What I was
> thinking was giving each a unique username, password, and ID string,
> which would be somehow used to compute a hash and if that would match
> access could be granted. That's just a guess on my part, I'd
> appreciate any suggestions.
> Thanks.
> Dave.

Since you're not going to go over SSL, then nothing you can do will be stronger since it all flies out in plaintext over the internet.

Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any attached documents is considered confidential and legally protected. This message is intended solely for the addressee(s). Disclosure, copying, and distribution are prohibited unless authorized.

From: Nilesh Govindarajan on 23 May 2010 01:51

On 05/23/2010 10:51 AM, Robert Cummings wrote:
> David Mehler wrote:
>> Hello,
>> I've got a custom app that interacts with a database. I want to use
>> something stronger than .htaccess to protect it and ssl is not
>> available as this is a shared host. There will be several users
>> accessing this app and updating the database through it. What I was
>> thinking was giving each a unique username, password, and ID string,
>> which would be somehow used to compute a hash and if that would match
>> access could be granted. That's just a guess on my part, I'd
>> appreciate any suggestions.
>> Thanks.
>> Dave.
>
> Since you're not going to go over SSL, then nothing you can do will be
> stronger since it all flies out in plaintext over the internet.
>
> Cheers,
> Rob.

Yeah I also agree with it. If you really want the things to be secure then use SSL.

--
Nilesh Govindarajan (निलेश गोविंदराजन)
Twitter: nileshgr
Facebook: nilesh.gr
Website: www.itech7.com

From: Adam Richardson on 23 May 2010 04:22

On Sun, May 23, 2010 at 12:40 AM, David Mehler <dave.mehler(a)gmail.com> wrote:
> Hello,
> I've got a custom app that interacts with a database. I want to use
> something stronger than .htaccess to protect it and ssl is not
> available as this is a shared host. There will be several users
> accessing this app and updating the database through it. What I was
> thinking was giving each a unique username, password, and ID string,
> which would be somehow used to compute a hash and if that would match
> access could be granted. That's just a guess on my part, I'd
> appreciate any suggestions.
> Thanks.
> Dave.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

If you really, really can't get to SSL, you could develop the client-side code to use a java applet as a proxy, and the applet could handle the encryption (I've only done that once and it wasn't worth the work in the long-run, I should have just switched hosts OR clients.) You could also pull off the same effect with a FLEX application, too.

And, if you really, really wanted to, you could even develop an ajax application that encrypted the traffic before sending and decrypted any incoming traffic using a hash of a nonce provided by the server and the password of the user (the server-side PHP would perform the complementary actions.) However, this would be quite a bit of work, and I'm hoping that you can talk someone into a hosting upgrade :)

For reference, here's a javascript implementation of AES I've used in the past (there's a port of the corresponding PHP to use linked on the same page):
http://www.movable-type.co.uk/scripts/aes.html

But, again, I hope you can just switch to a host with SSL.

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com

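
The nonce-plus-password scheme described in the message above, as an added example that is not part of the original thread and not code any participant posted. It assumes Node.js with its built-in `crypto` module, that the server can look up each user's password, and AES-256-GCM as the cipher; the function names and sample values are constructed for illustration.

```javascript
const crypto = require('crypto');

// Server side: a fresh random nonce per session, sent to the client in the clear.
function newNonce() {
  return crypto.randomBytes(16);
}

// Both sides: key = SHA-256(nonce || password), i.e. the "hash of a nonce
// provided by the server and the password of the user". The password itself
// never crosses the wire.
function deriveKey(nonce, password) {
  return crypto.createHash('sha256').update(nonce).update(password, 'utf8').digest();
}

// Encrypt and authenticate one message. Wire format: iv (12) | tag (16) | ciphertext.
// AES-256-GCM is this example's choice, so that tampering is detected as well.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Returns the plaintext, or null when the key is wrong or the bytes were altered.
function unseal(key, message) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, message.subarray(0, 12));
  decipher.setAuthTag(message.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(message.subarray(28)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed
  }
}

// Constructed walk-through: one client request checked four ways on the server.
function demo() {
  const nonce = newNonce();
  const password = 'correct horse';            // constructed sample value
  const wire = seal(deriveKey(nonce, password), 'update row 7');
  const tampered = Buffer.from(wire);
  tampered[tampered.length - 1] ^= 1;           // flip one ciphertext bit
  return {
    accepted: unseal(deriveKey(nonce, password), wire),
    wrongPassword: unseal(deriveKey(nonce, 'guess'), wire),
    tampered: unseal(deriveKey(nonce, password), tampered),
    staleNonce: unseal(deriveKey(newNonce(), password), wire),
  };
}

console.log(demo());
```

This only hides traffic from someone passively listening: the page and script doing the encryption are still delivered over plain HTTP, so anyone able to modify traffic can replace them, which is why every reply in the thread points back to SSL.
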
From: David Mehler on 23 May 2010 07:52

Hello everyone,
Thanks. I'm looking into the ssl, I would like to use it, and it does seem much less work than the alternative.
Thanks.
Dave.

On 5/23/10, Adam Richardson <simpleshot(a)gmail.com> wrote:
> On Sun, May 23, 2010 at 12:40 AM, David Mehler <dave.mehler(a)gmail.com> wrote:
>
>> Hello,
>> I've got a custom app that interacts with a database. I want to use
>> something stronger than .htaccess to protect it and ssl is not
>> available as this is a shared host. There will be several users
>> accessing this app and updating the database through it. What I was
>> thinking was giving each a unique username, password, and ID string,
>> which would be somehow used to compute a hash and if that would match
>> access could be granted. That's just a guess on my part, I'd
>> appreciate any suggestions.
>> Thanks.
>> Dave.
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> If you really, really can't get to SSL, you could develop the client-side
> code to use a java applet as a proxy, and the applet could handle the
> encryption (I've only done that once and it wasn't worth the work in the
> long-run, I should have just switched hosts OR clients.) You could also
> pull off the same effect with a FLEX application, too.
>
> And, if you really, really wanted to, you could even develop an ajax
> application that encrypted the traffic before sending and decrypted any
> incoming traffic using a hash of a nonce provided by the server and the
> password of the user (the server-side PHP would perform the complementary
> actions.) However, this would be quite a bit of work, and I'm hoping that
> you can talk someone into a hosting upgrade :)
>
> For reference, here's a javascript implementation of AES I've used in the
> past (there's a port of the corresponding PHP to use linked on the same
> page):
> http://www.movable-type.co.uk/scripts/aes.html
>
> But, again, I hope you can just switch to a host with SSL.
>
> Adam
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com
>