Let me tell you my dilemma

Post by doctorized »

For a few months now, I have had a dilemma. I want to make a project that will access a database. As the db will be accessed by many computers, not all in the same physical building, the db must be on a server. In my profession, we use some servers for mail, hosting, etc. Those servers, running Linux (RedHat x64), offer db hosting that can be accessed only by php and edited by phpmyadmin, no other way. So, in my case, there are two solutions:
1) make a php project that will access the db and do all the work (authentication, show data, forms for input, etc).
2) make a PB app which will communicate with a web service that will do read/write from/to the db.
In both cases, security is needed. The server supports TLS but pages are shown via http, no https. So my php files will have no security. On the other hand, the web service needs to run 24/7. I don't have the right to do it. I don't know how to do it. I have tried to contact the server staff with no success. I prefer the second one as it is easier to make the client and the web service (I don't know how to connect with TLS but I know how to use AES, even QAES, which was posted in Tips and tricks a few weeks ago, with PB's native network commands).

So, if you were me, what would you do?

(If I were me, I would change planet to find peace of mind.)

Post by doctorized »

A friend gave me some good advice: have a php file in the web service role to do the db job for PB clients. I am thinking of this: php needs the db name and password to access the db. Also the user needs authentication. So, the PB client makes a string like:

dbname="...."|dbpass="..."|username="...."|userpass="..."|query="....."

That string will be AES encrypted and then passed through Base64 to become text. I add the initial string's CRC code (for validity) at the end of the Base64 and send it to the php. The php file will decrypt the string and use it to run the query. If the db name and password are wrong or the username and password are wrong, then no query is executed.

There is a disadvantage in this solution. The db name and password must be known to the client. I am thinking of storing them in a pre-encrypted Base64 string with AES (different key) and some other XOR procedures that I have. If someone downloads the php file, these strings will be useless without my app.

So, what do you think?

Post by Mijikai »

Maybe u can use a unique UserId instead of Password and Username.

Post by Bisonte »

dbname and dbpass should already be known on the server (via a config file in a secured folder).
Only a username and a password are needed .... (make an account table in your database for this)
so all the db stuff is done with php and pb is only to send the requests.

Post by infratec »

One other idea:

replace the libmariadb and lib with the one from:

https://mariadb.com/download-confirmati ... 11.57%20MB

Then set up your server for a TLS connection.
This dll is compiled with secure connections enabled.
This means that, if it is possible, the connection is done via TLS.

I can not try it at the moment.

Post by doctorized »

Bisonte wrote:
> dbname and dbpass should already be known on the server (via a config file in a secured folder).
> Only a username and a password are needed .... (make an account table in your database for this)

Before entering phpmyadmin, the db managing system tells me the db name and password. Without them the php cannot connect.

Bisonte wrote:
> so all the db stuff is done with php and pb is only to send the requests.

Exactly!

infratec wrote:
> One other idea:
>
> replace the libmariadb and lib with the one from:
>
> https://mariadb.com/download-confirmati ... 11.57%20MB
>
> Then set up your server for a TLS connection.
> This dll is compiled with secure connections enabled.
> This means that, if it is possible, the connection is done via TLS.
>
> I can not try it at the moment.

I don't have hands on the server, I am just a user, not admin. Can I still install it on Linux? The server has cURL, can it be useful?

EDIT: the server supports TLS, I've seen it in Filezilla when it connects to upload files.

Mijikai wrote:
> Maybe u can use a unique UserId instead of Password and Username.

How will the user authenticate? Create a hash with the credentials and save it to the db?
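
A sketch of the PHP side that Bisonte's suggestion and the question about storing a hash point to, added here as an example and not code from any poster: the db credentials sit in a server-side config file, user passwords are stored as salted hashes in an account table, and the client names an action instead of sending SQL. The config path, the `accounts` and `notes` tables, the `action` field and the two action names are assumptions made for illustration.

```php
<?php
// Added example. Assumed: ../private/db_config.php, tables accounts/notes, action names.
// DB name and password stay on the server, in a file outside the web root that
// returns ['dsn' => ..., 'user' => ..., 'pass' => ...]; the client never has them.
$cfg = require __DIR__ . '/../private/db_config.php';
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Read one POST field as a string; arrays and missing fields become ''.
function field(string $k): string {
    return is_string($_POST[$k] ?? null) ? $_POST[$k] : '';
}

// Run once per user when the account is created: only a salted hash is stored.
function create_account(PDO $pdo, string $user, string $pass): void {
    $pdo->prepare('INSERT INTO accounts (username, pass_hash) VALUES (?, ?)')
        ->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Returns the account id on success, null on unknown user or wrong password.
function authenticate(PDO $pdo, string $user, string $pass): ?int {
    $st = $pdo->prepare('SELECT id, pass_hash FROM accounts WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($pass, $row['pass_hash'])) ? (int)$row['id'] : null;
}

// The client picks an action by name; the SQL text is fixed on the server.
$actions = [
    'list_notes' => ['SELECT id, body FROM notes WHERE owner_id = :uid', []],
    'add_note'   => ['INSERT INTO notes (owner_id, body) VALUES (:uid, :body)', ['body']],
];

header('Content-Type: application/json');
$uid = authenticate($pdo, field('username'), field('userpass'));
$act = $actions[field('action')] ?? null;
if ($uid === null || $act === null) {
    http_response_code($uid === null ? 401 : 400);
    exit(json_encode(['ok' => false]));
}
[$sql, $extra] = $act;
$params = ['uid' => $uid];
foreach ($extra as $f) { $params[$f] = field($f); }
$st = $pdo->prepare($sql);
$st->execute($params);
$rows = $st->columnCount() > 0 ? $st->fetchAll(PDO::FETCH_ASSOC) : [];
echo json_encode(['ok' => true, 'rows' => $rows]);
```

This covers credential handling and query construction only; keeping the password private on the wire still depends on reaching the script over HTTPS, which the thread leaves unresolved.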