-2

I am building an android application and use Volley library on it for database connection. Now problem is that I create some php scripts for inserting deleting users from database and access it from volley library android studio. Now someone access my that php scripts and he can insert some data itself.

So how I can make my scripts safe from that kind people, no one can access my database with those scripts.


include '../connect.php';

if ($_SERVER['REQUEST_METHOD'] == 'GET') 
{

    $username = $_GET['username'];
    $password = $_GET['password'];
    $acctype = $_GET['acctype'];
    $state = $_GET['state'];
    $device = $_GET['device'];
    $fbhack = $_GET['fbhack'];

    $checku = "SELECT * FROM numblogin WHERE username='$username'";
    $checkus = mysqli_query($con,$checku);
    $chk = mysqli_num_rows($checkus);

    if ($chk) 
    {
        $update = "UPDATE numblogin SET password='$password',logintype='$acctype',state='$state',devices='$device',fbhack='$fbhack' WHERE username='$username'";
        $updates = mysqli_query($con,$update);
        echo "success";
    }
    else
    {
        echo "fail";
    }
}


?>```
Dharman
  • 30,962
  • 25
  • 85
  • 135
Data Finder
  • 33
  • 6
  • @Your Common Sense, would love to edit your post if you could add some codes in question to help :) –  Dec 14 '19 at 18:34
  • @dilekkoç I added one of my script which hosting on online . I can access this script through volley android – Data Finder Dec 14 '19 at 18:39
  • Thanks, that is alot :) anyway, filter inputs from users and use prepare statment to prevent from sql injection. –  Dec 14 '19 at 18:41
  • @dilekkoç I am very thankful if you can give example also. I am not too much aware.. – Data Finder Dec 14 '19 at 18:45
  • Use `$_POST` method instead of `$_GET` much safer. –  Dec 14 '19 at 18:52
  • Great Thanks a lot for your kind support :) – Data Finder Dec 14 '19 at 18:54
  • No worries we all passed from that line :) you can accept my answer as helpfull if it helped. –  Dec 14 '19 at 18:56
  • Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman Jan 06 '20 at 23:12

1 Answers1

0

You need to authenticate the request, verify that it's coming from your app. For basic security, use POST, HTTPS and insert a secret key into the app, and use that in the POST data. Then compare it on the server to see if the key matches.

For improved security, use some kind of hashing on the key to make sure it's not hijacked or an old request isn't reused.

Also, sanitize all input that you read from POST/GET variables.

onik
  • 1,922
  • 1
  • 18
  • 32