Shared Hosting (Solved)
Re: Shared Hosting
Hi all,
I have tested out both ways: using the hostm API, and bangkok's way of establishing a secure connection to the database. Bangkok's way was the easier way to get things done, and it is so much simpler than using the API. I'd like to thank everyone for their input, which has given me great advice in this thread.
Thank you!
Eddie 

Re: Shared Hosting
There is often a spectrum with "simple" at one end and "secure" at the other. Find the place on that line which best fits your project's requirements...
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
Re: Shared Hosting
Hi fourthworld,
FourthWorld wrote: Tue May 05, 2020 8:03 am
There is often a spectrum with "simple" at one end and "secure" at the other. Find the place on that line which best fits your project's requirements...
Do you have any comments on Bangkok's way of establishing a secure connection? I know that, compared to the API, it will not be as secure, but is it still a secure way?
Eddie 

Re: Shared Hosting
No it's not. It was just an example to show you the mechanism.
For 2 reasons:
- queries sent by the app to the .lc webpage are not encrypted
- and there are no controls/checks done on the nature of SQL queries that are received (by the .lc webpage and then sent to your DB server)
Now.... your data are probably not "state secret"... However, beware of "SQL injection attacks", if you deal with UPDATE or INSERT (or DELETE) etc.
For encryption, easy. Check encrypt/decrypt commands in LC dictionary.
As for "SQL injection attacks", Google will give you many solutions and ideas.
Re: Shared Hosting
Hi Bangkok,
bangkok wrote: Tue May 05, 2020 11:51 am
No it's not. It was just an example to show you the mechanism.
For 2 reasons:
- queries sent by the app to the .lc webpage are not encrypted
- and there are no controls/checks done on the nature of SQL queries that are received (by the .lc webpage and then sent to your DB server)
Now.... your data are probably not "state secret"... However, beware of "SQL injection attacks", if you deal with UPDATE or INSERT (or DELETE) etc.
For encryption, easy. Check encrypt/decrypt commands in LC dictionary.
As for "SQL injection attacks", Google will give you many solutions and ideas.
Thanks for your reply. So am I still connecting to the database directly in this way? Can you point me in the direction of how to set a control/check on the SQL queries received? And when you say encrypting the queries, do you mean the SQL statement (select/insert/update)? Will a base64Encode/Decode be fine? For the "SQL injection attacks" I will do more research on Google on how to prevent them.
Eddie 

Re: Shared Hosting
Here is a thread on encrypting that I bumbled through a few years back:
https://forums.livecode.com/viewtopic.p ... 2&start=15
When you have lc files on your server that have all of your queries pre-written, that is a type of security: your server does not just accept any sql query sent to it, but only the very specific queries.
Encrypting data you send to your server, and decrypting it on your server, then encrypting the data sent back to your app is another kind of security.
There are layers of security that you can use.
Not telling your friends your password you use everywhere is also a type of security.
Re: Shared Hosting
Both use a server-side script to protect the database, so the main difference between them is merely completeness.
Your server uses HTTPS, yes?
How do you handle user authentication?
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
Re: Shared Hosting
Hi fourthworld,
FourthWorld wrote: Tue May 05, 2020 7:16 pm
Both use a server-side script to protect the database, so the main difference between them is merely completeness.
Your server uses HTTPS, yes?
How do you handle user authentication?
Thanks for the reply, and yes, my server uses HTTPS. For now there's no user authentication yet, because it does not require them to log in/sign up.
Eddie 

Re: Shared Hosting
Hi ghetto,
ghettocottage wrote: Tue May 05, 2020 4:30 pm
Here is a thread on encrypting that I bumbled through a few years back:
https://forums.livecode.com/viewtopic.p ... 2&start=15
When you have lc files on your server that have all of your queries pre-written, that is a type of security: your server does not just accept any sql query sent to it, but only the very specific queries.
Encrypting data you send to your server, and decrypting it on your server, then encrypting the data sent back to your app is another kind of security.
There are layers of security that you can use.
Not telling your friends your password you use everywhere is also a type of security.
What do you mean by having my queries pre-written? It looks intriguing; any idea on how to do that? However, it seems complex to do, because there are so many different SQL queries that need to be written beforehand.
Eddie 

Re: Shared Hosting
There are better ways of doing this, but for the sake of simplifying...
Here is an example, with 4 parts. It sends a request from your app to your server, and your server sorts through what you are asking it for to get to the query you have pre-written in a folder. Assume you have a "people" table and want to search a person's name:
1. On your app you might have a search field that you can type a name into and send that query to your server to search your people table:
Code:
on searchPeople
    -- get the search term from the search field
    put empty into tSearch
    put fld "search" into tSearch
    put word 1 to -1 of tSearch into tSearch
    -- unless it is empty: then match everything
    if tSearch is empty then
        put "%" into tSearch
    end if
    -- get the info to send
    put "people" into tTable
    put "search" into tType
    -- encode the type, table and search term
    put aesEncode(tType) into tType
    put aesEncode(tTable) into tTable
    put aesEncode(tSearch) into tSearch
    -- put the encoded stuff into a variable
    put "type=" & tType & "&table=" & tTable & "&search=" & tSearch into tStuffToPost
    -- post it to the server
    post tStuffToPost to URL gURL
    -- decode the response
    put aesDecode(it) into tData
    -- check the result: on an error, show the message and stop
    if tData contains "revdberr" then
        answer error tData
        exit searchPeople
    end if
    -- put it into the datagrid
    set the dgText of group "data" to tData
    set the dgHilitedLines of grp "data" to 1
    if tData is "No Results" then
        notifyWindow "No Results", "Your search was empty"
    end if
end searchPeople
2. On your server you can have something like this as your index page, which can route your request to the proper files:
Code:
<?lc
/*****************************************
what sort of post request is this?
*****************************************/
--if this is a DB query then grab the file /db/dbconnect.lc
put $_POST["type"] into tType
if tType is not empty then
include "db/dbconnect.lc"
else --if this is an html request grab the webpage parts
include "parts/header.lc"
include "parts/menu.lc"
include "parts/content.lc"
include "parts/footer.lc"
end if
?>
3. The file db/dbconnect.lc will open your database connection, and look at what tables you want to look at:
Code:
<?lc
/*****************************************
check what sort of db request this is
*****************************************/
//data type and db name
put aesDecode($_POST["type"]) into tType
put aesDecode($_POST["table"]) into tTable
/*****************************************
database connection
*****************************************/
--configure the database settings:
--put tDB into tDatabaseName
put "yourdatabasename" into tDatabaseName
put "yourdatabaseuser" into tDatabaseUser
put "yourdatabasepassword" into tDatabasePassword
--end database settings
--get the db connection
put revOpenDatabase("MySQL", "127.0.0.1", tDatabaseName, tDatabaseUser, tDatabasePassword, true) into gConnectionID
--check that it connected okay
if gConnectionID is not a number then
put "connection not connecting"
else
--continue on if the connection is a number (connected okay)
--include the file with the correct queries
--in this case people/search.lc
include tTable&"/"&tType&".lc"
end if
?>
4. And finally, the file people/search.lc, which has your pre-written SQL query to search your people table:
Code:
<?lc
/*****************************************
grab the search query
*****************************************/
put aesDecode($_POST["search"]) into tSearch
-- if it is a name search set the order
put "DESC" into tOrder
put 100 into tLimit
-- get the first and last name
put word 1 of tSearch into fName
put word 2 of tSearch into lName
-- search for person by name
put "your.amazing.mysql.query.goes.here.that.searches.your.people.table" into tSQL
/*****************************************
send the results back
*****************************************/
put revDataFromQuery(tab, cr, gConnectionID, tSQL) into tData
-- output the data from the query
if tData is not empty then
    put aesEncode(tData)
else
    put aesEncode("No Results")
end if
-- close the database connection
revCloseDatabase gConnectionID
?>
Re: Shared Hosting
Hi ghetto, thanks for your help! I understand what you meant now, but I don't think I will use this as of now, since I am just developing a simple project. Maybe I could just encrypt the data sent to the database, decrypt it, and encrypt it again before sending it back to the app as a form of security measure?
Thanks anyways!
Eddie 

Re: Shared Hosting
Hi,
I tried using base64encode/decode to encrypt the data sent to the server from an app and vice versa. Any reason why I'm getting an error output?
The error/output that I'm getting is "revdberr,Query was empty"
App side
Code:
on mouseup
---- sending --------
set httpheaders to empty
put "select * from dishes" into tSQLQuery
put "query="&urlencode(tSQLQuery) into tSQLQuery
put base64encode(tSQLQuery) into tSQLQuery1
post tSQLQuery1 to url "https://myurl/mysecretpage.lc"
---- after receiving---------
put it into tResult
put base64decode(tResult) into tResults
answer tResults
end mouseup
Server side
Code:
---- Decode data received from app ------
put base64decode($_POST["query"]) into tSQLQuery1
put revOpenDatabase("mysql","127.0.0.1","mydb","mydbusername","mydbpassword") into tDBID
put revDataFromQuery(,,tDBID,tSQLQuery1) into tResults
revclosedatabase tDBID
----- Encode data before sending back to the app ------
put base64encode(tResults) into tResult
put tResult
Thank you!
Eddie 
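As an added example (not code from this thread, from LiveCode, or from any poster), here is a Python stand-in for the server-side script that ghettocottage's four-part layout describes, applied to the post above: it parses the posted form the way $_POST would, runs only pre-written parameterised queries chosen by an allow-listed (table, type) pair, and refuses a body that carries SQL of its own. sqlite3 in place of MySQL, the table and column names and the sample rows are assumptions; the constant WHOLE_BODY_BASE64 reproduces the app-side post above to show why $_POST["query"] comes back empty when the whole body is base64-encoded.

```python
import base64
import sqlite3
from urllib.parse import parse_qs

# Pre-written queries keyed by (table, type), with the form fields that
# feed their placeholders.  The request never carries SQL text itself.
QUERIES = {
    ("people", "search"): (
        "SELECT first_name, last_name FROM people "
        "WHERE first_name LIKE ? OR last_name LIKE ? "
        "ORDER BY last_name LIMIT 100",
        ("search", "search"),
    ),
    ("dishes", "list"): ("SELECT name, price FROM dishes ORDER BY name", ()),
}

# Constructed reproduction of the app-side post in this message: the whole
# "query=..." form body is base64-encoded, so it arrives as a single token.
WHOLE_BODY_BASE64 = base64.b64encode(b"query=select * from dishes").decode()


def _open_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE people (first_name TEXT, last_name TEXT);"
        "INSERT INTO people VALUES ('Ada','Lovelace'),('Alan','Turing');"
        "CREATE TABLE dishes (name TEXT, price REAL);"
        "INSERT INTO dishes VALUES ('Pad thai', 8.5);"
    )
    return db


def handle_post(body: str) -> str:
    """Act as the server-side .lc script: parse the POST body the way $_POST
    would, pick an allow-listed query, bind its parameters and return rows as
    tab/newline-delimited text (like revDataFromQuery) or a revdberr string."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if not form:
        # A body that is one opaque token (e.g. base64 of the whole form)
        # has no name=value pairs, so every $_POST lookup comes back empty.
        return "revdberr,no request fields"
    if "query" in form:
        # SQL text sent by the client is never executed, whatever it says.
        return "revdberr,raw SQL is not accepted"
    entry = QUERIES.get((form.get("table", ""), form.get("type", "")))
    if entry is None:
        # Unknown (table, type) is rejected; the decoded values are only
        # ever used as a dictionary key, never to build a file path.
        return "revdberr,unknown request"
    sql, keys = entry
    # Same rule as the app-side script: an empty search term becomes "%".
    params = tuple(form.get(k, "").strip() or "%" for k in keys)
    db = _open_db()
    try:
        rows = db.execute(sql, params).fetchall()
    finally:
        db.close()
    if not rows:
        return "No Results"
    return "\n".join("\t".join(str(c) for c in row) for row in rows)
```

Confidentiality of the request is left to HTTPS, which the server already uses; base64 is an encoding, not encryption, and changes nothing about what the server will execute.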

Re: Shared Hosting
If the system writes data, you'll want some means to differentiate who can do that. If your user can write without authenticating first, so can the bad guys.
Are you familiar with Kyle Rankin?
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
Re: Shared Hosting
Hi FourthWorld,
FourthWorld wrote: Wed May 06, 2020 7:18 am
If the system writes data, you'll want some means to differentiate who can do that. If your user can write without authenticating first, so can the bad guys.
Are you familiar with Kyle Rankin?
What do you mean by that? No, I'm not familiar with Kyle Rankin...
Eddie 

Re: Shared Hosting
If users don't sign in, how do you distinguish between an authorized submission and an unauthorized one?
Kyle is worth reading if you get a chance. He publishes articles and books often, so you'll come across him sooner or later. I got started with server admin from one of his earlier books. His most recent, "Linux Hardening in Hostile Networks", provides a good overview not just for devs, but for anyone responsible for managing systems with other people's data, or really anything connected to the Internet.
Spoiler: the "hostile networks" part in his book title is an intentional redundancy. As he describes, in the 21st century all networks are best regarded as hostile, with safeguards chosen from that mindset.
Keep in mind that unless you have uncommonly high-value data, the bad guys aren't after your data at all, but they will still try to break in. They'll take any data that may be useful as they come across it, but these days that's not often their goal. What they want is compute resources, control of the server itself, so they can spam, DDoS, mine coins, etc.
In the modern world, even a server that doesn't seem very interesting to us can be very interesting to the bad guys.
So we learn what we can to stay a step ahead of them. And since most of them use fairly predictable scripts, a little study goes a long way in keeping your servers safe.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn