Jump to content

Recommended Posts

Hi,

My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php).

The bridge works fine and is used mainly for my IOT projects.

In the same web folder, is located the conn.php code containing the server's credentials.

The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned.

TIA

Link to comment
https://forums.phpfreaks.com/topic/311290-security-question/
Share on other sites

What is this "bridge"?

Your code is safe in that people cannot read it directly. What you have to worry is about what all your code does. Have some script that outputs HTML files? Make sure it can't be tricked into outputting PHP files...

Link to comment
https://forums.phpfreaks.com/topic/311290-security-question/#findComment-1580435
Share on other sites

<?php

include 'db_conn.php';

// Keep this API Key value to be compatible with the ESP32 code provided in the project page. If you change this value, the ESP32 sketch needs to match
$api_key_value = "myKey";
$api_key = $board = $ip = "";
//printf('<pre>Contents of $_POST %s</pre>', print_r($_POST, true));

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    //printf('<pre>Contents of $_POST %s</pre>', print_r($_POST, true));
    //var_dump($_POST)."<br>";
    
    $api_key = test_input($_POST["api_key"]);
    
    //printf('<pre>Contents of $api_key: %s</pre>', print_r($api_key, true));
    
    if($api_key == $api_key_value) {
        $ip = test_input($_POST["ip"]);
        $board = test_input($_POST["board"]);
        $uptime = test_input($_POST["uptime"]);
        $temp = test_input($_POST["temp"]);
        
        $conn = OpenCon();
        
        // Check connection
        if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
        }
        else {
            //echo "Connected!"."<br>";
            }

        $sql = "INSERT INTO washupips (board, uptime, temp, ip) VALUES ( '" . $board . "', '" . $uptime. "', '" . $temp . "','" . $ip . "')" ;
        
        //printf('<pre>Contents of $sql %s</pre>', print_r($sql, true));
        
        if ($conn->query($sql) === TRUE) {
            echo "New record created successfully";
        }
        else {
            echo "Error: " . $sql . "<br>" . $conn->error;
        }
    
        $conn->close();
    }
    else {
        echo "Wrong API Key provided.";
    }

}
else {
    echo "No data posted with HTTP POST.";
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

Ok, I see the confusion, perhaps bridge is not the right definition in English.

Normally, to store data to a DB we access it via an IP, no matter where that location is. In my case and for security reasons, the IP is not accessible via the Internet, but it's accessible via a web server since both servers are in the same ISP's network.

So, I'm using a "bridge" to hop from the ISP's web server to the DB server as shown in the above code.

Link to comment
https://forums.phpfreaks.com/topic/311290-security-question/#findComment-1580438
Share on other sites

Ah. Judging by the description I thought you needed this script for you personally to run the occasional database query.

You need to think of this as an API instead of a "bridge".

Each IoT device has a key to identify it. Your script takes the key it receives and verifies it is valid and good for whatever action. Only then does it insert data.

Make sure all of this is over SSL. It needs to be. You also need to switch to prepared statements instead of using that test_input thing you have.

Link to comment
https://forums.phpfreaks.com/topic/311290-security-question/#findComment-1580447
Share on other sites

By the way, your test_input function is a block of code from the 90's that needs to be taken behind the barn and shot and buried forever. Surprised to still see that floating around. Additionally, NEVER EVER put variables in your query. You need to use prepared statements

Link to comment
https://forums.phpfreaks.com/topic/311290-security-question/#findComment-1580450
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.