MySQL - php script - hack

Hello.
Can someone advise how I should at least somewhat secure the php scripts on the server side?
Namely: there was a hack in one table ... an unknown 10.31.20.12:80 "filled in" rows there that are meaningless to me...
I looked at the access_log and changed the database password, but I don't know what else to do to prevent it from happening again...

Senior1954

Let me suggest that you first get everything up and running and then take care of security.

Taifun

Why not introduce a secret key, in the same way that Taifun shows in his mysql tutorial. It is a start...

Hello.
I tried again with Taifun's php from the mysql tutorial with a secret key ...

It fails for me immediately at the first If...

<?php
/*
 * Written By: ShivalWolf
 * Date: 2011/06/03
 * Contact: Shivalwolf@domwolf.net
 *
 * UPDATE 2011/04/05
 .......
 */

if( isset($_POST['query']) && isset($_POST['key']) ){
    .....
    ..........
} else {
    header("HTTP/1.0 400 Bad Request");
    echo "Bad Request";
}
?>

image

key and query are:
[["key","secrettt"],["query","SELECT * FROM tblCisAlkohol"]]

Where am I doing wrong?

Senior1954

When I sent it .... I guess I see an error ...
In the app there is "key" ... and in php "SQLKEY".
Maybe this is the mistake?
Senior1954

if($_POST['key']==$SQLKEY){    //validates the SQL key
    $query=urldecode($_POST['query']);
    $conn = new mysqli($DB_ADDRESS,$DB_USER,$DB_PASS,$DB_NAME);    //connect

Hello.
I use the php script from

It does not work...
There is exactly the If as you sent me...
Question:
Is there something like:
$key=$_POST["key"];
$query=$_POST["query"];
?
I do not understand that....
I only need a simple script where there is a key and a query.
I create a query in the app and send it to the server...
So far, I have only created the php command on the server side, in php ... for example:
$input=mysqli_query($conn, "INSERT INTO tblCisAlkohol (ID, Name) VALUES (NULL,'$Name')");
that's probably why they hated me...
Senior1954

hack me

Probably given you this link before:

Well, if you exactly follow the setup instructions then you also will be able to use it... you are not the first person using that solution...

Just use your working setup from here

together with my script

Taifun

Do some simple tests:

basic.php:

<?php 
echo "secret\r\n"; 
?>

curl -X POST https://..../basic.php

better.php:

<?php 
$SQLKEY="secret";

if ($_POST['key']==$SQLKEY) {
    echo "key and SQLKEY are a match\r\n";
} else {
    echo "key is incorrect\r\n";
}
?>

curl -d "key=secret" https://.../better.php

(note the \r\n are used to ensure a line return in my terminal)
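The two weak spots visible in this thread are the loose `==` comparison of the key in better.php and the interpolated INSERT the original poster wrote (`VALUES (NULL,'$Name')`), which lets whatever the app sends become part of the SQL. The script below is an added example, not Taifun's script and not the poster's code: it keeps the same key idea but compares with `hash_equals`, rejects requests with missing fields, and binds the value through a prepared statement. The table name tblCisAlkohol and the key value "secrettt" come from the thread; the POST field `name`, the `$DB_*` values and the file name insert.php are assumptions.

```php
<?php
// Added example (not the tutorial script). Hardened variant of the key check
// from better.php plus a prepared-statement INSERT replacing the interpolated
// query shown earlier in the thread. Names below marked "assumed" are not
// from the original page.

$SQLKEY     = "secrettt";   // value from the thread; use a long random string in practice
$DB_ADDRESS = "localhost";  // assumed
$DB_USER    = "appuser";    // assumed: account limited to INSERT/SELECT on this table
$DB_PASS    = "changeme";   // assumed
$DB_NAME    = "mydb";       // assumed

// 1. Only accept a POST that carries both fields; anything else is a 400.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['key'], $_POST['name'])) {
    header("HTTP/1.0 400 Bad Request");
    echo "Bad Request\r\n";
    exit;
}

// 2. Strict, constant-time comparison instead of == (no type juggling,
//    no early-exit timing difference between wrong keys).
if (!hash_equals($SQLKEY, (string) $_POST['key'])) {
    header("HTTP/1.0 403 Forbidden");
    echo "key is incorrect\r\n";
    exit;
}

// 3. Validate the payload on the server; the app's own checks can be bypassed.
$name = trim((string) $_POST['name']);
if ($name === '' || mb_strlen($name) > 100) {
    header("HTTP/1.0 400 Bad Request");
    echo "Bad Request\r\n";
    exit;
}

// 4. Prepared statement: the value is bound as data, never concatenated into SQL.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $conn = new mysqli($DB_ADDRESS, $DB_USER, $DB_PASS, $DB_NAME);
    $conn->set_charset('utf8mb4');
    $stmt = $conn->prepare("INSERT INTO tblCisAlkohol (ID, Name) VALUES (NULL, ?)");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    echo "inserted id " . $stmt->insert_id . "\r\n";
    $stmt->close();
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // Details go to the server log only; the client gets a generic message.
    error_log("insert.php db error: " . $e->getMessage());
    header("HTTP/1.0 500 Internal Server Error");
    echo "Server error\r\n";
}
?>
```

Test it the same way as better.php, e.g. `curl -d "key=secrettt" -d "name=Test" https://.../insert.php`; a request without the key or with a wrong key returns 400 or 403 and touches the database not at all. Because the app now only sends a value rather than a whole query, the database account used by the script can be limited to INSERT and SELECT on that one table, which bounds what an attacker who learns the key can do.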

Test result: key is incorrect

Really ?

:~$ curl -d "key=secret" https://.../better.php
key and SQLKEY are a match

image

Show YOUR php file for this, and the command you sent. (or blocks used)

image

image

image

image

Can you make a "better.php" with the code provided and just test that ?

Unfortunately, the result is: key is incorrect
image

image

Show all your blocks for making the connection....

image

image

Why all those blocks ?

You only need the blocks I showed above...

Just create a new test project!