7 Replies - 10359 Views - Last Post: 28 June 2012 - 06:58 PM

#1 Taero

  • New D.I.C Head

Reputation: 0
  • Posts: 6
  • Joined: 03-May 12

Web Service & Secure User Login

Posted 26 June 2012 - 02:16 PM

Hi, I am trying to create a web service in php... After finding a few examples on DreamInCode and other websites I did get a web service working which will return XML/JSON (see code below). But I am now trying to wrap my head around how I can keep everything contained within the web service and have it be secure.

Using $_GET variables seems very insecure...

I have created PHP/MYSQL login forms before using only $_POST variables, which is definitely a little more secure, and if this was just a web application I would probably use $_POST variables to authenticate and create a session for the user.

However I would like to start consuming this web service using android and ios devices, in addition to a website interface.

So how do I go about logging a user in securely using only a php webservice?

Although a link to an example or tutorial would be great (I've been searching for days), any advice is greatly appreciated!

<?php
/* require the user as the parameter */
//if(isset($_GET['user']) && intval($_GET['user'])) {

$oneToSearch = $_GET['dude'];
  /* soak in the passed variable or set our own */
  $format = strtolower($_GET['format']) == 'json' ? 'json' : 'xml'; //xml is the default

  /* connect to the db */
  $link = mysql_connect('mysql.fake.net','root','pass') or die('Cannot connect to the DB');
  mysql_select_db('crlogin',$link) or die('Cannot select the DB');

  /* grab the rows from the db */
  $query = "SELECT * FROM `users` WHERE `username` LIKE '$oneToSearch'";
  $result = mysql_query($query,$link) or die('Errant query:  '.$query);

  /* create one master array of the records */
  $tests = array();
  if(mysql_num_rows($result)) {
    while($test = mysql_fetch_assoc($result)) {
      $tests[] = array('test'=>$test);
    }
  //}

  /* output in necessary format */
  if($format == 'json') {
    header('Content-type: application/json');
    echo json_encode(array('tests'=>$tests));
  }
  else {
    header('Content-type: text/xml');
    echo '<tests>';
    foreach($tests as $index => $test) {
      if(is_array($test)) {
        foreach($test as $key => $value) {
          echo '<',$key,'>';
          if(is_array($value)) {
            foreach($value as $tag => $val) {
              echo '<',$tag,'>',htmlentities($val),'</',$tag,'>';
            }
          }
          echo '</',$key,'>';
        }
      }
    }
    echo '</tests>';
  }

  /* disconnect from the db */
  @mysql_close($link);
}
?>




Replies To: Web Service & Secure User Login

#2 e_i_pi


Reputation: 800
  • Posts: 1,688
  • Joined: 30-January 09

Re: Web Service & Secure User Login

Posted 26 June 2012 - 03:56 PM

First suggestion I would have is to start using PDOs. The mysql* functions are obsolete, and should not be used due to security issues.
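The lookup endpoint from the opening post rewritten with PDO and a prepared statement, as an added example that is not code from the thread. It assumes the `users` table has `id` and `username` columns, renames the `dude` parameter to `user` (the name the commented-out line in the original used), and uses placeholder host and credentials; the XML is built with DOMDocument so that field values are escaped by the library rather than by hand.

```php
<?php
// Added example, not from the thread: the user-lookup web service with PDO.
// Host, database name and credentials are placeholders.
declare(strict_types=1);

function connectDb(): PDO
{
    $dsn = 'mysql:host=mysql.example.invalid;dbname=crlogin;charset=utf8mb4';
    return new PDO($dsn, 'service_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/** Look up a user by exact username; the value is bound, never interpolated. */
function findUsers(PDO $pdo, string $username): array
{
    // Select only the columns a client needs; never "SELECT *" from a table
    // that also holds password data.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

/** Build the XML with DOMDocument so element text is escaped by the library. */
function renderXml(array $rows): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->createElement('tests');
    $doc->appendChild($root);
    foreach ($rows as $row) {
        $test = $doc->createElement('test');
        foreach ($row as $key => $value) {
            // createElement() with a text argument does NOT escape, so the value
            // goes in as a text node: '<' or '&' in data cannot break the document.
            $el = $doc->createElement($key);
            $el->appendChild($doc->createTextNode((string) $value));
            $test->appendChild($el);
        }
        $root->appendChild($test);
    }
    return $doc->saveXML();
}

// --- request handling ---
$username = isset($_GET['user']) ? (string) $_GET['user'] : '';
if ($username === '' || strlen($username) > 64) {
    http_response_code(400);
    exit('missing or invalid user parameter');
}
$format = (isset($_GET['format']) && strtolower((string) $_GET['format']) === 'json') ? 'json' : 'xml';

try {
    $rows = findUsers(connectDb(), $username);
} catch (PDOException $e) {
    // Keep driver messages in the server log; the client only learns that something failed.
    error_log('db error: ' . $e->getMessage());
    http_response_code(500);
    exit('internal error');
}

if ($format === 'json') {
    header('Content-Type: application/json');
    echo json_encode(['tests' => $rows]);
} else {
    header('Content-Type: text/xml; charset=UTF-8');
    echo renderXml($rows);
}
```

Note that with a bound parameter the `LIKE '$oneToSearch'` pattern from the original becomes an exact `=` match; if wildcard searching is actually wanted, the pattern still goes in through the bound value, not into the query string.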

#3 Taero

  • New D.I.C Head

Reputation: 0
  • Posts: 6
  • Joined: 03-May 12

Re: Web Service & Secure User Login

Posted 26 June 2012 - 04:25 PM

Thank you for your response e_i_pi, I am certainly going to take some time to understand PDOs in PHP.

#4 CTphpnwb

  • D.I.C Lover

Reputation: 3075
  • Posts: 10,783
  • Joined: 08-August 08

Re: Web Service & Secure User Login

Posted 27 June 2012 - 06:34 AM

You might also look into SSL certificates.

#5 Taero

  • New D.I.C Head

Reputation: 0
  • Posts: 6
  • Joined: 03-May 12

Re: Web Service & Secure User Login

Posted 28 June 2012 - 03:48 PM

Okay, so after looking into PDOs I am still trying to figure out how I can keep my login more secure, and if possible, more portable (web service based?), as I would really like to start learning more about consuming php webservices from other languages/devices.

Here is an example I made with PDOs. I get a username/password from a $_POST variable on the login page. (By the way, when using PDOs is there any step required to filter out syntax from sql injection?) If my MAX(COUNT) is greater than 1 I know the user exists, and I can create a session, which is great if I'm accessing the webservice through a php file...

I believe this is fairly secure (please point out any potential flaws), but aside from using an SSL certificate is there a way to do it securely without relying on $_POST?

login.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form action="webservice.php" method="post">
  <p>Username:
    <input name="user" type="text" />
  </p>
  <p>
    Password:
    <input name="password" type="password" />
  </p>
  <p>
    <input type="submit" name="btnSubmit" id="btnSubmit" value="Submit" />
  </p>
</form>
</body>
</html>



webservice.php
<?php
session_start();
try {
    $dbh = new PDO("mysql:host=mysql.fake.net;dbname=crlogin", 'username', 'password');
} catch (PDOException $e) {
    echo $e->getMessage();
    exit; // without a connection nothing below can run
}
// isset() avoids undefined-index notices when the fields were not posted
if (isset($_POST['user'], $_POST['password']) && $_POST['user'] != "" && $_POST['password'] != "")
{
    $username = $_POST['user'];
    $password = $_POST['password'];
    $sth = $dbh->query("SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'");
    $result = $sth->fetchAll(PDO::FETCH_OBJ);
    $sth1 = $dbh->query("SELECT * FROM tblItem");
    $result1 = $sth1->fetchAll(PDO::FETCH_OBJ);
    switch ($result[0]->{'COUNT(*)'})
    {
        case 0:
            echo 'Invalid username or password';
            break;

        case 1:
            $_SESSION['x'] = 'success';

            print_r($result1);
            echo "it worked!";
            break;
    }

    //echo $result[0]->{'COUNT(*)'};
    //print_r($result);
}
?>



#6 JackOfAllTrades

  • Saucy!

Reputation: 6092
  • Posts: 23,612
  • Joined: 23-August 08

Re: Web Service & Secure User Login

Posted 28 June 2012 - 03:58 PM

Prepared Statements.

Also read the PHP Security link pinned at the top of the forum.

#7 e_i_pi


Reputation: 800
  • Posts: 1,688
  • Joined: 30-January 09

Re: Web Service & Secure User Login

Posted 28 June 2012 - 05:34 PM

To extrapolate on what JackOfAllTrades said, Prepared Statements are the key to proofing yourself against SQL injection. For example, your above code has this:
$sth = $dbh->query("SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'");  
$result = $sth->fetchAll(PDO::FETCH_OBJ);  


...which, with Prepared Statements, looks like this...
$stmt = $dbh->prepare("SELECT COUNT(*) FROM users WHERE username=:username and password=:password");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();
$stmt->fetchAll(PDO::FETCH_OBJ);


This post has been edited by e_i_pi: 28 June 2012 - 05:34 PM


#8 CTphpnwb

  • D.I.C Lover

Reputation: 3075
  • Posts: 10,783
  • Joined: 08-August 08

Re: Web Service & Secure User Login

Posted 28 June 2012 - 06:58 PM

Or it might look like this:
$stmt = $dbh->prepare("SELECT COUNT(*) FROM users WHERE username= ? and password= ?");
$stmt->execute(array($username, $password));
$stmt->fetchAll(PDO::FETCH_OBJ);


But it will never have variables for the data portions of the query.
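The login check from webservice.php rebuilt around the two replies above, as an added example that is not code from the thread. It shows both binding styles (named placeholders as in e_i_pi's snippet, positional as in CTphpnwb's) and, going one step past what the thread covers, stops putting the password in the query at all: the example assumes a `users` table with a `password_hash` column filled by PHP's `password_hash()`, so the check is done by `password_verify()` against the stored digest. Connection details are placeholders.

```php
<?php
// Added example, not from the thread: the login endpoint with prepared
// statements and hashed password verification. Assumes `users(username,
// password_hash)` where password_hash was produced by password_hash().
declare(strict_types=1);

function connectDb(): PDO
{
    $pdo = new PDO(
        'mysql:host=mysql.example.invalid;dbname=crlogin;charset=utf8mb4',
        'service_user', 'PLACEHOLDER_PASSWORD'
    );
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

/** Named placeholders (e_i_pi's style): returns the stored hash or null if no such user. */
function fetchHashNamed(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

/** Positional placeholders (CTphpnwb's style): same query, same result. */
function fetchHashPositional(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

/**
 * Verify a login. The password is never part of any query: the table holds a
 * password_hash() digest and password_verify() does the comparison, so a dump
 * of the users table does not hand out plaintext passwords.
 */
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $hash = fetchHashNamed($pdo, $username);
    if ($hash === null) {
        // Verify against a dummy hash so an unknown user costs about as much
        // time as a wrong password, instead of returning instantly.
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// --- request handling: form fields in, JSON out, so the HTML form and the
// Android/iOS clients call the same endpoint. Serve it over HTTPS (the SSL
// certificate suggestion earlier in the thread): prepared statements stop
// injection, they do nothing for credentials crossing the network in clear.
header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['ok' => false, 'error' => 'POST required']);
    exit;
}
$username = trim((string) ($_POST['user'] ?? ''));
$password = (string) ($_POST['password'] ?? '');
if ($username === '' || $password === '' || strlen($username) > 64) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'username and password required']);
    exit;
}
try {
    $ok = checkLogin(connectDb(), $username, $password);
} catch (PDOException $e) {
    error_log('login db error: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    echo json_encode(['ok' => false, 'error' => 'internal error']);
    exit;
}
if (!$ok) {
    http_response_code(401);
    echo json_encode(['ok' => false, 'error' => 'invalid username or password']);
    exit;
}
session_start();
session_regenerate_id(true); // fresh session id once the user is authenticated
$_SESSION['user'] = $username;
echo json_encode(['ok' => true, 'user' => $username]);
```

The single failure message for "no such user" and "wrong password" is deliberate: the original `COUNT(*)` check cannot tell the two apart either, and a response that did would let a caller enumerate usernames.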
