Thread: prevent unauthorized posting to a php page

  1. #1

    Thread Starter
    Still learning kebo's Avatar
    Join Date
    Apr 2004
    Location
    Gardnerville,nv
    Posts
    3,758

    prevent unauthorized posting to a php page

    Hey all,

    I have a little Arduino web client I've built that posts data to a PHP page using HTTP requests. The PHP page stuffs the data in the request into a database that resides behind my ISP's firewall. This is all good and working.

    My question is how do I prevent some other application from making the same post and stuffing bogus data into the database?

    Do I need to encrypt the content? (I hope not because code space in the Arduino is worth more than my truck)
    Is there a way to know where the request came from, even if it's sent from a dynamic IP address?

    I could think of a few ways to do this, but would like to know the opinions of the community.

    Any insight or tips would be worth a dollar or 2 at least.
    thanks
    kevin

    ps the Arduino doesn't have the horsies to support HTTPS. I could move to the Arduino yun which does, but that is by far a distant alternative.
    Last edited by kebo; Jul 19th, 2016 at 06:13 PM.
    Process control doesn't give you good quality, it gives you consistent quality.
    Good quality comes from consistently doing the right things.

    Vague general questions have vague general answers.
    A $100 donation is required for me to help you if you PM me asking for help. Instructions for donating to one of our local charities will be provided.

    ______________________________
    Last edited by kebo : Now. Reason: superfluous typo's

  2. #2
    Frenzied Member tr333's Avatar
    Join Date
    Nov 2004
    Location
    /dev/st0
    Posts
    1,605

    Re: prevent unauthorized posting to a php page

    How secure does this need to be? In other words, how sensitive is the data you're sending? If it's super sensitive, there's no question you'd want HTTPS. Otherwise you could just send a token to verify along with the data? Keep in mind that without HTTPS this will all be susceptible to sniffing and MITM.

    I'm not sure how this compares to HTTPS for resource usage (horsies), but maybe something like TOTP/HOTP? https://github.com/Spomky-Labs/otphp
    CSS layout comes in to the 21st century with flexbox!
    Just another Perl hacker,
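
Added example, not part of any post in this thread: one way to build the "token" from post #2 as a keyed MAC, generalising the TOTP/HOTP idea so it covers the request body as well as the time. The key, the field values and the 30-second window are assumptions, as is a device that can compute HMAC-SHA256 and knows UTC time.

```php
<?php
// Added example, not code from the thread. SHARED_KEY, MAX_SKEW and the
// sample body are assumptions made for illustration.
const SHARED_KEY = 'constructed-demo-key-change-me'; // same secret is flashed onto the device
const MAX_SKEW   = 30;                               // seconds a signed request stays valid

// What the device computes: HMAC-SHA256 over "timestamp\nbody".
function sign_request(int $ts, string $body, string $key): string
{
    return hash_hmac('sha256', $ts . "\n" . $body, $key);
}

// What the PHP page checks before it touches the database.
function verify_request(int $ts, string $body, string $mac,
                        string $key, int $now, int &$lastTs): string
{
    if (abs($now - $ts) > MAX_SKEW) {
        return 'stale';   // an old capture sent again later
    }
    if (!hash_equals(sign_request($ts, $body, $key), $mac)) {
        return 'bad-mac'; // wrong key, or body/timestamp changed in transit
    }
    if ($ts <= $lastTs) {
        return 'replay';  // a valid request repeated inside the window
    }
    $lastTs = $ts;        // in production, persist this per device
    return 'ok';
}

// Constructed sample traffic, checked in order against one device's state.
$now    = 1468980000;
$lastTs = 0;
$body   = 'temp=21.5&hum=40';
$mac    = sign_request($now - 2, $body, SHARED_KEY);
$oldMac = sign_request($now - 3600, $body, SHARED_KEY);

$cases = [
    ['genuine',  $now - 2,    $body,              $mac],
    ['repeated', $now - 2,    $body,              $mac],
    ['tampered', $now - 1,    'temp=99.9&hum=40', $mac],
    ['old',      $now - 3600, $body,              $oldMac],
];
foreach ($cases as [$label, $ts, $b, $m]) {
    printf("%-8s %s\n", $label,
        verify_request($ts, $b, $m, SHARED_KEY, $now, $lastTs));
}
```

The data still travels in clear text, so this authenticates requests without hiding them; the shared key itself is never sent.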

  3. #3

    Thread Starter
    Still learning kebo's Avatar

    Re: prevent unauthorized posting to a php page

    Yea, it's not "mission critical", but I don't like the idea of leaving my kimono wide open so anyone can see my bits. I was thinking about running the UTC time through a function and sending the time value and the output, then verifying it on the PHP side with the same function. Kind of like a CRC with a custom polynomial or something. TOTP/HOTP is new to me so I'll take a look and see if I can make it fit.
    thanks

    Edit: come to think of it, I probably could just CRC the content with a custom poly and send that. That's probably what you meant by a token, yea?
    Last edited by kebo; Jul 19th, 2016 at 07:30 PM.

  4. #4
    Frenzied Member tr333's Avatar

    Re: prevent unauthorized posting to a php page

    I wasn't referring to anything specific, just some value that could be used to authenticate the request as coming from a valid client.
