
Hiding Database info from view source


Comments

  • Registered Users Posts: 763 ✭✭✭EIREHotspur


    Thanks a lot for that Graham.....that does indeed pass on the form variables to the next page....I will just have to figure out the final part of sending that and the attached username and password fields to the server....I take it that it needs an auto submit script when this page loads?


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham




  • Registered Users Posts: 763 ✭✭✭EIREHotspur


    So just to recap.....

    My Form goes on test.php

    My results plus $publisherid and $appid go on send.php

    I place this underneath

    // THIS ARRAY CONTAINS THE INPUT FIELDS DATA
    $data = array(
    'username' => 'username',
    'appid' => 'appid'
    );


    // START THE CURL PROCESS
    $ch = curl_init(); // initialize
    curl_setopt($ch, CURLOPT_URL, 'http://mywebsite.com'); // form location url
    curl_setopt($ch, CURLOPT_POST, 1); // form method
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // input fields
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // get form result details
    $html = curl_exec($ch); // execute the curl process

    // DISPLAY FORM SUBMITTED RESULT
    print_r($_POST);



    What goes where 'http://mywebsite.com' is..../test.php or /send.php?


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham



    What goes where 'http://mywebsite.com' is..../test.php or /send.php?

    test.php and send.php both go on your server, you submit to the URL of the remote server that sends the push notifications:
    curl_setopt($ch, CURLOPT_URL, 'http://remoteserver.com/flip/flop/send.aspx'); // form location url
    

    Change the blue bit to the correct URL of the push server's form.

    Your $data array needs to contain all the fields that the form on the push server is expecting. From your snippet it looks like you need to change the $password variable to $appid


  • Registered Users Posts: 763 ✭✭✭EIREHotspur


    echo $username."<br />";
    echo $pass."<br />";
    echo $message."<br />";
    echo $publisherid."<br />";
    echo $appid."<br />";

    // Below this point you build the cURL submission to the remote server

    // THIS ARRAY CONTAINS THE INPUT FIELDS DATA
    $data = array(
    'username' => 'username',
    'pass' => 'pass',
    'message' => 'message',
    'publisherid' => 'publisherid',
    'appid' => 'appid'
    );


    // START THE CURL PROCESS
    $ch = curl_init(); // initialize
    curl_setopt($ch, CURLOPT_URL, 'http://appserver.net/send.ashx'); // form location url
    curl_setopt($ch, CURLOPT_POST, 1); // form method
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // input fields
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // get form result details
    $html = curl_exec($ch); // execute the curl process

    // DISPLAY FORM SUBMITTED RESULT
    print_r($_POST);

    ?>



    It prints the right values from test.php but it doesn't autosubmit the PN to the server when it gets to the send.php

    You are right though....I should dive into PHP and learn it when I get some time......you have spent long enough on this.....I do appreciate it...


  • Registered Users Posts: 2,781 ✭✭✭amen


    I am not a php person but if you are using Curl to just call a url like http://www.myurl.com then you are still passing the user credentials in an unencrypted format.

    Also why are you not using the provided API? The API is most likely supported, follows industry standards, is secure etc.

    lots of stripping out code and no idea where to start with the variables add on.
    Thanks lads...I have spent a lot of money over the years on extensions etc to get me where I want to go because detailed coding makes my head hurt....

    Are worrying statements. I might be wrong but it sounds like you're finding code snippets and/or 3rd party addons and cobbling together a solution with no real understanding of how the parts work or if there are any security/logic holes.

    Would it not serve you (any customers you have) to create a proper robust solution?


  • Registered Users Posts: 763 ✭✭✭EIREHotspur


    Thanks for that Amen.

    I was worried when I saw their page.......this company has deep pockets and they let this solution out (with a "We do not recommend it" disclaimer)....another guy though has a workaround that I hope he will get back to me on today.....a masking feature through javascript which will provide security behind the control panels I have built in.

    It will be robust enough after that.

    Thanks to Graham though....obviously he has a great knowledge of PHP.

    I got to cook the Books on it when I get some time.


  • Registered Users Posts: 1,275 ✭✭✭bpmurray


    Do NOT do it from JavaScript - any "security" you have on a web page is illusory. You must do it from the server end, as in the curl example.


  • Registered Users Posts: 763 ✭✭✭EIREHotspur


    I can do Apps.....I cannot handcode PHP.....I do not have a great understanding of the complexities of it.

    I can use Dreamweaver to connect to databases, use different extensions to provide logins, restrict access to pages based on levels, do queries etc etc.

    I didn't expect this company's independent script for sending Push Notifications to be so OPEN.

    I don't know enough to use APIs right now....so you do not recommend a Javascript Encoder then?

    The only people who will be able to view source are the clients who pay me for an App......as for security in general Microsoft cannot stop all threats so there is no 100% solution...


  • Registered Users Posts: 6,000 ✭✭✭Talisman


    What Graham and 28064212 have described for you is the established standard practice for doing what you want.

    If you are using curl to post the data from your server to that of the service provider then the data is being sent as clear text. If the service provider has an API then that's what you should be using.

    If you posted a link to the API documentation, people would be better able to advise you.


  • Registered Users Posts: 1,275 ✭✭✭bpmurray


    OK, sounds like you're heading to the wrong place. I guess we can help you a bit. The code below is pulling together the stuff in the thread, but to continue we'd need to know what's returned by the API. My guess is that you'll have to do a check on the response and then forward the page to somewhere depending on its content.
    <?php
       // If it's a POST, the user is being added
       // If it's a GET, the page is being displayed
       // In other words, this code is executed only after the user clicks "Submit"
       // This block runs before any HTML is output, because header() cannot
       // redirect once output has started
       $response = null;
       if ($_SERVER['REQUEST_METHOD'] === 'POST') {
          $recipient = $_POST['recipient']; // matches the name of the form field below
          $message = $_POST['message'];
          $username = "BOB";
          $password = "NOPEEKING";
          $publisherid = "sahdlkadhsaldhsaldha";
          $appid = "whatever123";

          // THIS ARRAY CONTAINS THE INPUT FIELDS DATA
          $data = array(
             'username' => $username,
             'pass' => $password,
             'message' => $message,
             'publisherid' =>  $publisherid,
             'appid' => $appid
          );

          // START THE CURL PROCESS
          $ch = curl_init(); // initialize
          curl_setopt($ch, CURLOPT_URL, 'http://appserver.net/send.ashx'); // form location url
          curl_setopt($ch, CURLOPT_POST, 1); // form method
          curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // input fields
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // get form result details
          $html = curl_exec($ch); // execute the curl process
          curl_close($ch); // Clean up

          // Now $html has the result we want
          // Its format depends on what the API returns - it might be a JSON blob, or it might be a web page or ....

          if ($html == "OK") {
             header("Location: http://www.yourwebsite.com/differentpage.php"); // Go to a different page
             exit();
          }
          // Staying on this page, so keep the response to display it below
          $response = $html;
       }
    ?>
    <html><head><title>Simple example</title>
    </head><body>
    <?php
       // Escape the remote response before writing it into the page
       if ($response !== null) {
          echo htmlspecialchars(print_r($response, true));
       }
    ?>
       <!-- We want the form to submit as a POST to this current file -->
       <form name="myform" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="POST">
           Recipient: <input type="text" name="recipient" /><br />
           <textarea name="message" rows="10" cols="60">Enter your message here</textarea><br />
           <input type="submit" />
       </form>
    </body>
    </html>
    

    Please note - I haven't tested this so it's likely to have typos.
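
A hardened form of the server-side relay posted above, as an added example that is not part of the thread or any poster's code: the credentials are read from the server environment so they never reach the page source, and the relay refuses any endpoint that is not HTTPS so the password is not sent in clear text. The PUSH_* environment variable names are assumptions, the field names follow the $data array in the thread, and the provider's endpoint is assumed to accept HTTPS.

```php
<?php
// Added example, not from the thread; the PUSH_* environment variable names are assumptions.
declare(strict_types=1);
function push_config(): array
{
    // Credentials come from the server environment, never from HTML or JavaScript.
    $cfg = [];
    foreach (['PUSH_URL', 'PUSH_USER', 'PUSH_PASS', 'PUSH_PUBLISHER_ID', 'PUSH_APP_ID'] as $key) {
        $value = getenv($key);
        if ($value === false || $value === '') {
            throw new RuntimeException("Missing server setting: $key");
        }
        $cfg[$key] = $value;
    }
    // Refuse a clear-text endpoint so the password never crosses the network unencrypted.
    if (strtolower((string) parse_url($cfg['PUSH_URL'], PHP_URL_SCHEME)) !== 'https') {
        throw new RuntimeException('PUSH_URL must use https');
    }
    return $cfg;
}

function send_push(array $cfg, string $message): bool
{
    $ch = curl_init($cfg['PUSH_URL']);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'username' => $cfg['PUSH_USER'], 'pass' => $cfg['PUSH_PASS'], 'message' => $message,
            'publisherid' => $cfg['PUSH_PUBLISHER_ID'], 'appid' => $cfg['PUSH_APP_ID'],
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,             // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate must match the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // libcurl itself rejects non-HTTPS URLs
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false) {
        error_log('push relay failed: ' . curl_error($ch)); // detail stays in the server log
    }
    return $body !== false && $status >= 200 && $status < 300;
}

// The browser only ever submits the message; it receives a generic result, not the remote response.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $message = is_string($_POST['message'] ?? null) ? trim($_POST['message']) : '';
    echo ($message !== '' && send_push(push_config(), $message)) ? 'Notification sent' : 'Sending failed';
}
```

Passing the fields through http_build_query() sends them URL-encoded, as a normal HTML form would; passing the array directly makes cURL send multipart/form-data instead.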


  • Registered Users Posts: 763 ✭✭✭EIREHotspur


    Thanks a lot for taking the trouble to do that BP....I will work through that tonight.

    Talisman...I appreciate your comments too....straight up I have a great deal I got which makes me very competitive in the App Business here....I don't want to reveal the API document because that would give away whom it is I deal with.

    I will give figuring this out a good go....I don't expect people to do this for me.....you have all spent too much time on it as it is and I appreciate it.

    I hope I can return the favour with some things I do know about.

    Thanks everyone.


  • Registered Users Posts: 6,000 ✭✭✭Talisman


    Honestly there is no secret sauce to push notifications. Provided you can write some code to post data in the required format you don't need to use a third party service provider.

    Push notifications for Windows Phone
    Google Cloud Messaging for Android
    Provider Communication with Apple Push Notification Service


  • Registered Users Posts: 2,781 ✭✭✭amen


    Sorry again but I am not a php head but from reading the php curl documentation all this is doing is sending the user name/password data from the server side to the client's service with the data in CLEAR text.

    This is wrong and to me doesn't pass 1st principles or a basic sniff test (i.e. does the code smell correct)


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    amen wrote: »
    Sorry again but I am not a php head but from reading the php curl documentation all this is doing is sending the user name/password data from the server side to the client's service with the data in CLEAR text.

    This is wrong and to me doesn't pass 1st principles or a basic sniff test (i.e. does the code smell correct)

    Correct, but still a darn sight better than having the username and password as a hidden field on a form which was the original intention.


  • Registered Users Posts: 10,457 ✭✭✭✭28064212


    amen wrote: »
    Sorry again but I am not a php head but from reading the php curl documentation all this is doing is sending the user name/password data from the server side to the client's service with the data in CLEAR text.

    This is wrong and to me doesn't pass 1st principles or a basic sniff test (i.e. does the code smell correct)
    That's a problem for the client's service. If the client's service accepts http requests (as opposed to https), there's nothing wrong with the OP using that ability.

    The original question was about preventing the user of the OP's page from accessing the credentials of the client service. Using a server as an intermediary fulfils that

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, and dark mode). Now available through the extension stores

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Registered Users Posts: 763 ✭✭✭EIREHotspur


    Talisman wrote: »
    ...Provided you can write some code to post data in the required format....

    Therein is the problem....I can't...

    I have however taken everyone's points and postings here and passed them to the Service provider and told them that they should make this their number 1 priority....and they said they would.....

    Thanks


  • Registered Users Posts: 10,457 ✭✭✭✭28064212


    Therein is the problem....I can't...

    I have however taken everyone's points and postings here and passed them to the Service provider and told them that they should make this their number 1 priority....and they said they would.....
    ...what? The way to "solve" the problem at hand is to provide an API. They already do that. I'm not sure what more you want them to do?



