Hiding Database info from view source

EIREHotspur · 17-02-2015 6:03pm #1

I want a php page to be able to read values for a form to connect to a server but as this carrys username and password as well as another few sensitive fields....I don't want anyone lifting the code and being able to access my forms.

Anyone have a tutorial as to how best to achieve this?

I suppose it involves hashing password type fields in phpmyadmin or encrypting/decrypting on the page?

Just cannot google the right terms to get what I want.

thanks in advance.

Graham · 17-02-2015 9:04pm

Are you talking about the username and password used to connect to the database?

bpmurray · 17-02-2015 9:05pm

The PHP code isn't visible in the browser - all it sends is the markup.

EIREHotspur · 17-02-2015 10:15pm

bpmurray wrote: »

The PHP code isn't visible in the browser - all it sends is the markup.

Thanks for the answer bp and sorry....I made a bags of describing it.

I am building a php page with a form that draws values from a database.
The values are sensitive information and I need the markup itself to not be visable.

Reading about Data masking but that is out of the equation pricewise.
I am not that up on PHP to write functions etc

colm_c · 18-02-2015 2:03pm

EIREHotspur wrote: »

Thanks for the answer bp and sorry....I made a bags of describing it.

I am building a php page with a form that draws values from a database.
The values are sensitive information and I need the markup itself to not be visable.

Reading about Data masking but that is out of the equation pricewise.
I am not that up on PHP to write functions etc

Still don't understand what you want to do, if you want to render it so it's readable, but not copyable and/or people can't view source then I'm afraid you're out of luck as that's the nature of the internet/websites/php.

EIREHotspur wrote: »

I am not that up on PHP to write functions etc

This is a bit scary if you're dealing with sensitive data :eek:

Giblet · 18-02-2015 4:29pm

Do you mean you want a value to be ****** ?
You render what you want, if you don't want sensitive data to be found, don't render it in the first place!

EIREHotspur · 18-02-2015 5:38pm

Guys it is a Push Notification Page.
It sits behind a password protected login but it needs username, etc to connect to the server to send them.

I have not put up anything yet until I find a solution.....and there must be one because another guy has a service making $$$ and his source code cannot be seen....

Graham · 18-02-2015 6:41pm

EIREHotspur wrote: »

Guys it is a Push Notification Page.
It sits behind a password protected login but it needs username, etc to connect to the server to send them.

I have not put up anything yet until I find a solution.....and there must be one because another guy has a service making $$$ and his source code cannot be seen....

It sounds like you're confusing the php code with the html that's sent to the browser.

Try this in a file called something like test.php then view the source in a browser.

<!DOCTYPE html>
<html>
<body>

<?php
$username = "TopSecret";
$password = "NoPeeking";
$kangeroo = "skippy";
echo $kangeroo;
?>

</body>
</html>

EIREHotspur · 18-02-2015 6:59pm

Graham...thanks for that....That works and your right.....I am used to Dreamweaver and extensions....

How would I put this in a form which is how this works.

<input type="hidden" name="username" value="jim" />

I would want "jim" to be hidden obviously??

Graham · 18-02-2015 7:02pm

EIREHotspur wrote: »

Graham...thanks for that....That works and your right.....I am used to Dreamweaver and extensions....

How would I put this in a form which is how this works.

<input type="hidden" name="username" value="jim" />

I would want "jim" to be hidden obviously??

If you're submitting to a 3rd party, why would you want anything in a form?

bpmurray · 18-02-2015 7:53pm

If you're trying to associate data with a webpage yet not display it on the page, you can store it in the session. In your PHP code, you can use session_start to create a session, and session_destroy to delete it once the user has logged out. Then you can store stuff in session variables, and they're never sent to the web page but are available to your PHP code. Have a look at this for a simple explanation.

EIREHotspur · 18-02-2015 8:15pm

Thank guys

Graham...a Push Notification is a form.....like an email that targets an App based on appid, username and password for an account etc

Thanks for that BP...I will be studying that example carefully....

Graham · 18-02-2015 8:31pm

EIREHotspur wrote: »

Thank guys

Graham...a Push Notification is a form.....like an email that targets an App based on appid, username and password for an account etc

Thanks for that BP...I will be studying that example carefully....

This form you're talking about, would I be right in guessing that it's on a server/site belonging to someone else?

