ask for a faster and more secure webservice using php and vfp


I'm not sure whether these are programming questions, but I'm sure lots of new programmers like myself have been asking the same questions.

I've created a webservice to update data to VFP free tables using PHP. I use VfpOledb to connect PHP and the tables. Many clients use this webservice to update their data to several tables on the server. Example: user A updates table t_sales in directory X, user B updates table t_sales in directory Y, user C updates table t_sales in directory Z.

The questions are :

  1. Which one is better/faster and why: creating different PHP files (webservices) for different users, or creating one PHP file with a switch/case inside to determine the datasource location?

  2. Which one is better/safer and why: sending the datasource location as a parameter from the user, or storing the datasource location in the PHP file?

Many thanks

2012-04-05 02:22
by wong chung yie


By datasource location, I will assume you are referring to the DB server and table. Assuming the DB server and table is yours, and you want to restrict which tables users have access to, you should determine the db info internally.

Web services should provide an API that is accessed like "/myservice/update?name=x&email=y&key=32453457830957834", with the only required bits of information being:

  • the data for inserting/updating
  • search/filter parameters
  • security tokens or api keys

This makes it easy to use your web service, and makes it secure against injection attacks as long as you escape the input. (If you allow the table to be defined as a parameter, you can't escape it, and then you, and your users, are at the users' mercy.)

As for performance, the logic of deciding how to access the DB is negligible for most applications, compared to the time it takes for a DB transaction.

2012-04-05 02:31
by bdares
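The design bdares describes, as an added example (not code from the original post or from either participant): the API key selects the client's table directory on the server side, the request carries only data fields, and those fields are bound as query parameters instead of being spliced into the SQL. The directory paths, the key hashes, the `key`/`sale_id`/`amount` field names and the `t_sales` columns are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post): the table directory is resolved
// server-side from the API key; data values are bound as parameters. Paths, key
// hashes and the t_sales columns are placeholders chosen for this illustration.
// sha256(api key) => directory of that client's VFP free tables (hypothetical).
const CLIENT_DATASOURCES = [
    '<sha256 of client A key>' => 'C:\\data\\clientA\\',
    '<sha256 of client B key>' => 'C:\\data\\clientB\\',
];
// Map an API key to a directory, or null if unknown. The client never names a
// directory or table; it can only reach the one bound to its key.
function resolveDatasource(string $apiKey): ?string
{
    $candidate = hash('sha256', $apiKey);
    foreach (CLIENT_DATASOURCES as $hash => $dir) {
        if (hash_equals($hash, $candidate)) {
            return $dir;
        }
    }
    return null;
}
// Update one t_sales row through the VFP OLE DB provider via ADO, using '?'
// placeholders so the values are never spliced into the SQL text.
function updateSale(string $dir, string $saleId, float $amount): void
{
    $conn = new COM('ADODB.Connection');
    $conn->Open("Provider=VFPOLEDB.1;Data Source={$dir};");
    $cmd = new COM('ADODB.Command');
    $cmd->ActiveConnection = $conn;
    $cmd->CommandText = 'UPDATE t_sales SET amount = ? WHERE sale_id = ?';
    // ADO constants: adDouble = 5, adVarChar = 200, adParamInput = 1
    $cmd->Parameters->Append($cmd->CreateParameter('amount', 5, 1, 0, $amount));
    $cmd->Parameters->Append($cmd->CreateParameter('sale_id', 200, 1, 20, $saleId));
    $cmd->Execute();
    $conn->Close();
}
$dir = resolveDatasource($_GET['key'] ?? '');
if ($dir === null) {
    http_response_code(401);
    exit('unknown api key');
}
// Only data fields are accepted; check their shape before binding.
$saleId = $_POST['sale_id'] ?? '';
$amount = $_POST['amount'] ?? '';
if (!preg_match('/^[A-Z0-9]{1,20}$/', $saleId) || !is_numeric($amount)) {
    http_response_code(400);
    exit('invalid sale_id or amount');
}
updateSale($dir, $saleId, (float) $amount);
echo 'ok';
```

Because a key maps to exactly one directory, a client that tampers with its own request can still only touch its own tables, and a leaked copy of the script exposes key hashes rather than usable keys.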
Thank you for the clear and informative reply. Would it make a difference if the clients are also using my desktop apps? I mean they are using a VFP app to do transactions. When they hit 'save', the app sends the data through the webservice. So the table location is sort of 'hardcoded' in the apps. Is there a way the clients still can figure out the table location? - wong chung yie 2012-04-05 02:46
If the program is running on their machine, they can decompile it and analyze it and spoof it. You can't trust the client. Ever. - bdares 2012-04-06 04:52
Sorry for taking a long time to reply. Actually, my concern is not my clients. Is it possible for anyone to 'eavesdrop' on the data sent via the internet and get the parameters? Thank you for the reply :) - wong chung yie 2012-04-09 01:55
Also quite possible, unless you're using an encrypted connection such as SSL. - bdares 2012-04-09 02:56
Thank you for the reply. It really helps me understand. I guess I'll keep the table location in the PHP. Still, I'll look into the SSL setting for my XAMPP. Thank you and God bless :) - wong chung yie 2012-04-09 08:48