I am writing a PHP script that responds to GET requests from an iPad, and then makes an appropriate database query, returning a JSON. for example:
http://mydomain.com/index.php?param1=xxx&key=afdS31PsR
is this (key = xxxxxxxxx) a secure way to stop people from accessing my database information? I feel like it would be except it would be hardcoded into the script – so it would never change.
A better way would be to hash the key value, and compare to the hash in the database of the key word. But even still, unless the iPad sends the key and request over HTTPS, it still seems insecure. Any ideas on how to do it? Perhaps there is a nice way to set up public/private key encryption with a PHP script? I’m very inexperienced with cryptography and authentication, so bear with me.
For a really tech savvy user, there’s no method of sending the key (unencrypted) that’s really safe.
However, sending it as a GET request is generally a bad idea, and hard-coding the value is an even worse idea.
You should definitely set up a database of “per-user” hashes and compare the hashed key to the stored hash in the database. If you must use GET, then so be it, but POST would be the way to go with authentication.
If you’re not using HTTPS, then you’re really at the mercy of whoever is snooping the data over the air no matter which way you do it, but at least POST would keep it secret from people looking at the URL.