
This is kind of a basic question. I am writing an Android app which gets the data from a database using a web service. I pass some parameters to the web service and it returns me the data in JSON/XML format. My question is: should I pass the database username and password as parameters to open a database connection, or should I keep these credentials inside the web service? If I keep these credentials inside the service, anyone who knows the location of my web service and the parameters I am passing can access my database and get the data. If I request the caller to pass these credentials as parameters, is it safe to send this information over the internet while calling the web service from the mobile application?

I found this example about securing your data while calling a web service, which explains very well that even if you are using HTTPS it is still not safe to send the plain text.

Thanks

AL̲̳I

2 Answers


I think this answer will explain what you are trying to ask.

'silverback' is right. Never request these credentials from the client side, it is not safe. You can simply authenticate the client using some kind of encryption...

Here is an example of how to generate an authentication token:

(day * 10) + (month * 100) + (year (last 2 digits) * 1000)

for example: 3 June 2011

(3 * 10) + (6 * 100) + (11 * 1000) =
30 + 600 + 11000 = 11630

then concatenate with the user password, for example "my4wesomeP4ssword!":

11630my4wesomeP4ssword!

Then do MD5 of that string:

05a9d022d621b64096160683f3afe804

When you make a request, always use this token:

https://mywebservice.com/?token=05a9d022d621b64096160683f3afe804&op=getdata

This token is always unique every day, so I guess this kind of protection is more than sufficient to always protect your service.
Ana

It is better to keep some unique key rather than sending a password and username. If you are concerned about security issues, then you should do some encryption for the credentials on your side as well as server-side. I don't think the Android client side requires such tight encryption methods. Use a simple validated key.

Try this: Webservice credentials - OpenID/Android AccountManager?

Viswanath Lekshmanan
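Both answers recommend keeping the database credentials on the server and giving the client some other token instead. The block below is an added example, not code from either answer or from any project. It implements the first answer's date-plus-password MD5 token as a hypothetical helper so its properties can be inspected (the value depends only on the calendar day and the password, so every request on a given day carries the same token and a captured one replays until midnight), and then a variant of the second answer's "unique key" idea: the server issues a random key at login, the client uses that key to HMAC-sign each request together with a timestamp and a nonce, and the server checks the signature with a constant-time comparison and a replay cache. All function and class names, the MAX_SKEW window, and the sample user store are assumptions; nothing contacts a real service.

```python
"""Mobile-client-to-web-service request authentication (added example).

Hypothetical helpers and constructed sample data throughout; no network I/O.
"""
import hashlib
import hmac
import secrets
import time

# --- Scheme from the first answer: MD5(day*10 + month*100 + yy*1000 || password) ---

def daily_number(day: int, month: int, year: int) -> int:
    """The date number exactly as the first answer computes it (3 June 2011 -> 11630)."""
    return day * 10 + month * 100 + (year % 100) * 1000

def daily_token(day: int, month: int, year: int, password: str) -> str:
    """Token as the first answer computes it: MD5 over date number || password.
    Nothing in the input changes between requests on one day, so the token is a
    fixed value for 24 hours and a single MD5 per guess lets an observer test
    password candidates offline."""
    return hashlib.md5(f"{daily_number(day, month, year)}{password}".encode()).hexdigest()

# --- Hardened variant combining both answers: a server-issued per-client key
# (the second answer's "unique key") used to HMAC each request with a timestamp
# and a nonce, checked server-side. Database credentials never leave the server.

MAX_SKEW = 300                                   # seconds; assumed tolerance for clock drift
SAMPLE_USERS = {"alice": "my4wesomeP4ssword!"}   # constructed sample user store

def sign(key: bytes, user: str, op: str, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over every field the server will check, joined unambiguously."""
    msg = "\n".join([user, op, str(ts), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class AuthServer:
    """Toy server side: issues keys at login, verifies signed requests, rejects replays."""

    def __init__(self):
        self.keys = {}            # user -> random API key issued at login
        self.seen_nonces = set()  # (user, nonce) pairs already accepted

    def login(self, user: str, password: str) -> str:
        # A real service would check a salted password hash; the sample store is
        # plaintext only to keep the example self-contained.
        if SAMPLE_USERS.get(user) != password:
            raise PermissionError("bad credentials")
        key = secrets.token_bytes(32)
        self.keys[user] = key
        # Returned once over TLS; the app keeps it in private storage
        # (e.g. AccountManager on Android) and never sends it again.
        return key.hex()

    def verify(self, user: str, op: str, ts: int, nonce: str, sig: str, now: int) -> bool:
        key = self.keys.get(user)
        if key is None:
            return False
        if abs(now - ts) > MAX_SKEW:
            return False                                  # stale or future-dated
        if (user, nonce) in self.seen_nonces:
            return False                                  # replay of a captured request
        if not hmac.compare_digest(sign(key, user, op, ts, nonce), sig):
            return False                                  # tampered or forged
        self.seen_nonces.add((user, nonce))
        return True

def client_request(key_hex: str, user: str, op: str, now: int) -> dict:
    """What the mobile client puts on the wire (as query parameters or headers)."""
    nonce = secrets.token_hex(16)
    return {"user": user, "op": op, "ts": now, "nonce": nonce,
            "sig": sign(bytes.fromhex(key_hex), user, op, now, nonce)}

def demo() -> dict:
    """Exercise the hardened scheme; returns the outcomes so they can be checked."""
    srv = AuthServer()
    key = srv.login("alice", "my4wesomeP4ssword!")
    now = int(time.time())
    req = client_request(key, "alice", "getdata", now)
    # Same signature presented with a different operation: signature mismatch.
    tampered = srv.verify("alice", "dropdata", req["ts"], req["nonce"], req["sig"], now)
    first = srv.verify(req["user"], req["op"], req["ts"], req["nonce"], req["sig"], now)
    # Exact copy of an accepted request a second later: nonce already consumed.
    replay = srv.verify(req["user"], req["op"], req["ts"], req["nonce"], req["sig"], now + 1)
    # Correctly signed but an hour old: outside the skew window.
    old = client_request(key, "alice", "getdata", now - 3600)
    stale = srv.verify(old["user"], old["op"], old["ts"], old["nonce"], old["sig"], now)
    return {"first_accepted": first, "replay_rejected": not replay,
            "tamper_rejected": not tampered, "stale_rejected": not stale}

if __name__ == "__main__":
    print(daily_number(3, 6, 2011), daily_token(3, 6, 2011, "my4wesomeP4ssword!"))
    print(demo())
```

The replay cache only needs to remember nonces for as long as MAX_SKEW allows a timestamp to be valid, so a real server prunes entries older than that window instead of growing the set forever. The key issued at login is what the second answer calls the "unique key"; revoking it on the server invalidates every future request from that device without touching the database credentials.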