dongmeijian1716 2013-11-10 22:02
浏览 37
已采纳

在PHP代码或iOS应用程序代码中存储密码的位置?

Not sure if this is totally code related, but at the least, it's somehow programming/security related.

I have an iPhone mobile app, which sends/retrieves info to/back from my server, which uses PHP to query database. The database needs username and password, unsurprisingly. My question is that I should put the credential in my PHP code or in my iOS app code. If put into PHP page, good thing is that it's on the server, nobody can view the PHP code and gets password, but anyone knows the PHP page can play with it and therefore mess up my db. If put into app code (pass the password to PHP via parameter), good thing is that the PHP page won't function unless password is passed via parameter, but there are couple of disadvantages, I think: password in URL is not safe and password in iOS app in a jail-brake device is not safe either.

One I know a little bit but don't have much know-how is to hash my password in iOS app code, and before passing it to PHP.

  • 写回答

3条回答 默认 最新

  • drqja5919276 2013-11-10 22:09
    关注

    There's lots of ways to do this, I've recently done an app similarly myself. First off, the credentials should definitely live on the server. What you should do is use some sort of hash. The iOS app generates a hash based on several things, a bad example would be

    md5('supersecretkey' . 'asd123')
    

    The first key is in the PHP code and iOS code, the second is randomly generated. So the app calls the script like this:

    script.php?hash=1a79a4d60de6718e8e5b326e338ae533&key=asd123
    

    The script does the function above with the key and the secret key, it now knows that it must have been the iOS app that generated it.

    This is a really simple example of one way of thinking about it, in reality someone could still just decompile the iOS app and get the string, it depends how much you think people are going to try and reverse engineer whatever it is you are writing.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 求差集那个函数有问题,有无佬可以解决
  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题