-1

I am using curl in php to post data from my local server to a webhost server:

    $post = array('test' => 'this is a test');
    $url = "https://my-app.000webhostapp.com";
    $curlSesh = curl_init();
    curl_setopt($curlSesh, CURLOPT_URL, $url);
    curl_setopt($curlSesh, CURLOPT_POST, true);
    curl_setopt($curlSesh, CURLOPT_POSTFIELDS, $post);
    curl_setopt($curlSesh, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($curlSesh);
    curl_close($curlSesh);
    echo "response: ";
    echo $response;
    if ($response == "validate post") echo ' post has been validated';

On my 000webhost server, I accept the array sent in $post using file put contents:

    file_put_contents('incomingData.txt', $_POST["test"] . "\n", FILE_APPEND);

Surely this means that anyone can send a post request to my webhost server with an array key 'test' and that will be placed in my incomingData.txt file? This is extremely unsecure. Is there a way to make it so only my local server data is accepted, or maybe can I encrypt the data in some way? Thanks.

jww
Ethan SK

2 Answers

2

To clarify, your data is already being encrypted by using https://. There are a plethora of ways to authenticate your traffic, but a simple way would be to add a "private key" in your post statement.

So you could do

    $post = array('key' => 'some private key', 'text' => ... );

And on the server check to ensure dirty data isn't getting through

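    // Reject unless the key is present, is a string, and matches (constant-time comparison)
    if (!is_string($_POST['key'] ?? null) || !hash_equals('the key you made', $_POST['key']))
        die();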
mconkin
  • Ah! I had my suspicions that was how it is done. Thanks! – Ethan SK Mar 30 '17 at 17:03
  • @EthanSK it may be worth noting that this answer presents a significant risk that if the data is compromised then the secret key will be compromised and so all previous communications will be therefore compromised. – Martin Mar 30 '17 at 17:07
  • Yes but surely this is very hard as all data is sent using secure https? – Ethan SK Mar 30 '17 at 17:08
  • True, but @Martin's answer is much more acceptable for professional code. – mconkin Mar 30 '17 at 17:19
2

To authenticate your data received by your Curl request, beyond reasonable doubt as to its authenticity, you can use an HMAC system, which is a Hash-based Message Authentication Code and is also what TLS (https) uses to verify the data received is the same as the data sent in a transfer.

An HMAC is a small set of data that helps authenticate the nature of a message; it protects the integrity (and by extension the authenticity) of the message.

The method is this:

1. Collect your data you are sending into a single string/array/object value.
2. Add a secret key.
3. Create a hash of the combined data + secret key. This is the HMAC.
4. Send the data "payload" and the HMAC to the receiver.
5. Do NOT send the secret key.
6. Receiver then collects the payload, and adds its own copy of the secret key and generates a hash, as the sender did.
7. If the local HMAC is equal to the HMAC sent over the wire, this shows that the payload data sent is the same as the payload data received.
8. A BIG advantage to this method is that unlike ma11ocs answer your secret key is never shared or transported in the data (payload) it is protecting.

The secret key is a unique piece of information that is used to compute the HMAC and is known both by the sender and the receiver of the message but is never sent within the message. This key will vary in length depending on the algorithm that you use. Some algorithms are better than others, some such as MD5 should not be used as they're too fast and easily researched.

Martin
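
The HMAC steps from the answer above, as an added example that is not part of the original answer: it uses PHP's built-in `hash_hmac()` (the standard HMAC construction, rather than a plain hash of data plus key) and `hash_equals()` for the comparison. `SHARED_KEY`, `sign_payload()` and `verify_payload()` are hypothetical names, and the key and the three requests are constructed sample values.

```php
<?php
// Added example; SHARED_KEY, sign_payload and verify_payload are hypothetical names.
// Constructed placeholder key: in practice, load it from config outside the web root on both servers.
const SHARED_KEY = 'constructed-demo-key-replace-me';

// Sender side: returns the fields that would be passed to CURLOPT_POSTFIELDS.
function sign_payload(array $data, string $key): array
{
    $payload = json_encode($data);                    // step 1: one string
    $mac = hash_hmac('sha256', $payload, $key);       // steps 2-3: keyed hash of the payload
    return ['payload' => $payload, 'hmac' => $mac];   // steps 4-5: the key itself is not sent
}

// Receiver side: $post stands in for $_POST. Returns the decoded data, or null if rejected.
function verify_payload(array $post, string $key): ?array
{
    $payload = $post['payload'] ?? null;
    $mac = $post['hmac'] ?? null;
    if (!is_string($payload) || !is_string($mac)) {
        return null;                                  // missing or array-valued field
    }
    $expected = hash_hmac('sha256', $payload, $key);  // step 6: recompute with the local key
    if (!hash_equals($expected, $mac)) {              // step 7: constant-time comparison
        return null;
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// Constructed demo: a genuine request, a modified one, and one signed with the wrong key.
$genuine = sign_payload(['test' => 'this is a test'], SHARED_KEY);
$tampered = $genuine;
$tampered['payload'] = json_encode(['test' => 'injected line']);
$forged = sign_payload(['test' => 'injected line'], 'guessed-key');

foreach (['genuine' => $genuine, 'tampered' => $tampered, 'forged' => $forged] as $name => $post) {
    $data = verify_payload($post, SHARED_KEY);
    if ($data === null) {
        echo "$name: rejected\n";
        continue;
    }
    // Only verified data would reach the file_put_contents() call from the question.
    echo "$name: accepted, would append: " . $data['test'] . "\n";
}
```

A captured valid request can still be replayed unchanged; including a timestamp or nonce inside the signed payload and checking it on the receiver is the usual addition.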
  • can't I just create my own algorithm that adds 5 and multiplies by 29 for example, and then sends that number using curl, and then on the other server it does the opposite of my algorithm to decrypt it? Surely if I did something similar or a bit more complex, no one would guess it because they do not know what they are even looking for (random password for example) ? – Ethan SK Mar 30 '17 at 17:12
  • @EthanSK are you just sending numerical values? What you describe is very broadly speaking the same system as I have described. The `+5 * 29` is the *secret key* as it works to generate and then decode the data without being sent *in* the data. – Martin Mar 30 '17 at 17:17
  • @EthanSK ["Schneier's Law"](https://www.schneier.com/blog/archives/2011/04/schneiers_law.html): Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. – zaph Mar 30 '17 at 17:18
  • @Martin well yeah if I sent a numerical value to act as a password of sorts, then wouldn't it just be easier to use my own algorithm rather than implement some complex pre built algorithm? – Ethan SK Mar 30 '17 at 17:36
  • @EthanSK [No](https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own) (well, yes, if you want to risk it being easily cracked and abused by others, which I doubt you do otherwise you wouldn't care it's on TLS...) – Martin Mar 30 '17 at 18:13
  • @EthanSK Don't ever use a home brewed algorithm when it comes to security and cryptography. This rule literally has 0 exceptions. – Luke Joshua Park Mar 30 '17 at 20:00