VBNET PHP and security

[rafhelp]

Ok first questions waht do a/indie developers b/professional vb.net developers use to protect their exe's from decompiling hacking etc..

What software is there?

Second question:

When sending data to a PHP script using vb.net httpwebrequest (GET MEthod) how safe is it. I assume anyone with a sniffer installed can see all the links going out from their pc and they can catch our urls and get the data/passwords form them? I use a method where the PHP script requires a unique password ("&skey=mykey") so the password sent form the vb.net app has to match the one in the script, BUT if anyone got the URL going out they would then have that password as its in the URL and then they could manipulate the PHP and abuse it right?

So whats the best way to try and make sure the PHP script is only executed when its recieved data from that specific vb.net app and not if entered by a hacker in another program or browser

[wakawaka]

I'm not expert in this area, but obfuscating the code is pretty much all you can do. If someone REALLY wants to get to your code, they will be able to with time and skill. If you think about it, how can you truly protect it? If you encrypt it, you would need an application that can decrypt it. If that is the case, that library could be decompiled and then possibly yours. Security through obscurity is the best I have seen since even if the decompile it, it wouldn't make sense easily.

The web is open in nature, the best way would be to use SSL to encrypt the data from client to server and vise versa. No matter what, if the data isn't encrypted they can get the info and use it themselves. There are measures you can take, like creating a unique session GUID and get the public IP, but it is possible to spoof and IP and copy the GUID.

[JuggaloBrotha]

Ok first questions waht do a/indie developers b/professional vb.net developers use to protect their exe's from decompiling hacking etc..

What software is there?

Second question:

When sending data to a PHP script using vb.net httpwebrequest (GET MEthod) how safe is it. I assume anyone with a sniffer installed can see all the links going out from their pc and they can catch our urls and get the data/passwords form them? I use a method where the PHP script requires a unique password ("&skey=mykey") so the password sent form the vb.net app has to match the one in the script, BUT if anyone got the URL going out they would then have that password as its in the URL and then they could manipulate the PHP and abuse it right?

So whats the best way to try and make sure the PHP script is only executed when its recieved data from that specific vb.net app and not if entered by a hacker in another program or browser

Given that with enough time & resources absolutely nothing created can't be hacked (ie everything digital can be hacked) so knowing that one of the questions you have to ask yourself with any app is "How important is it if someone does figure out how to get around your application?" Depending on the answer to that question, you should easily be able to determine how much effort should be put into securing it.

Application security really isn't about making your app so secure that no one can break into it, it's more about "how difficult can I make it for the hacker/cracker to make it not worth their time to crack the application". What I mean by that is unless your application can do something that's quite valuable to others to want to crack it to find out how, then odds are you need not worry about protecting your apps too much. That doesn't mean you should just leave your app unsecured at all, as you should, at the very minimum, at least obfuscate your deployed exe's and for web interaction use SSL if you're sending data to/from webpages, but keep in mind you should never send a username or password on the url's querystring like you're indicating in your post now, even if you're using SSL the URL is sent in plain text and will always be easily gotten, you'll want to post a page to the webserver at the url and that connection can be using SSL, the page of course would have a username and password on it & the response page returning a hash of the user's record ID or some other identifier would be returned, using SSL of course, then your app can use that identifier for future posts to the webserver, again try to avoid putting it in the url querystring.

It sounds like you might be trying to use that PHP page(s) as more of a WebService rather than a website, if so, you should consider making an actual WebService (Java's JSP and .Net both offer WebService projects) .Net uses asmx files on a webserver for services front ends so people with web browsers can't use the service like they can a php page.