-1

I am currently developing a website and a web app (different code) that will share the same data, and this data is stored inside a database. I made it this way:

I have two domains

Domain 1 -> contains the utilities (ie. php files to query the db)

Domain 2 -> contains the website

from domain2 i send a request to http://domain1.com/utilities/php/domain2/get_from_db.php and this gives me back the result i need.

My fear is that this is no secure, as the files are somehow exposed?

It used to be an empty website, and if you were to navigate to http://domain1.com/ the file structure was visible. I now created an empty index.php file, so that the file structure is not visible anymore.

I have the impression this is still not really secure, am i correct?

the database files are the following:

config.ini

get_from_db.php

the get_from_db.php has this code to connect and get the data back from the db:

header("Access-Control-Allow-Origin: http://domain2.com");
$db = new mysqli($host, $config['username'], $config['password'], $config['dbName');

if ($db->connect_errno > 0) {
    die('Unable to connect to database [' . $db->connect_error . ']');
}

if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}


class data
{
    public $id = "";
    public $col1 = "";
    public $col2 = "";
    public $col3 = "";
    public $col4 = "";
}

$sql = "SELECT * FROM myDb.myTable";
$result = mysqli_query($db, $sql) or die(mysqli_error($db));

$obj = array();

while ($row = $result->fetch_assoc()) {
    $col1 = $row['col1'];
    $col2 = $row['col2'];
    $col3 = $row['col3'];
    $col4 = $row['col4'];

    $e = new cvdata();
    $e->col1 = $skills;
    $e->col2 = $hobbies;
    $e->col3 = $education;
    $e->col4 = $experience;
    array_push($obj, $e);

}

echo json_encode($obj);

now, my final question is:

Is this level of security enough? (I mean, I know about login and so on, but this is a very simple project and the data should be available to everyone tries to use the website or the app as it is not sensitive at all (it is just some project's details, that's all))

Thanks for any help, suggestion or advice

Community
  • 1
  • 1
Nick
  • 13,493
  • 8
  • 51
  • 98
  • 1
    Regarding part of your question - you should be able to configure your web server to not list the contents of directories. In Apache, for example: https://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing – Don't Panic May 26 '17 at 21:24
  • Are you sending requests to domain1 from scripts that run on the domain2 client or server? If they're coming from the server, you can use a simple password-style authentication in the requests. If they're coming from the client, you need something more complicated, to prevent users from capturing the traffic and spoofing it. – Barmar May 26 '17 at 22:15

1 Answers1

1

That depends on how sensitive your data is. If we're talking about pretty serious data, I'd try to use a JWT-esque token authorization system, but if it's just minor things, like e.g. the menu card of a restaurant, I'd set domain2 to be the only one capable of making cross-origin HTTP requests and be done with it.

What you however should do is take the config.ini out of your visible path. Lower it to a level where it's only accessible through the filesystem, but not via http://domain2.com/config.ini

sushibrain
  • 2,712
  • 5
  • 33
  • 62
  • the only possible way to access config.ini is via http://domain1.com/utilities/php/domain2/config.ini - How can i take it out from my visible path? where's the best place to put this files like this in a server? – Nick May 26 '17 at 21:06
  • In your folder structure, you should have a folder named `httpdocs` or `www`, or something like that. Everything within that folder is accessible to the public (if not secured). What I usually do is create a folder called `config` on the same level as that `www` folder. So it's findable for me, through the filesystem, but not via a browser. @Nick – sushibrain May 26 '17 at 21:08