Shared Hosting (Solved)


EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Tue May 05, 2020 7:36 am

Hi all,

I have tested out both ways, using the hostm API and bangkok's way of establishing a secure connection to the database. Bangkok's way was the easier way to get things done and it is so much simpler than using the API. I'd like to thank everyone for their input; this thread has given me great advice.

Thank you!
Eddie :D

FourthWorld
VIP Livecode Opensource Backer
Posts: 10053
Joined: Sat Apr 08, 2006 7:05 am

Re: Shared Hosting

Post by FourthWorld » Tue May 05, 2020 8:03 am

EddieLee wrote:
Tue May 05, 2020 7:36 am
I have tested out both ways using hostm API and bangkok's way of establishing a secure connection to the database. Bangkok's way was the easier way to get things done and it is so much simpler than using the API.
There is often a spectrum with "simple" at one end and "secure" at the other. Find the place on that line which best fits your project's requirements...
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Tue May 05, 2020 8:26 am

FourthWorld wrote:
Tue May 05, 2020 8:03 am
EddieLee wrote:
Tue May 05, 2020 7:36 am
I have tested out both ways using hostm API and bangkok's way of establishing a secure connection to the database. Bangkok's way was the easier way to get things done and it is so much simpler than using the API.
There is often a spectrum with "simple" at one end and "secure" at the other. Find the place on that line which best fits your project's requirements...
Hi fourthworld

Do you have any comments on Bangkok's way of establishing a secure connection? I know that compared to the API it will not be as secure, but is it still a secure way?
Eddie :D

bangkok
VIP Livecode Opensource Backer
Posts: 937
Joined: Fri Aug 15, 2008 7:15 am

Re: Shared Hosting

Post by bangkok » Tue May 05, 2020 11:51 am

EddieLee wrote:
Tue May 05, 2020 8:26 am
Do you have any comments on Bangkok's way of establishing a secure connection? I know that compared to the API it will not be as secure, but is it still a secure way?
No it's not. It was just an example to show you the mechanism.

For 2 reasons:
- queries sent by the app to the .lc webpage are not encrypted
- and there are no controls/checks done on the nature of the SQL queries that are received (by the .lc webpage and then sent to your DB server)

Now.... your data are probably not "state secret"... However, beware of "SQL injection attacks", if you deal with UPDATE or INSERT (or DELETE) etc.

For encryption, easy. Check encrypt/decrypt commands in LC dictionary.

As for "SQL injection attacks", Google will give you many solutions and ideas.

EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Tue May 05, 2020 12:34 pm

bangkok wrote:
Tue May 05, 2020 11:51 am

No it's not. It was just an example to show you the mechanism.

For 2 reasons:
- queries sent by the app to the .lc webpage are not encrypted
- and there are no controls/checks done on the nature of the SQL queries that are received (by the .lc webpage and then sent to your DB server)

Now.... your data are probably not "state secret"... However, beware of "SQL injection attacks", if you deal with UPDATE or INSERT (or DELETE) etc.

For encryption, easy. Check encrypt/decrypt commands in LC dictionary.

As for "SQL injection attacks", Google will give you many solutions and ideas.
Hi Bangkok,

Thanks for your reply. So am I still connecting to the database directly in this way? Can you point me in the direction of how to set a control/check on the SQL queries received? And when you say encrypting the queries, is it the SQL statement (select/insert/update)? Will a base64Encode/Decode be fine? For the "SQL injection attacks" I will do more research on Google on how to prevent them.
Eddie :D

ghettocottage
Livecode Opensource Backer
Posts: 366
Joined: Tue Apr 10, 2012 9:18 am

Re: Shared Hosting

Post by ghettocottage » Tue May 05, 2020 4:30 pm

Here is a thread on encrypting that I bumbled through a few years back:
https://forums.livecode.com/viewtopic.p ... 2&start=15

When you have lc files on your server that have all of your queries pre-written, that is a type of security: your server does not just accept any sql query sent to it, but only the very specific queries.

Encrypting data you send to your server, and decrypting it on your server, then encrypting the data sent back to your app is another kind of security.

There are layers of security that you can use.

Not telling your friends your password you use everywhere is also a type of security.

FourthWorld
VIP Livecode Opensource Backer
Posts: 10053
Joined: Sat Apr 08, 2006 7:05 am

Re: Shared Hosting

Post by FourthWorld » Tue May 05, 2020 7:16 pm

EddieLee wrote:
Tue May 05, 2020 8:26 am
Do you have any comments on Bangkok's way of establishing a secure connection? I know that compared to the API it will not be as secure, but is it still a secure way?
Both use a server-side script to protect the database, so the main difference between them is merely completeness.

Your server uses HTTPS, yes?

How do you handle user authentication?

EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Wed May 06, 2020 3:34 am

FourthWorld wrote:
Tue May 05, 2020 7:16 pm
EddieLee wrote:
Tue May 05, 2020 8:26 am
Do you have any comments on Bangkok's way of establishing a secure connection? I know that compared to the API it will not be as secure, but is it still a secure way?
Both use a server-side script to protect the database, so the main difference between them is merely completeness.

Your server uses HTTPS, yes?

How do you handle user authentication?
Hi fourthworld,

Thanks for the reply, and yes, my server uses HTTPS. For now there's no user authentication yet, because it does not require users to log in/sign up.
Eddie :D

EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Wed May 06, 2020 3:39 am

ghettocottage wrote:
Tue May 05, 2020 4:30 pm
Here is a thread on encrypting that I bumbled through a few years back:
https://forums.livecode.com/viewtopic.p ... 2&start=15

When you have lc files on your server that have all of your queries pre-written, that is a type of security: your server does not just accept any sql query sent to it, but only the very specific queries.

Encrypting data you send to your server, and decrypting it on your server, then encrypting the data sent back to your app is another kind of security.

There are layers of security that you can use.

Not telling your friends your password you use everywhere is also a type of security.
Hi ghetto,

What do you mean by having my queries pre-written? It looks intriguing; any idea on how to do that? However, it seems complex to do, because there are so many different SQL queries that would need to be written beforehand.
Eddie :D

ghettocottage
Livecode Opensource Backer
Posts: 366
Joined: Tue Apr 10, 2012 9:18 am

Re: Shared Hosting

Post by ghettocottage » Wed May 06, 2020 5:36 am

EddieLee wrote:
What do you mean by having my queries pre-written? It looks intriguing; any idea on how to do that? However, it seems complex to do, because there are so many different SQL queries that would need to be written beforehand.
There are better ways of doing this, but for the sake of simplifying...

Here is an example, with 4 parts. It sends a request from your app to your server, and your server sorts through what you are asking it for to get to the query you have pre-written in a folder. Assume you have a "people" table and want to search a person's name:

1. on your app you might have a search field that you can type in a name and send that query to your server to search your people table:

Code:

on searchPeople
   --get the search term from the search field, trimmed of surrounding whitespace
   put empty into tSearch
   put fld "search" into tSearch
   put word 1 to -1 of tSearch into tSearch
   --an empty search becomes a wildcard
   if tSearch is empty then
      put "%" into tSearch
   end if

   --get the info to send
   put "people" into tTable
   put "search" into tType
   --encode the type, table and search term (aesEncode is the poster's own helper)
   put aesEncode(tType) into tType
   put aesEncode(tTable) into tTable
   put aesEncode(tSearch) into tSearch
   --build the form body from the encoded values
   put "type=" & tType & "&table=" & tTable & "&search=" & tSearch into tStuffToPost

   --post it to the server
   post tStuffToPost to URL gURL

   --decode the response
   put aesDecode(it) into tData

   --check the result and display the data or an error message
   if tData contains "revdberr" then
      answer error tData
   end if
   --put it into the datagrid
   set the dgText of group "data" to tData
   set the dgHilitedLines of group "data" to 1

   if tData is "No Results" then
      notifyWindow "No Results", "Your search was empty"
   end if
end searchPeople



2. On your server you can have something like this as your index page, which routes your request to the proper files:

Code:

<?lc
/*****************************************
 what sort of post request is this?
*****************************************/
--if this is a DB query then grab the file db/dbconnect.lc
put $_POST["type"] into tType
if tType is not empty then
   include "db/dbconnect.lc"
else
   --if this is an html request grab the webpage parts
   include "parts/header.lc"
   include "parts/menu.lc"
   include "parts/content.lc"
   include "parts/footer.lc"
end if
?>

3. The file db/dbconnect.lc will open your database connection, and look at what tables you want to look at:

Code:

<?lc
/*****************************************
   check what sort of db request this is
*****************************************/
--data type and table name (aesDecode is the poster's own helper)
put aesDecode($_POST["type"]) into tType
put aesDecode($_POST["table"]) into tTable

/*****************************************
   database connection
*****************************************/
--configure the database settings:
put "yourdatabasename" into tDatabaseName
put "yourdatabaseuser" into tDatabaseUser
put "yourdatabasepassword" into tDatabasePassword
--end database settings

--get the db connection
put revOpenDatabase("MySQL", "127.0.0.1", tDatabaseName, tDatabaseUser, tDatabasePassword, true) into gConnectionID

--check that it connected okay
if gConnectionID is not a number then
   put "connection not connecting"
else
   --connected okay: include the file with the correct queries,
   --in this case people/search.lc
   --(tTable and tType come from the request, so this include path
   --is only as trustworthy as the checks done on those two values)
   include tTable & "/" & tType & ".lc"
end if
?>

4. And finally, the file people/search.lc, which has your pre-written SQL query to search your people table:

Code:

<?lc
/*****************************************
   grab the search query
*****************************************/
put aesDecode($_POST["search"]) into tSearch

--name search: set the order and limit
put "DESC" into tOrder
put 100 into tLimit
--get the first and last name
put word 1 of tSearch into fName
put word 2 of tSearch into lName

--search for person by name
put "your.amazing.mysql.query.goes.here.that.searches.your.people.table" into tSQL

/*****************************************
   send the results back
*****************************************/
put revDataFromQuery(tab, cr, gConnectionID, tSQL) into tData

--output the data from the query, then close the connection
if tData is not empty then
   put aesEncode(tData)
else
   put aesEncode("No Results")
end if
--close the database connection
revCloseDatabase gConnectionID
?>
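The two points made earlier in the thread (bangkok: the server does no checks on what SQL it receives; ghettocottage: keep the queries pre-written on the server so it only runs specific ones) come down to one server-side pattern: an allow-list of named queries, with request values bound as parameters. The following is an added example by the editor, not code from this thread or from LiveCode; it uses Python with an in-memory SQLite table named "people" with constructed sample rows, standing in for the MySQL table in the example above. The (table, type) pair from the request is looked up in a dictionary rather than turned into a file path, and the search term is passed as a bound parameter, so characters that would matter in SQL text are treated as data.

```python
import sqlite3

# Constructed sample data standing in for the thread's "people" table.
SAMPLE_PEOPLE = [
    ("Alice", "Smith"),
    ("Bob", "Jones"),
    ("Carol", "Smith"),
]


def make_db():
    """Create an in-memory database with the sample "people" table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO people (first_name, last_name) VALUES (?, ?)", SAMPLE_PEOPLE
    )
    conn.commit()
    return conn


# The pre-written queries. The server only ever runs SQL text from this table;
# each entry names which request fields fill its placeholders, in order.
QUERIES = {
    ("people", "search"): (
        "SELECT first_name, last_name FROM people "
        "WHERE first_name LIKE ? OR last_name LIKE ? "
        "ORDER BY last_name DESC LIMIT 100",
        ("search", "search"),
    ),
    ("people", "count"): ("SELECT COUNT(*) FROM people", ()),
}


class BadRequest(Exception):
    """Raised for a (table, type) pair that is not on the allow-list."""


def dispatch(conn, form):
    """Server-side handler: `form` is the parsed POST body (a dict of strings).

    The (table, type) pair selects a pre-written query; anything not in QUERIES
    is rejected outright instead of being used to build a file name or SQL text.
    Request values are bound as parameters, never spliced into the SQL string.
    """
    key = (form.get("table", ""), form.get("type", ""))
    if key not in QUERIES:
        raise BadRequest("unknown query %r" % (key,))
    sql, fields = QUERIES[key]
    params = tuple(form.get(f, "") for f in fields)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # "%" is what the app sends for an empty search field.
    print(dispatch(db, {"table": "people", "type": "search", "search": "%"}))
    # A search term containing SQL syntax matches nothing; it is just a LIKE pattern.
    print(dispatch(db, {"table": "people", "type": "search", "search": "' OR 1=1 --"}))
```

Because `QUERIES` is a closed set, adding a new operation means adding an entry here, which is the "so many queries written beforehand" cost Eddie mentioned; in exchange the client never chooses SQL text or a file name, which is what removes the injection and path concerns the thread raises.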

EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Wed May 06, 2020 5:58 am

ghettocottage wrote:
Wed May 06, 2020 5:36 am
What do you mean by having my queries pre-written? It looks intriguing; any idea on how to do that? However, it seems complex to do, because there are so many different SQL queries that would need to be written beforehand.
There are better ways of doing this, but for the sake of simplifying...

Here is an example, with 4 parts. It sends a request from your app to your server, and your server sorts through what you are asking it for to get to the query you have pre-written in a folder. Assume you have a "people" table and want to search a person's name:
Hi ghetto, thanks for your help! I understand now what you meant, but I don't think I will use this for now, since I'm just developing a simple project. Maybe I could just encrypt the data sent to the database, decrypt it, and encrypt it again before sending it back to the app, as a security measure?

Thanks anyways!
Eddie :D

EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Wed May 06, 2020 6:37 am

Hi,

I tried using base64Encode/base64Decode to encrypt the data sent to the server from an app and vice versa. Any reason why I'm getting an error output?

App side

Code:

on mouseUp
   ---- sending --------
   set the httpHeaders to empty
   put "select * from dishes" into tSQLQuery
   put "query=" & urlEncode(tSQLQuery) into tSQLQuery
   --the whole form body, "query=" key included, is base64-encoded here
   put base64Encode(tSQLQuery) into tSQLQuery1
   post tSQLQuery1 to URL "https://myurl/mysecretpage.lc"

   ---- after receiving ---------
   put it into tResult
   put base64Decode(tResult) into tResults
   answer tResults
end mouseUp
Server side

Code:

<?lc
---- Decode data received from app ------
put base64Decode($_POST["query"]) into tSQLQuery1
put revOpenDatabase("mysql", "127.0.0.1", "mydb", "mydbusername", "mydbpassword") into tDBID
put revDataFromQuery(,, tDBID, tSQLQuery1) into tResults
revCloseDatabase tDBID

----- Encode data before sending back to the app ------
put base64Encode(tResults) into tResult
put tResult
?>
The error/output that I'm getting is "revdberr,Query was empty".

Thank you!
Eddie :D
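The "Query was empty" result in the post above follows from how a form body is parsed: the app base64-encodes the entire `query=...` string, so the server's form parser never sees a field called `query`, and `$_POST["query"]` is empty before it is even decoded. The following added example (the editor's, not code from this thread or from LiveCode) reproduces both request shapes in Python with the standard library's form parser: the body as posted, and a body where only the value is base64-encoded. It also makes the other point the thread's replies already make: base64 is a reversible encoding, so anyone who sees the body can read it; it protects nothing in transit (that is HTTPS's job), and it does not make sending raw SQL from the client safe.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the SQL text the posted handler sends.
SQL_TEXT = "select * from dishes"


def build_body_as_posted(sql):
    """Mirror the posted handler: build 'query=<urlencoded sql>' and then
    base64-encode the entire form body, key and all."""
    body = urlencode({"query": sql})
    return base64.b64encode(body.encode()).decode()


def build_body_value_only(sql):
    """Encode only the value, so the 'query=' key stays visible to the form parser."""
    return urlencode({"query": base64.b64encode(sql.encode()).decode()})


def server_read_query(body):
    """What the server side effectively does with the request body: parse the
    form fields, take 'query' (empty string if the field is absent) and
    base64-decode it. Invalid base64 is reported as an empty query too."""
    fields = parse_qs(body, keep_blank_values=True)
    encoded = fields.get("query", [""])[0]
    try:
        return base64.b64decode(encoded, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return ""


def recover_without_key(body):
    """No key is involved, so any observer of the body recovers the same text
    the server does; this is why base64 is not a substitute for encryption."""
    return server_read_query(body)


if __name__ == "__main__":
    print(repr(server_read_query(build_body_as_posted(SQL_TEXT))))    # '' -> "Query was empty"
    print(repr(server_read_query(build_body_value_only(SQL_TEXT))))   # 'select * from dishes'
    print(repr(recover_without_key(build_body_value_only(SQL_TEXT)))) # same text, no secret needed
```

Note that the whole-body base64 string contains no `=` separating a key called `query` from a value, so the parser either sees one nameless field or a field named after the base64 text; either way the `query` lookup is empty.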

FourthWorld
VIP Livecode Opensource Backer
Posts: 10053
Joined: Sat Apr 08, 2006 7:05 am

Re: Shared Hosting

Post by FourthWorld » Wed May 06, 2020 7:18 am

EddieLee wrote:
Wed May 06, 2020 3:34 am
For now there's no user authentication yet, because it does not require users to log in/sign up.
If the system writes data, you'll want some means to differentiate who can do that. If your user can write without authenticating first, so can the bad guys.

Are you familiar with Kyle Rankin?

EddieLee
Posts: 118
Joined: Thu Oct 25, 2018 1:06 pm

Re: Shared Hosting

Post by EddieLee » Wed May 06, 2020 8:31 am

FourthWorld wrote:
Wed May 06, 2020 7:18 am
EddieLee wrote:
Wed May 06, 2020 3:34 am
For now there's no user authentication yet, because it does not require users to log in/sign up.
If the system writes data, you'll want some means to differentiate who can do that. If your user can write without authenticating first, so can the bad guys.

Are you familiar with Kyle Rankin?
Hi FourthWorld,

What do you mean by that? No, I'm not familiar with Kyle Rankin...
Eddie :D

FourthWorld
VIP Livecode Opensource Backer
Posts: 10053
Joined: Sat Apr 08, 2006 7:05 am

Re: Shared Hosting

Post by FourthWorld » Wed May 06, 2020 9:14 am

If users don't sign in, how do you distinguish between an authorized submission and an unauthorized one?

Kyle is worth reading if you get a chance. He publishes articles and books often, so you'll come across him sooner or later. I got started with server admin from one of his earlier books. His most recent, "Linux Hardening in Hostile Networks", provides a good overview not just for devs, but for anyone responsible for managing systems with other people's data, or really anything connected to the Internet.

Spoiler: the "hostile networks" part of his book title is an intentional redundancy. As he describes, in the 21st century all networks are best regarded as hostile, with safeguards chosen from that mindset.

Keep in mind that unless you have uncommonly high-value data, the bad guys aren't after your data at all, but they will still try to break in. They'll take any data that may be useful as they come across it, but these days that's not often their goal. What they want is compute resources, control of the server itself, so they can spam, DDoS, mine coins, etc.

In the modern world, even a server that doesn't seem very interesting to us can be very interesting to the bad guys.

So we learn what we can to stay a step ahead of them. And since most of them use fairly predictable scripts, a little study goes a long way in keeping your servers safe.