
I am planning to implement the following architecture to secure my API. I am not maintaining any session, and the API will be called from Android, iOS and web pages. The client will be given a public and private key pair at the time of deployment. I don't want to use HTTPS.

My code is as follows:

<?php

class Auth {

    function is_valid_request(){
        $header=apache_request_headers();//not used below, kept as in the original sketch
        $authorization=$_POST['authorization'];//client will create this by same rule as my_algo_to_generate_hash().
        $public_key=$_POST['public_key'];
        $time=$_POST['time'];
        $secret_key=mysql_result(mysql_query("SELECT private_key FROM auth WHERE public_key='$public_key'"),0);
        $hash=my_algo_to_generate_hash($public_key, $secret_key);//this is dummy.
        if($hash===$authorization){
            $token=sha1('some really random strings');
            mysql_query("INSERT INTO tokens (token) VALUES ('$token')");
            return $token;
        }
        return false;
    }

    function is_valid_user(){
        if($this->is_valid_request()){
            $email=$_POST['email'];
            $pass=$_POST['pass'];
            $token=$_POST['token'];
            if (mysql_num_rows(mysql_query("SELECT id FROM tokens WHERE token='$token'"))) {
                $query=mysql_query("SELECT user_id FROM users WHERE email='$email' AND password='$pass'");
                if (mysql_num_rows($query)) {
                    $access_token=my_algo_to_generate_hash($email,$pass);
                    $refresh_token=my_algo_to_generate_hash();
                    $some_time='time to which access_token is valid';//expiry reported to the client; how much should it be?
                    mysql_query("UPDATE users SET access_token='$access_token', refresh_token='$refresh_token' WHERE email='$email'");
                    return array(
                        'access_token'=>$access_token,
                        'expire_time'=>$some_time,
                        'refresh_token'=>$refresh_token
                    );
                }
            }
        }
        //return false in all other cases
        return false;
    }

    function is_logged_in(){
        $access_token=$_POST['access_token'];
        $time=$_SERVER['REQUEST_TIME'];
        $some_time='time to which access_token is valid';//how much should it be?
        //the token is accepted while its age in seconds is below $some_time
        $query=mysql_query("SELECT user_id FROM users WHERE access_token='$access_token' AND TIMESTAMPDIFF(SECOND, access_token_created_at, FROM_UNIXTIME($time))<'$some_time'");
        if(mysql_num_rows($query)){
            return true;
        }
        return false;
    }

}

How secure is this architecture for a connection over HTTP?

Ignore code-level security, such as SQL injection, the hashing algorithm or anything else related to the script. Just look at the logic and architecture.

Mayank Kumar
    `I don't want to use HTTPS` then you got first design flaw... – Marcin Orlowski Nov 24 '14 at 09:53
  • @MarcinOrlowski So are you telling me that without HTTPS all APIs are insecure? – Mayank Kumar Nov 24 '14 at 10:13
  • @MayankKumar yes, they are, because all data is sent as unencrypted text when using HTTP. – low_rents Nov 24 '14 at 10:15
  • @northkildonan stop giving me reviews. – Mayank Kumar Nov 24 '14 at 10:32
  • @MayankKumar from [Wikipedia](http://en.wikipedia.org/wiki/HTTP_Secure#Difference_from_HTTP): "HTTP is insecure and is subject to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information." – low_rents Nov 24 '14 at 10:34
  • @northkildonan If you look closely at my architecture you would have understood that this could take care of MITM and replay attacks. Because there is no sharing of the secret key over the wire. Even if someone gets access to the access token, per access token only one request is valid. So no MITM and replay attack. Please man, be serious. – Mayank Kumar Nov 24 '14 at 10:53
    @MayankKumar sorry, but you seem to have no idea of what you are actually asking. you are talking about security over HTTP connection - and, as it seems your `$_POST` vars are the only interface to HTTP in your script. Now you are talking something about your database logic, where it's obvious that your local database can't be targeted by HTTP attacks as long as you use parameters. so either your question is wrong (or very unclear) or my answer is right. – low_rents Nov 24 '14 at 10:59
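As an added illustration (not the asker's code, and in Python rather than PHP because the question is about the flow, not the script), here is the request-signing half of the design with two properties the posted `is_valid_request()` does not have: the timestamp and a nonce are part of the signed message and are checked, so a captured request cannot simply be resent, and the comparison is constant-time. The key pair, the 300-second clock-skew window and the one-hour token lifetime are constructed assumptions. What this does not do is hide anything: the email, password and tokens the later calls post still cross the wire readable to anyone on the path, which is the point the comments make about HTTP.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: one client's key pair, issued at deployment time as the
# question describes. Values are hypothetical placeholders.
CLIENT_KEYS = {"pk_demo_client": b"sk_demo_secret_value"}
CLOCK_SKEW_SECONDS = 300      # assumption: how far a request's timestamp may drift
TOKEN_LIFETIME_SECONDS = 3600 # assumption: how long an issued token stays valid


def sign_request(public_key, secret_key, timestamp, nonce, body):
    """Client side: MAC over every field the server will check, so none of them
    can be altered or reused independently. The secret never leaves the client."""
    msg = f"{public_key}\n{timestamp}\n{nonce}\n".encode() + body
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now              # injectable clock so expiry can be tested
        self.seen_nonces = {}       # nonce -> timestamp, pruned on each check
        self.tokens = {}            # token -> expiry (epoch seconds)

    def is_valid_request(self, public_key, timestamp, nonce, body, authorization):
        """Server side: returns a fresh token, or None if anything fails."""
        secret = self.keys.get(public_key)
        if secret is None:
            return None
        now = self.now()
        if abs(now - timestamp) > CLOCK_SKEW_SECONDS:
            return None             # stale or future-dated request
        # Forget nonces that are outside the window; they can no longer replay.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= CLOCK_SKEW_SECONDS}
        if nonce in self.seen_nonces:
            return None             # exact replay of an accepted request
        expected = sign_request(public_key, secret, timestamp, nonce, body)
        if not hmac.compare_digest(expected, authorization):
            return None             # signature does not match the fields sent
        self.seen_nonces[nonce] = timestamp
        token = secrets.token_hex(32)
        self.tokens[token] = now + TOKEN_LIFETIME_SECONDS
        return token

    def is_logged_in(self, token):
        """Token is accepted only until its recorded expiry."""
        expiry = self.tokens.get(token)
        if expiry is None or self.now() > expiry:
            self.tokens.pop(token, None)
            return False
        return True
```

Note that a passive observer still learns the public key, timestamp, nonce, body and signature; the signature only stops them from changing or repeating that request, not from reading it.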

1 Answer


edit

it's hard to find out what you are really looking for. you are talking about connection security over HTTP. your only openings to HTTP are your $_POST vars (unless you are running PHP < 5.3 and register_globals = on); the rest of your code is server-side stuff.

your $_POST vars will be a problem as long as you don't use MySQL parameters of any kind. but since there is nothing else affected by an HTTP connection, there is nothing more to say about it.



old answer

This is not secure at all, since you are using the old and deprecated PHP MySQL Library: http://php.net/manual/en/intro.mysql.php

Furthermore it is vulnerable to MySQL Injections. That's mentioned multiple times here on SO, see this answer for example: https://stackoverflow.com/a/60496/3391783

You should really switch to the newer PHP libraries like "mysqli" or "PDO" and use MySQL parameters to prevent SQL injections.

low_rents
  • Please read full question. I already told that look only for architecture. – Mayank Kumar Nov 24 '14 at 09:48
  • @MayankKumar well, if you got such security issues in your `mysql` part already, then it's hard to look for other issues. fix the obvious issues first, then edit your question or ask again. – low_rents Nov 24 '14 at 09:55
  • Hey I am not deploying that code to the server. I am asking here for the architecture and flow. I'll obviously take care of anything else. It seems you have no knowledge of architecture and logic that's why you are so much behind the code. This code is only for demonstration purposes. – Mayank Kumar Nov 24 '14 at 09:57
  • ok, then: this **architecture** is not secure for connection over HTTP since it will get SQL-injected via HTTP. better? – low_rents Nov 24 '14 at 10:02
  • no, not better. Before deployment to the server I'll implement the db connection via PDO. I will use a more secure hashing mechanism, IP-address limitation and other such things. How's that then? – Mayank Kumar Nov 24 '14 at 10:11
  • @MayankKumar your only openings to HTTP in your code are the `$_POST`- vars, unless you are running PHP < 5.3 and `register_globals = on` – low_rents Nov 24 '14 at 10:17
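The answer's point about parameters, as an added example that is not the answer's own code: the question's token lookup written twice, once with the value spliced into the SQL text the way the posted `mysql_query("... WHERE token='$token'")` does it, and once with a bound parameter. It uses Python's sqlite3 module against a constructed in-memory table; PDO and mysqli bind values the same way, with placeholders instead of string building. The token value is a constructed sample.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the question's `tokens` table, holding one
    token the server actually issued (sample value)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (id INTEGER PRIMARY KEY, token TEXT NOT NULL)")
    conn.execute("INSERT INTO tokens (token) VALUES ('c0ffee')")
    conn.commit()
    return conn


def token_exists_concat(conn, token):
    """Mirrors the posted query: the client-supplied value becomes part of the
    SQL text, so any SQL syntax inside it is parsed and executed."""
    sql = f"SELECT id FROM tokens WHERE token='{token}'"
    return conn.execute(sql).fetchone() is not None


def token_exists_param(conn, token):
    """Same query with a bound parameter: the driver passes the value
    separately from the statement, so it is only ever compared as data."""
    row = conn.execute("SELECT id FROM tokens WHERE token=?", (token,)).fetchone()
    return row is not None
```

The check that matters is the last pair of assertions: a value that was never issued as a token is accepted by the concatenated version and rejected by the parameterized one, which is why the answer says the `$_POST` vars are the part of this code an HTTP client can actually reach.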