You're trying to write a script that will submit to this remote form to generate a push notification?

EIREHotspur · 18-02-2015 11:51pm

The form I send is on a page on my server.....the notification gets sent from his server....yes......so hiding it is tricky as it should be a server side script right?

Graham · 19-02-2015 12:47am

EIREHotspur wrote: »

The form I send is on a page on my server.....the notification gets sent from his server....yes......so hiding it is tricky as it should be a server side script right?

The form on your side should probably just contain the message fields (e.g. recipient and message) everything else (username/password) should be added by php after your form is submitted.

How are you transferring the message from your server to his server?

EIREHotspur · 19-02-2015 12:50am

You fill in the message like you would any form on the page and click submit....that passes to his server which passes it on to the App...confirmation is done his side....

Graham · 19-02-2015 1:01am

You should have the form submit the message to your server then use php to send the necessary fields to his server.

EIREHotspur · 19-02-2015 12:43pm

Graham wrote: »

You should have the form submit the message to your server then use php to send the necessary fields to his server.

Sessions is prob the only way to do it....

I started a new Session on page....on the same page I gave it the appid and then tried to use it in the form on the same page...

value="<?php echo $_SESSION["appid"] ;?>" />
shows the appid in view source and works

value="<?php echo $_SESSION["appid"] ;?>" />
does not show " and doesn't work....

Graham · 19-02-2015 1:53pm

If you're trying to populate a form with the credentials for the remote site, stop it before I send someone around with a bat.

Your form should only have the parts that change between each message (e.g. message and recipient), that form should submit to YOUR server. Your server then adds in the credentials (hidden from prying eyes) before it submits everything to the remote server.

EIREHotspur · 19-02-2015 2:20pm

We will have to get a few Bats and head over to America then to the people who supply the service.
You can view the details on their Push Notification Page too.....populated just like mine.
Granted it is behind each users control panel but it strikes me as suicidal to do it this way....I cannot afford to risk these details getting compromised down the line.

MY FORM sits on my server
I hit submit and it reads the details and sends that info to Their Server which pushs it out to the App.

Unless the Form sees each bit of Data it won't work...

Push Notifications are the HUGE selling point of Apps....I have to have a solution...

I was told to use a JavaScript solution
http://scriptasylum.com/tutorials/javascript_encoder.html

But this isn't javascript...

Graham · 19-02-2015 2:49pm

What are you pushing notifications to (iPhones, Android, Web)?

What push notification service are you using?

EIREHotspur · 19-02-2015 3:05pm

To both Android and iPhone

The Publishers own one.

Graham · 19-02-2015 3:39pm

Google this:

php http post to submit to remote form

Then try what I suggested earlier.

19-02-2015 3:47pm

You're not explaining it very well, but is the basic process like this?

User visits your site, fills in some information and submits
Your site contacts the 3rd party notification service with the information, using a pre-defined username and password
The 3rd party notification service pushes out the notifcation

If so, you never need to send the username/password to the user. The user submits their information to your server. Your server adds the username/password, and then sends the information on to the 3rd party.

If that's not the process, then explain it exactly, from start to finish

EIREHotspur · 19-02-2015 4:10pm

Thanks for that Graham....I wonder is this link from googling that close to what you mean??

http://www.html-form-guide.com/php-form/php-form-submit.html

28064212....that's it exactly yes....only of course they login to my site...through some more testing.....it doesn't even need username and password of the account to send the Notfication....but from what I see unless the form sees publisherid and appid it won't submit the form and sends you to a page on their server saying restricted...

The Company helpline told me to try and build a backend using their APIs....had a look at their PDF of that.......oh....JASUS......

19-02-2015 4:16pm

EIREHotspur wrote: »

28064212....that's it exactly yes....but from what I see unless the form sees publisherid and appid it won't submit the form and sends you to a page on their server saying restricted...

So what you're doing at the moment is using the form to submit directly to the 3rd party service?

That's not what you should be doing. The form should submit to your site, another php page where you take in the submitted values from the user, add the publisherid and appid, and your site makes the call to the 3rd party service

Graham · 19-02-2015 4:17pm

EIREHotspur wrote: »

Thanks for that Graham....I wonder is this link from googling that close to what you mean??

http://www.html-form-guide.com/php-form/php-form-submit.html

The Company helpline told me to try and build a backend using their APIs....had a look at their PDF of that.......oh....JASUS......

