php - Good way to secure GET request?


I am building a sample server so that I can learn PHP and was wondering if this is a good way to secure my database. Essentially I am sending my own API key. Is this even doing anything useful, or would this be easy to overcome?

If this is horrible, what is the standard way to approach this?

Below is the PHP file:

<?php
//Check if insert function exists
$apiKey = "6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF";

if(function_exists($_GET['insert']) && ($_GET['key'])==$apiKey) {

    $id = $_GET['id'];
    $first=$_GET['first'];
    $last = $_GET['last'];

    //If found, call the function insert with value as a parameter
    $_GET['insert']($id,$first,$last);
}
?>

The web request looks like this (from an iOS app):

    NSURL*url=[NSURL URLWithString:@"http://localhost/Tutorials/index.php?insert=insert&id=9000&first=YOOOO&last=LOOOO&key=6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF"];

    //URL request
    NSURLRequest*request=[NSURLRequest requestWithURL:url];

    //Set the connection
    connection = [NSURLConnection connectionWithRequest:request delegate:self];

    if (connection) {
        webData=[[NSMutableData alloc]init];
    }

Answer

Solution:

To demonstrate how insecure it is, I could request this page:

http://example.com/yourpage.php?insert=exec&id=rm+-rf+%2F&key=6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF

Unless some configuration blocks it, this will wipe your server's drive as far as PHP has access to it (which will probably be your entire website).

Instead, you should create a list of valid functions, and refer to them by ID. Store the functions in an array, and get the index pointed to by a GET parameter.
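The allowlist the answer above describes, written out as an added example (this is not the asker's file and not code from either answer). It assumes a MySQL table named `people(id, first, last)` reachable over PDO, the API key held in an `API_KEY` environment variable, and a `DB_PASSWORD` variable for the database user; all of those names are placeholders chosen for the example. The client keeps sending an action name, but that name is only ever used as a key into a fixed array, so nothing the client sends can select an arbitrary PHP function such as `exec`.

```php
<?php
// Added example, not the original page's code: allowlist dispatch in place of
// calling whatever function name arrives in $_GET['insert'].
// Assumed: table `people(id, first, last)`, env vars API_KEY and DB_PASSWORD.

declare(strict_types=1);

// The only operations a client can ever trigger. The request carries an
// action name that is looked up here; it is never treated as a PHP function.
$actions = [
    'insert' => 'insertPerson',
];

function insertPerson(PDO $db, int $id, string $first, string $last): bool
{
    // Prepared statement: the values are bound, never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO people (id, first, last) VALUES (:id, :first, :last)');
    return $stmt->execute([':id' => $id, ':first' => $first, ':last' => $last]);
}

function respond(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $message;
    exit;
}

// 1. Refuse plaintext HTTP so the key is not readable on the wire.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    respond(403, 'HTTPS required');
}

// 2. Compare the key in constant time; reading it from the environment keeps
//    it out of the source file.
$apiKey  = getenv('API_KEY');
$sentKey = $_GET['key'] ?? '';
if ($apiKey === false || !hash_equals($apiKey, $sentKey)) {
    respond(401, 'Invalid key');
}

// 3. Resolve the action through the allowlist, not through function_exists().
$action = $_GET['insert'] ?? '';
if (!array_key_exists($action, $actions)) {
    respond(400, 'Unknown action');
}

// 4. Validate each parameter before it reaches the database.
$id    = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$first = $_GET['first'] ?? '';
$last  = $_GET['last'] ?? '';
$namePattern = '/^[\p{L} \'-]{1,64}$/u';
if ($id === false || $id === null
    || !preg_match($namePattern, $first)
    || !preg_match($namePattern, $last)) {
    respond(400, 'Bad parameters');
}

$db = new PDO('mysql:host=localhost;dbname=tutorial', 'app', getenv('DB_PASSWORD') ?: '', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Only a value taken from $actions is ever called.
$ok = $actions[$action]($db, $id, $first, $last);
respond($ok ? 200 : 500, $ok ? 'inserted' : 'insert failed');
```

With this in place the request from the question (`?insert=exec&id=rm+-rf+%2F&key=...`) stops at step 3 with a 400, because `exec` is not a key in `$actions`. A request that changes the database is also better sent as a POST than a GET, since GET query strings end up in browser history, proxy logs and the web server's access log, key included.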


Answer

Solution:

Yes, that is not secure. You can force the client into an HTTPS connection, or use some kind of two-way encryption, because the current way is very insecure.

Have a look here:

http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/
