doulu8446 2013-01-20 20:41

Types of HTTP authentication and how to design a secure database? [closed]

Some months ago I worked on an iOS (iPhone) application that allowed users to create some kinds of events and post them as XML/JSON files to a web server. Then through their device they were able to view events from different users etc.

The idea to build the whole thing was pretty basic. When the application launched for the first time, the application connected to a URL and asked for a user id (which is unique for every user). Then every time the user wanted to post something, we used HTTP Basic Authentication and sent as a header the user's id and an XML file which contained all the information about the event created. I never worked on the server side, so I had no idea how secure the whole system was.

A few days ago I started working on an application of mine, which is the same idea, so I first started working on the server side (PHP). Before I started I wanted to see how secure the previous project of mine was, and I was shocked there was no security of any kind. Just by using a simple web debugger (sniffer) I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was, and how the server answered.

So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that. In this case we used HTTP Basic Authentication.

My question now is: what kind of authentication shall I use so that it is not visible what kind of files are exchanged between the server and the user (XML), and how can I design the sign-up mechanism so someone can't create a million ids with a simple script?

I don't want to build a super secure application, but one that at least has some basic kind of security. As I am very new to PHP, you could give me some links to check on what security mechanisms I should use or, even better, some tutorials. Also, if you developed something like this before, what kind of security did you use and what would you suggest?

2 answers

  • dongzhuoxie1244 2013-01-20 21:02

    > Just by using a simple web debugger (sniffer) I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was, and how the server answered.

    Use SSL to prevent man-in-the-middle attacks.

    > So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that.

    That's the nature of network communication. Use heuristics to limit the amount of unwanted data. Some examples:

    1. A single user_id can create at most one event per second.
    2. Let the client sign the request for a user_id and verify the signature on the server.

    These are not sure-fire ways to prevent abuse, but there is no total security. The suggested methods will keep out most of the script kiddies, though.

    This answer was selected as the best answer by the asker.
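
The two heuristics from the accepted answer, sketched in PHP as an added example that is not part of the original thread: the server verifies an HMAC-SHA256 signature on the user_id request and allows one event per second per user_id. The secret, paths, function names and the in-memory `$lastSeen` store are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not code from the original thread.
declare(strict_types=1);

const APP_SECRET = 'constructed-demo-secret'; // assumption: key shipped inside the app build
const MAX_SKEW   = 300;                       // assumption: accept timestamps within 5 minutes

// What the client computes and sends alongside the request.
function sign_request(string $method, string $path, int $ts, string $body): string
{
    $msg = implode("\n", [$method, $path, (string)$ts, hash('sha256', $body)]);
    return hash_hmac('sha256', $msg, APP_SECRET);
}

// Server side: reject stale timestamps, then recompute the MAC and compare in constant time.
function verify_request(string $method, string $path, int $ts, string $body, string $sig, int $now): bool
{
    if (abs($now - $ts) > MAX_SKEW) {
        return false; // limits replay of a captured request
    }
    return hash_equals(sign_request($method, $path, $ts, $body), $sig);
}

// At most one event per second per user_id.
// $lastSeen stands in for a shared store (database row, Redis, APCu).
function allow_event(array &$lastSeen, string $userId, float $now): bool
{
    if (isset($lastSeen[$userId]) && $now - $lastSeen[$userId] < 1.0) {
        return false;
    }
    $lastSeen[$userId] = $now;
    return true;
}

// Constructed demo input for the user_id request.
$body = '{"device":"constructed-demo"}';
$ts   = 1358715720;
$sig  = sign_request('POST', '/users', $ts, $body);

var_dump(verify_request('POST', '/users', $ts, $body, $sig, $ts + 10));       // untampered request
var_dump(verify_request('POST', '/users', $ts, $body . 'x', $sig, $ts + 10)); // body changed in transit
var_dump(verify_request('POST', '/users', $ts, $body, $sig, $ts + 3600));     // timestamp an hour old

$seen = [];
var_dump(allow_event($seen, 'u42', 100.0)); // first event from this user_id
var_dump(allow_event($seen, 'u42', 100.4)); // 0.4 s after the accepted event
var_dump(allow_event($seen, 'u42', 101.1)); // 1.1 s after the accepted event
```

A key embedded in the app can be extracted from the binary, which is why the answer calls these heuristics rather than guarantees; the signature still has to travel over SSL so the request body is not readable on the wire.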