That's exactly the kind of thing I was talking about.

I wouldn't right off the API either, if it's a JSON interface then it's not massively more complicated the what you're reading about with cURL.

EIREHotspur · 19-02-2015 4:27pm

Thanks lads...I have spent a lot of money over the years on extensions etc to get me where I want to go because detailed coding makes my head hurt....

I have not found out that this guys server runs asp because the confirmation page after the notification is a .ashx.
I have never touched ASP...

I don't know at this point.....another frustrating day....

Can I have a tutorial, example or google term for that 28064212 ??

Graham · 19-02-2015 5:17pm

EIREHotspur wrote: »

Thanks lads...I have spent a lot of money over the years on extensions etc to get me where I want to go because detailed coding makes my head hurt....

I have not found out that this guys server runs asp because the confirmation page after the notification is a .ashx.
I have never touched ASP...

I don't know at this point.....another frustrating day....

Can I have a tutorial, example or google term for that 28064212 ??

It shouldn't make any difference what the server is running on the other side if all you're doing is submitting a form. It looks to me like 28064212s suggestion is the same as mine.

1) Create the message form on your server (e.g. message and recipient fields), this form should POST to 2)
hint -> http://www.w3schools.com/php/php_forms.asp

2) Create a new php script on your server to accept your form submission, catch each form field in its own variable.
hint -> http://www.w3schools.com/php/php_form_validation.asp

3) On script from 2) echo the variables so you can see if they are being captured properly

4) On script from 2) Add two new variables to hold the credentials for the remote server (I assume username and password).

5) Submit all the variables to the remote server
hint -> http://www.html-form-guide.com/php-f...rm-submit.html that you found earlier.

EIREHotspur · 19-02-2015 6:28pm

Thanks for that Graham......lots of stripping out code and no idea where to start with the variables add on.

Like you say....I suppose it is a case of a php page to process the form and then add variables to it to them auto send it on to the PN Server

http://webcheatsheet.com/php/form_processing.php

Graham · 19-02-2015 6:51pm

This is untested but it should give you a starting point:

test.php

<html>
<head>
    <title>Blahhhh</title>
</head>
<body>
<form name="myform" action="send.php" method="POST">
    Recipient: <input type="text" name="recipient" /><br />
    <textarea name="message" rows="10" cols="60">Enter your message here</textarea><br />
    <input type="submit" />
</form>
</body>
</head>
</html>

send.php

<?php
    $recipient = $_POST['Name'];
    $message = $_POST['message'];
    $username = "BOB"; // Don't put real credentials here until you have removed the echo statements
    $password = "NOPEEKING"; // Don't put real credentials here until you have removed the echo statements

// Remove the echo lines when you're happy each variable is getting the value it should
    echo $recipient."<br />";
    echo $message."<br />";
    echo $username."<br />";
    echo $password."<br />";

// Below this point you build the cURL submission to the remote server

?>

EIREHotspur · 19-02-2015 8:00pm

Thanks a lot for that Graham.....that does indeed pass on the form variables to the next page....I will just have to figure out the final part of sending that and the attached username and password fields to the server....I take it that it needs an auto submit script when this page loads?

Graham · 19-02-2015 8:15pm

Something like this:

http://webexplorar.com/php-remote-submit-a-form-and-get-result-using-curl/

EIREHotspur · 19-02-2015 11:53pm

So just to recap.....

My Form goes on test.php

My results plus $publisherid and $appid go on send.php

I place this underneath

// THIS ARRAY CONTAINS THE INPUT FIELDS DATA
$data = array(
'username' => 'username',
'appid' => 'appid'
);

// START THE CURL PROCESS
$ch = curl_init(); // initialize
curl_setopt($ch, CURLOPT_URL, 'http://mywebsite.com'); // form location url
curl_setopt($ch, CURLOPT_POST, 1); // form method
curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // input fileds
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // get form result details
$html = curl_exec($ch); // execute the curl process

// DISPLAY FORM SUBMITTED RESULT
print_r($_POST);

What goes where 'http://mywebsite.com' is..../test.php or /send.php?

