[Taero]

Hi, I am trying to create a web service in php... After finding a few examples on DreamInCode and other websites I did get a web service working which will return XML/JSON (see code below). But I am now trying to wrap my head around how I can keep everything contained within the web service and have it be secure.

Using $_GET variables seems very insecure...

I have created PHP/MYSQL login forms before using only $_POST variables, which is definitely a little more secure, and if this was just a web application I would probably use $_POST variables to authenticate and create a session for the user.

However I would like to start consuming this web service using android and ios devices, in addition to a website interface.

So how do I go about logging a user in securely using only a php webservice?

Although a link to an example or tutorial would be great (I've been searching for days), any advice is greatly appreciated!

<?php
/* require the user as the parameter */
//if(isset($_GET['user']) && intval($_GET['user'])) {

$oneToSearch = $_GET['dude'];
  /* soak in the passed variable or set our own */
  $format = strtolower($_GET['format']) == 'json' ? 'json' : 'xml'; //xml is the default

  /* connect to the db */
  $link = mysql_connect('mysql.fake.net','root','pass') or die('Cannot connect to the DB');
  mysql_select_db('crlogin',$link) or die('Cannot select the DB');

  /* grab the rows from the db */
  $query = "SELECT * FROM `users` WHERE `username` LIKE '$oneToSearch'";
  $result = mysql_query($query,$link) or die('Errant query:  '.$query);

  /* create one master array of the records */
  $tests = array();
  if(mysql_num_rows($result)) {
    while($test = mysql_fetch_assoc($result)) {
      $tests[] = array('test'=>$test);
    }
  //}

  /* output in necessary format */
  if($format == 'json') {
    header('Content-type: application/json');
    echo json_encode(array('tests'=>$tests));
  }
  else {
    header('Content-type: text/xml');
    echo '<tests>';
    foreach($tests as $index => $test) {
      if(is_array($test)) {
        foreach($test as $key => $value) {
          echo '<',$key,'>';
          if(is_array($value)) {
            foreach($value as $tag => $val) {
              echo '<',$tag,'>',htmlentities($val),'</',$tag,'>';
            }
          }
          echo '</',$key,'>';
        }
      }
    }
    echo '</tests>';
  }

  /* disconnect from the db */
  @mysql_close($link);
}
?>

[e_i_pi]

First suggestion I would have is start using PDOs. The mysql* functions are obselete, and should not be used due to security issues.

[Taero]

Thank you for your response e_i_pi, I am certainly going to take some time to understand PDO's in PHP.

[CTphpnwb]

You might also look into SSL certificates.

[Taero]

Okay, so after looking into PDO's I am still trying to figure out how I can keep my login more secure, and if possible, more portable (web service based?), as I would really like to start learning more about consuming php webservices from other languages/devices.

Here is an example I made with PDO's. I get a username/password from a $_POST variable on the login page. (By the way, when using PDO's is there any step required to filter out syntax from sql injection?) If my MAX(COUNT) is greater than 1 I know the user exists, and I can create a session, which is great if im accessing the webservice through a php file...

I believe this is fairly secure (please point out any potential flaws), but aside from using an SSL certificate is there a way to do it securely without relying on $_POST?

login.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form action="webservice.php" method="post">
  <p>Username:
    <input name="user" type="text" />
  </p>
  <p>
    Password:
    <input name="password" type="password" />
  </p>
  <p>
    <input type="submit" name="btnSubmit" id="btnSubmit" value="Submit" />
  </p>
</form>
</body>
</html>

webservice.php

<?php
session_start();
try {
$dbh = new PDO("mysql:host=mysql.fake.net;dbname=crlogin",'username', 'password');
} catch (PDOException $e)
{
	echo $e->getMessage();
}
if ($_POST['user'] != null and $_POST['user'] != "" and $_POST['password'] != null and $_POST['password'] != "")
{
$username = $_POST['user'];
$password = $_POST['password'];
$sth = $dbh->query("SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'");
$result = $sth->fetchAll(PDO::FETCH_OBJ);
$sth1 = $dbh->query("SELECT * FROM tblItem");
$result1 = $sth1->fetchAll(PDO::FETCH_OBJ);
switch ($result[0]->{'COUNT(*)'})
{
case 0;
echo 'Invalid username or password';
break;

case 1;
$_SESSION['x'] = 'success';

print_r($result1);
echo "it worked!";
break;
	
}


//echo $result[0]->{'COUNT(*)'};
//print_r($result);
}

?>

[JackOfAllTrades]

Prepared Statements.

Also read the PHP Security link pinned at the top of the forum.

[e_i_pi]

To extrapolate on what JackOfAllTrades said, Prepared Statements are the key to proofing yourself against SQL injection. For example, your above code has this:

$sth = $dbh->query("SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'");  
$result = $sth->fetchAll(PDO::FETCH_OBJ);  

...which, with Prepared Statements, looks like this...

$stmt = $dbh->prepare("SELECT COUNT(*) FROM users WHERE username=:username and password=:password");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();
$stmt->fetchAll(PDO::FETCH_OBJ);

This post has been edited by e_i_pi: 28 June 2012 - 05:34 PM

[CTphpnwb]

Or it might look like this:

$stmt = $dbh->prepare("SELECT COUNT(*) FROM users WHERE username= ? and password= ?");
$stmt->execute(array($username, $password));
$stmt->fetchAll(PDO::FETCH_OBJ);

But it will never have variables for the data portions of the query.