C++/CURL - Passing data through PHP request the safe way?


I'm trying to send data via cURL to a PHP file, which can then do other actions such as hashing the password/data with a salt, running database queries etc. It seems to work fine, but there's one problem. I'm not sure how secure it is, with regard to an authorization token for example. I want to be able to query data from the PHP file using the written application only. You can see how this could become a problem if people had access to the link through a web browser, for example.

I've included the code below, in case anyone needs something similar.

main.cpp

    #include <iostream>
    #include <string>
    #include <initializer_list>
    #include <thread>
    #include <chrono>
    #include <cstdio>
    #include <curl/curl.h>
    #include <sha.h>
    #include <hex.h>
    #include <filters.h>

    using namespace std;
    using namespace CryptoPP;

    // libcurl write callback: append the received bytes to the std::string passed as CURLOPT_WRITEDATA
    size_t write_to_string(void *ptr, size_t size, size_t count, void *stream)
    {
        ((string*)stream)->append((char*)ptr, size * count);
        return size * count;
    }

    template <class T>
    string querydb(initializer_list<T> list) // use initializer_list to query an undefined number of params
    {
        CURL *curl;
        CURLcode res;

        string submitdata = "", query_result;

        int i = 1;
        for (auto elem : list) // for each param, append it to the submitdata string
        {
            if (i == 1) { // if first param, append "?"
                string d = "?" + to_string(i) + "=" + elem;
                submitdata.append(d);
            } else { // if not the first param, append "&" as it's the second, third, fourth ... param
                string d = "&" + to_string(i) + "=" + elem;
                submitdata.append(d);
            }
            i++;
        }

        curl_global_init(CURL_GLOBAL_ALL);
        curl = curl_easy_init();

        if (curl)
        {
            string loginurl = string("http://localhost/login.php");

            curl_easy_setopt(curl, CURLOPT_USERPWD, "randomhttpuser:randomhttppassword");
            curl_easy_setopt(curl, CURLOPT_URL, (loginurl + submitdata).c_str());
            curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_string);
            curl_easy_setopt(curl, CURLOPT_WRITEDATA, &query_result);
            curl_easy_setopt(curl, CURLOPT_TIMEOUT, 20L);
            res = curl_easy_perform(curl);

            if (res != CURLE_OK)
                fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
            curl_easy_cleanup(curl);
        }
        else {
            query_result = "connection failed";
        }
        curl_global_cleanup();

        return query_result;
    }

    // hex-encoded SHA-256 of the input, computed with Crypto++
    string sha256hash(string input)
    {
        SHA256 hash;
        string hashed_input;

        StringSource ss(input, true, new HashFilter(hash, new HexEncoder(new StringSink(hashed_input))));

        return hashed_input;
    }

    int main()
    {
        string username = "testuser";
        string raw_password = "testpass";

        // hash the password and send the query to the PHP file
        // query_result holds the value of the request response
        auto hashed_password = sha256hash(raw_password);
        auto query_result = querydb({ username, hashed_password });

        cout << "=========================================== [ POST ] ===========================================" << endl;
        cout << "user: " << username << endl;
        cout << "raw password: " << raw_password << endl;
        cout << "hashed password: " << hashed_password << endl;
        cout << "========================================== [ REQUEST ] =========================================" << endl;
        cout << query_result << endl;

        this_thread::sleep_for(chrono::seconds(15));
        return 0;
    }

login.php

    <?php

    $reqparams = array();

    function addstringtoarray($name, $string)
    {
        global $reqparams;
        $reqparams[$name] = $string;
    }

    /* check if the specified param exists in the reqparams array */
    function getrequestparam($value)
    {
        global $reqparams;

        if (array_key_exists($value, $reqparams)) {
            $returnvalue = $reqparams[$value];
        } else {
            $returnvalue = "invalid parameter";
        }

        return $returnvalue;
    }

    $authuser = "randomhttpuser";
    $authpw = "randomhttppassword";
    $authorized = false;

    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Failed to authorize!';
        exit;
    } else {
        if ($_SERVER['PHP_AUTH_USER'] == $authuser && $_SERVER['PHP_AUTH_PW'] == $authpw) {
            $authorized = true;
        } else {
            $authorized = false;
            die('Failed to authorize!');
        }
    }

    if ($authorized == true) {
        /* store each request key and its value in the $reqparams array using the addstringtoarray function */
        foreach ($_REQUEST as $key => $value) {
            $value = addslashes($value);
            $value = strip_tags($value);

            addstringtoarray($key, $value);
        }

        /* you should remember in which order you called the params in the request query or, if you want, you can use:
           $variable = $_REQUEST['param_name'];
           however, if an undefined param is specified, it results in a warning and ruins the output, hence the manual parsing */

        $user = getrequestparam(1);
        $pass = getrequestparam(2);

        /* getrequestparam returns 'invalid parameter' instead of a warning when an undefined param is requested */
        $invalid_param = getrequestparam(42);

        /* re-hash the password with a salt that's stored in the PHP file only, before using it or comparing it with the value stored in the database or doing whatever else */
        $salt = $user . $pass . "secretkey42";
        $salt_hashed_password = strtoupper(hash('sha256', $salt));

        echo "user: $user";
        echo "\nhashed password: $salt_hashed_password (salt)";
    }

    ?>

Edit: If I use an HTTP header, isn't it possible to reverse the application and abuse it?

Edit: I decided to use HTTP authentication as a temporary measure.

I stored a randomly generated username and password in the PHP file and compare them to the PHP_AUTH_USER/PW sent in the HTTP header by the C++ application using CURLOPT_USERPWD:

    curl_easy_setopt(curl, CURLOPT_USERPWD, "randomhttpusername:randomhttppassword");

Hopefully, it will at least make it a bit harder for a hacker. First he would have to reverse the application for the user/password, and only after that can he query the response for whether the password belongs to the specified user or not - since all of the queries are hard coded. I will store the number of failed logins and temporarily ban him for X amount of time. The rest of the queries are made after the login returns true.

I've updated the code above to use the changes I've made and added comments in case you're too lazy to go over the code line-by-line. Feel free to give me tips on how to improve the code or optimize it for better use.
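The login.php above compares the Basic-auth credentials with ==, echoes the computed hash back to the caller, and derives its "salt" from a shared string ("secretkey42") embedded in the script. The following is an added example, not the asker's code, that keeps the same flow (Basic-auth gate, then user/password check) but rewrites it the way a reviewer would suggest: constant-time comparison of the app credentials with hash_equals, per-user bcrypt hashes via password_hash/password_verify (each of which carries its own random salt, so no shared secret string is needed), and a random session token in the response instead of the hash. The $users array, the credential strings and the parameter names user/pass are constructed placeholders. Under this scheme the C++ client sends the password itself rather than a client-side SHA-256, and the endpoint must be served over HTTPS, since Basic auth otherwise exposes the embedded app credentials on the wire.

```php
<?php
// Added example (not the asker's code): hardened login.php.
// All credential values and the $users table below are constructed placeholders.

// 1. Basic-auth gate. The app credential is recoverable from the client binary,
//    so treat it only as "which application is talking", not as authentication.
//    hash_equals() compares in constant time, unlike ==.
$authuser = 'randomhttpuser';
$authpw   = 'randomhttppassword';

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    || !hash_equals($authuser, $_SERVER['PHP_AUTH_USER'])
    || !hash_equals($authpw, $_SERVER['PHP_AUTH_PW'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    http_response_code(401);
    exit('Failed to authorize!');
}

// 2. Read parameters by name from the POST body (not the query string, which
//    lands in access logs) and reject missing ones with a clear status code.
$user = $_POST['user'] ?? null;
$pass = $_POST['pass'] ?? null;
if ($user === null || $pass === null) {
    http_response_code(400);
    exit('Missing parameters');
}

// 3. Stored credentials: one bcrypt hash per user, produced once with
//    password_hash() at registration. Constructed sample row; in a real
//    deployment the hash is read from the database by user name.
$users = [
    'testuser' => password_hash('testpass', PASSWORD_DEFAULT),
];

// 4. Verify without revealing whether the user exists: run password_verify
//    against a dummy hash for unknown users so the timing is the same.
$dummy  = password_hash('dummy', PASSWORD_DEFAULT);
$stored = $users[$user] ?? $dummy;
$ok     = password_verify($pass, $stored) && isset($users[$user]);

if (!$ok) {
    // The failed-login counter / temporary ban the asker plans belongs here,
    // keyed on user and source address and kept server-side.
    http_response_code(403);
    exit('Login failed');
}

// 5. Return only a fresh random session token, never the hash or password.
//    Store $token server-side against $user with an expiry before returning it.
$token = bin2hex(random_bytes(32));
header('Content-Type: application/json');
echo json_encode(['user' => $user, 'token' => $token]);
```

On the client side this only changes the request: POST user and pass with CURLOPT_POSTFIELDS to an https:// URL, keep CURLOPT_USERPWD for the app credential, and hold the returned token for the subsequent queries; the server, not the binary, remains the only place that decides whether a login succeeded.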

From what I understood, you want to implement some sort of login system using auth tokens. In that case, OAuth can do the job. Here's a tutorial written on SitePoint that can guide you through the process.