Graham · 20-02-2015 8:17am

EIREHotspur wrote: »

What goes where 'http://mywebsite.com' is..../test.php or /send.php?

test.php and send.php both go on your server, you submit to the URL of the remote server that sends the push notifications:

curl_setopt($ch, CURLOPT_URL, '[COLOR="Blue"]http://remoteserver.com/flip/flop/send.aspx[/COLOR]'); // form location url

Change the blue bit to the correct URL of the push servers form.

Your $data array needs to contain all the fields that the form on the push server is expecting. From your snippet it looks like you need to change the $password variable to $appid

EIREHotspur · 20-02-2015 1:23pm

echo $username."<br />";
echo $pass."<br />";
echo $message."<br />";
echo $publisherid."<br />";
echo $appid."<br />";

// Below this point you build the cURL submission to the remote server

// THIS ARRAY CONTAINS THE INPUT FIELDS DATA
$data = array(
'username' => 'username',
'pass' => 'pass',
'message' => 'message',
'publisherid' => 'publisherid',
'appid' => 'appid'
);

// START THE CURL PROCESS
$ch = curl_init(); // initialize
curl_setopt($ch, CURLOPT_URL, 'http://appserver.net/send.ashx'); // form location url
curl_setopt($ch, CURLOPT_POST, 1); // form method
curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // input fileds
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // get form result details
$html = curl_exec($ch); // execute the curl process

// DISPLAY FORM SUBMITTED RESULT
print_r($_POST);

?>

It prints the right values from test.php but it doesn't autosubmit the PN to the server when it gets to the send.php

You are right though....I should dive into PHP and learn it when I get some time......you have spent long enough on this.....I do appreciate it...

amen · 20-02-2015 1:36pm

I am not a php person but if you are using Curl to just call a url like http://www.myurl.com then you are still passing the user credentials in an unencrypted format.

Also why are you not using the provided API ? The API is most likely support, follows industry standards, is secure etc.

lots of stripping out code and no idea where to start with the variables add on.

Thanks lads...I have spent a lot of money over the years on extensions etc to get me where I want to go because detailed coding makes my head hurt....

Are worrying statements. I might be wrong but it sounds like your finding code snippers and/or 3rd party addons and cobbling together a solution with no real understanding of how the parts work or if there are any security/logic holes.

Would it not server you (any customers you have ) to create a proper robust solution ?

EIREHotspur · 20-02-2015 1:42pm

Thanks for that Amen.

I was worried when I seen their page.......this company has deep pockets and they let this solution out (with a We do not recommend it disclaimer)....another guy though has a workaround that I hope he will get back to me on today.....a masking feature through javascript which will provide security behind the control panels I have built in.

It will be robust enough after that.

Thanks to Graham though....obviously he has a great knowledge of PHP.

I got to cook the Books on it when I get some time.

bpmurray · 20-02-2015 1:58pm

Do NOT do it from JavaScript - any "security" you have on a web page is illusory. You must do it from the server end, as in the curl example.

EIREHotspur · 20-02-2015 2:12pm

I can do Apps.....I cannot handcode PHP.....I do not have a great understanding of the complexities of it.

I can use Dreamweaver to connect to databases, use different extensions to provide logins, restrict access to pages based on levels, do queries etc etc.

I didn't expect this companies independent script for sending Push Notifications to be so OPEN.

I don't know enough to use APIs right now....so you do not recommend a Javascript Encoder then?

The only people who will be able to view source are the clients who pay me for an App......as for security in general Microsoft cannot stop all threats so there is no 100% solution...

Talisman · 20-02-2015 3:04pm

What Graham and 28064212 have described for you is the established standard practice for doing what you want.

If you are using curl to post the data from your server to that of the service provider then the data is being sent as clear text. If the service provider has an API then that's what you should be using.

If you posted a link to the API documentation, people would be better able to advise you.

bpmurray · 20-02-2015 5:16pm

OK, sounds like you're heading to the wrong place. I guess we can help you a bit. The code below is pulling together the stuff in the thread, but to continue we'd need to know what's returned by the API. My guess is that you'll have to do a check on the response and then forward the page to somewhere depending on its content.

