I just created my first MVC webapp and noticed that I need to store my users in the ASP Schema tables now. I also have an Android app that must authenticate using the same list of users.
Before MVC, I was able to simply post something to a webform and have it check the list of usernames and passwords for a match (encrypted of course), then the form would return the requested info. How would I do this using MVC?
Otherwise, could I just change MVC's authentication to use my own user tables?
You don't need to store your user details in the default ASP schema tables. You can create a custom membership provider, or you can do it without a custom membership provider as well.
You can still POST to your controller action the same information and continue to execute the same logic you were using.
Related
I am building a series of Android apps that will be used by hotels to help with their operation. The backend for the apps to access the database is written using the SlimPHP microframework. Once the system is complete, my customers will be assigned a database for their information. I need a way of configuring Slim to use the assigned database name. The way I have it planned is that when the customer signs up for an account with me, I will have a script that will create an account for the customer, including a database. The database will be identical from customer to customer. I just need a way to set SlimPHP to use the correct database. I was thinking of having the database name saved in Android and having that name sent to Slim from the app with each request. I am not sure how/if Slim can do it. Is it possible, or will I need to create my own API from PHP for my apps? If I need to provide more information, please let me know. Thanks for any help. Troy.
Trying to build an Android and web client that has Parse.com as a backend. The user has to be authenticated first to log into the app. If someone gets hold of the application keys, client keys, etc., he can access the app without the authentication with REST calls. How can this be avoided to restrict the Parse Query to return results ONLY with a user session? Looking for that security measure.
All the Parse Application and client keys (except for the master key) are considered public information and NOT secrets. This is clearly mentioned in the Parse documentation. There is no way to hide them and they will be part of your app/website and they can be easily retrieved by any user. This means any data in your classes with Public read access can be retrieved by anybody.
Parse lets you control the data read permissions ONLY via Class Level Permissions (CLPs) and Access Control Lists (ACLs). If you think these solutions cannot give you the security measures you are looking to implement, you have to disable the public read access to your data completely and implement your own Cloud Functions to retrieve the data from the server. This way, you can test the user credentials, permissions, etc. before returning any data.
I am learning how to build Android apps. I'm building my first app using PHP and Java, and I'm passing the values from Java to PHP using parameters.
localhost/myfile.php?id=GET ID FROM JAVA EDITBOX&name=GET NAME FROM JAVA EDITBOX
I'm inserting and updating using this method.
But I'm afraid about my app security. How can I hide my links? I would like to insert some security techniques to prevent a common user from having access to my links and inserting random data into my database.
I'm sorry about that noob question, but I would like to read more about that.
how can I hide my links
No way, because an APK file can be decompiled.
I would like to insert some security techniques to prevent a common user from having access to my links and inserting random data into my database.
You are allowing unauthenticated users to insert the records? If you are doing this, you are doing it wrong (I think).
You should allow authenticated users to insert/delete/update records, and unauthenticated users can load data only.
Some security practices:
Authentication (login) / authorization (permission)
Don't trust any data sent from the client; data validation on the server side is required
Use asymmetric encryption (public/private key):
    Encrypt your data on the client side using the public key
    Decrypt the data on the server side using the private key
Apply a digital signature or MAC (Message Authentication Code) to ensure data integrity and authentication
Use HTTPS
I currently have an Android app which uses 3 SQLite database tables and I want to store this data on the cloud in my Java-based GAE app. It will be used as backup and also, the user will be able to view it in their browser upon logging in. The user is entering data into the Android app so all the data in the 3 tables belongs to that user. Is there a recommended way of storing this type of user-specific data? Should I store user email with each entity in order to identify it or have a User entity as the parent and all the entities belonging to this user as the children? Are there any advantages of using a parent in this case?
It all depends on how many records you have for a single user, how frequently these records are updated, and how you access this data (what kind of queries you need, etc.) So there is no simple and definitive answer to your question.
Most likely, you will be fine with either approach unless you have thousands of records per user and they update them every few minutes, at which point you may run into some limitations.
Note that you don't need to include an email address to identify each record. Typically, you create a user entity first, and then you use an id of this user entity (a Long) to identify all other entities that are related to this user.
My two cents. Unlike SQLite, Google App Engine is not a relational database, so saving your SQLite data to GAE won't be a straightforward task. However, you could create an app on GAE where you use the user email from your app as the entity key. You can then retrieve the user-specific info based on this key. All (well, the most important thing) you need to do in this case is find a way to send that data from your app to GAE.
I'm a web developer who is moving into creating mobile (iOS/Android) applications.
As such, what I'm trying to understand is how should I architect the mobile application to access (post/update/delete) data stored on a central server.
For illustration purposes, let's say I am creating a mobile Recipe application (named "MyRecipeApp"). Some recipes I want to share with other recipe users of MyRecipeApp, and some recipes I want to keep private to myself.
In order to share recipes, all recipes (both private and sharable) are stored on a centralized (server) database and the MyRecipeApp accesses that database to fetch that information.
As such, I have a few questions:
With MyRecipeApp, how do I access the database? Do I make my database publicly accessible so that MyRecipeApp can talk to the database? If so, that seems insecure.
Do I hard-code SQL into MyRecipeApp (e.g. SELECT * FROM RECIPES WHERE USER = "John Smith") to access the database to fetch recipes? If so, that seems insecure in the sense that someone could just hack my mobile app and change the SQL to fetch any information.
Do you send the user's username/password with each fetch to the database? If so, how are you encrypting the traffic between the database and MyRecipeApp?
What else am I not thinking about in how I should be architecting a mobile application?
Connect through an API (perhaps a RESTful HTTP API).
Don't hard code SQL. Instead, make API calls, passing parameters.
Yes, send authentication information with every request and use HTTPS, or send username and password on first request only and get a session token and use that on subsequent requests, but still use HTTPS.
Consider sending and receiving data in JSON format.
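An added example, not part of the original answer, of the server side of the flow described above for MyRecipeApp: the password is checked once at login, later calls carry only a session token, and the owner filter in the query comes from that token rather than from anything the app sends. The schema, function names and sample users are hypothetical, an in-memory SQLite database stands in for the central server's database, and the HTTPS transport is assumed and not shown.

```python
import hashlib, hmac, secrets, sqlite3
# Hypothetical schema and function names; an in-memory DB stands in for the server's.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT UNIQUE, salt BLOB, pw BLOB);
CREATE TABLE sessions(token_hash BLOB PRIMARY KEY, user_id INTEGER);
CREATE TABLE recipes(id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT, shared INTEGER);
""")

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _digest(token):  # only a hash of the token is stored server-side
    return hashlib.sha256(token.encode()).digest()

def register(name, password):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users(name, salt, pw) VALUES (?, ?, ?)",
               (name, salt, _kdf(password, salt)))

def login(name, password):
    """First request: verify the password once, return an opaque session token."""
    row = db.execute("SELECT id, salt, pw FROM users WHERE name = ?", (name,)).fetchone()
    uid, salt, pw = row if row else (None, b"\0" * 16, b"")
    if not hmac.compare_digest(pw, _kdf(password, salt)):  # KDF also runs for unknown users
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?)", (_digest(token), uid))
    return token

def _user_id(token):
    row = db.execute("SELECT user_id FROM sessions WHERE token_hash = ?",
                     (_digest(token or ""),)).fetchone()
    if row is None:
        raise PermissionError("invalid or missing session token")
    return row[0]

def add_recipe(token, title, shared=False):
    db.execute("INSERT INTO recipes(owner_id, title, shared) VALUES (?, ?, ?)",
               (_user_id(token), title, int(shared)))

def list_recipes(token):
    """The owner filter comes from the session, never from a client parameter."""
    rows = db.execute("SELECT title FROM recipes WHERE owner_id = ? OR shared = 1 "
                      "ORDER BY id", (_user_id(token),))
    return [title for (title,) in rows]

# Constructed sample users.
register("john", "correct horse")
register("mary", "battery staple")
```

Because every value reaches SQLite as a bound parameter, a title containing quote characters or SQL keywords is stored as plain text, and a modified client cannot widen the WHERE clause.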