<html><head><title>Simple example</title>
</head><body>
<?php
   // If it's a POST, the user is being added
   // If it's a GET, the page is being displayed
   // In other words, this code is executed only after the user clicks "Submit"
   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
      $recipient = $_POST['Name'];
      $message = $_POST['message'];
      $username = "BOB";
      $password = "NOPEEKING";
      $publisherid = "sahdlkadhsaldhsaldha";
      $appid = "whatever123";

      // THIS ARRAY CONTAINS THE INPUT FIELDS DATA
      $data = array(
         'username' => $username,
         'pass' => $password,
         'message' => $message,
         'publisherid' =>  $publisherid,
         'appid' => $appid
      );

      // START THE CURL PROCESS
      $ch = curl_init(); // initialize
      curl_setopt($ch, CURLOPT_URL, 'http://appserver.net/send.ashx'); // form location url
      curl_setopt($ch, CURLOPT_POST, 1); // form method 
      curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // input fileds
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // get form result details
      $html = curl_exec($ch); // execute the curl process
      curl_close($ch); // Clean up
      
      // Now $html has the result we want
      // Its format depends on what the API returns - it might be a JSON blob, or it might be a web page or ....

      if ($html == "OK") {
         header("Location: http://www.yourwebsite.com/differentpage.php"); // Go to a different page
         exit();
      }
      // Staying on this page, so let's display the response on the page
      print_r($html);

      
   }
?>
   <!-- We want the form to submit as a POST to this current file -->
   <form name="myform" action="<?php $_SERVER["PHP_SELF"] ?>" method="POST">
       Recipient: <input type="text" name="recipient" /><br />
       <textarea name="message" rows="10" cols="60">Enter your message here</textarea><br />
       <input type="submit" />
   </form>
</body></head>
</html>

Please note - I haven't tested this so it's likely to have typos.

EIREHotspur · 20-02-2015 5:29pm

Thanks a lot for taking the trouble to do that BP....I will work through that tonight.

Talisman...I appreciate your comments too....straight up I have a great deal I got which makes me very competitive in the App Business here....I don't want to reveal the API document because that would give away whom it is I deal with.

I will give figuring this out a good go....I don't expect people to do this for me.....you have all spent too much time on it as it is and I appreciate it.

I hope I can return the favour with some things I do know about.

Thanks everyone.

Talisman · 20-02-2015 5:53pm

Honestly there is no secret sauce to push notifications. Provided you can write some code to post data in the required format you don't need to use a third party service provider.

Push notifications for Windows Phone
Google Cloud Messaging for Android
Provider Communication with Apple Push Notification Service

amen · 21-02-2015 7:16pm

Sorry again but I am not a php head but from reading the php curl documentation all this is doing is sending the user name/password data from the server side to the clients service with the data in CLEAR text.

This is wrong and to me doesn't pass 1st principles or a basic sniff test (i.e. does the code smell correct)

Graham · 21-02-2015 7:28pm

amen wrote: »

Sorry again but I am not a php head but from reading the php curl documentation all this is doing is sending the user name/password data from the server side to the clients service with the data in CLEAR text.

This is wrong and to me doesn't pass 1st principles or a basic sniff test (i.e. does the code smell correct)

Correct, but still a darn site better than having the username and password as a hidden field on a form which was the original intention.

21-02-2015 7:40pm

amen wrote: »

Sorry again but I am not a php head but from reading the php curl documentation all this is doing is sending the user name/password data from the server side to the clients service with the data in CLEAR text.

This is wrong and to me doesn't pass 1st principles or a basic sniff test (i.e. does the code smell correct)

That's a problem for the client's service. If the client's service accepts http requests (as opposed to https), there's nothing wrong with the OP using that ability.

The original question was about preventing the user of the OP's page from accessing the credentials of the client service. Using a server as an intermediary fulfils that

EIREHotspur · 21-02-2015 9:07pm

Talisman wrote: »

...Provided you can write some code to post data in the required format....

Therein is the problem....I can't...

I have however took everyone's points and postings here and passed them to the Service provider and told them that they should make this their number 1 priority....and they said they would.....

Thanks

21-02-2015 9:18pm

EIREHotspur wrote: »

Therein is the problem....I can't...

I have however took everyone's points and postings here and passed them to the Service provider and told them that they should make this their number 1 priority....and they said they would.....

...what? The way to "solve" the problem at hand is to provide an API. They already do that. I'm not sure what more you want them to do?

Hiding Database info from view source

Comments