Post by proseth on Dec 1, 2010 15:27:47 GMT -8
Note: I consider myself moderately well-versed in PHP, SQL, and JS. I am very familiar with most of the methods and syntax.

What do you people think is the best way to (ALLOW A USER TO) securely send info to a MySQL database from a ProBoards page? For the purpose of this question, I'll use this as an example. Say I'm trying to make a script that allows users to post status updates, like Twitter. Getting the submitted data from the database is easy, with or without AJAX. Submitting data is easy too, but the problem is that the info they send can easily be tampered with if I want to send pb_username (for example) along with their input.

1) I could pass the values in a URL query string, i.e.: localhost.local/submit.php?u=admin&m=the%20message
This could obviously be taken advantage of if the user knew the URL (which they could find from viewing page source). This method is out.

2) I could pass the info using forms with hidden inputs. But it is easy to edit hidden form fields with Web Developer Toolbar or even a simple location bar JS function.

So I'm kind of at a loss as to what I should do to make this secure. Encrypting (base 64) is a possibility, along with Packer'ing the script, but even that method isn't infallible.
Post by xcessive on Dec 1, 2010 17:27:13 GMT -8
"POST".
No method is infallible, if you don't want something hacked, don't make it.
Post by proseth on Dec 1, 2010 18:09:41 GMT -8
> "POST". No method is infallible, if you don't want something hacked, don't make it.

Of course using a POST form would work, but to pass the sensitive information (like pb_username), I'd be using hidden form fields, which anybody could very easily manipulate. It just needs to be secure enough to prevent this.
Post by xcessive on Dec 1, 2010 18:27:48 GMT -8
> "POST". No method is infallible, if you don't want something hacked, don't make it. Of course using a POST form would work, but to pass the sensitive information (like pb_username), I'd be using hidden form fields, which anybody could very easily manipulate. It just needs to be secure enough to prevent this.

True. You could go with an encrypted $_REQUEST. The only problem is URLs can be saved, bookmarked etc. Encrypted (using JS) data on a hidden form field should do.
Post by Charles Stover on Dec 2, 2010 11:10:02 GMT -8
JavaScript is open-source. You can't do anything in it that can't be sniffed or edited. All the user has to do is put: javascript:pb_username="look-im-someone-else-now";void(0); in their address bar, and no matter how you encode your script data, it will send erroneous information.
It's just something you have to deal with and hope for the best. My shoutbox uses pb_username and has only ever had one person screw with it, and they stopped when I asked them to. Until ProBoards makes an API that contains something along the lines of unique_id that you can send to the server to get their information, there is literally nothing you can do to prevent faked information between two different servers.
Post by xcessive on Dec 2, 2010 17:16:38 GMT -8
> JavaScript is open-source. You can't do anything in it that can't be sniffed or edited. All the user has to do is put: javascript:pb_username="look-im-someone-else-now";void(0); in their address bar, and no matter how you encode your script data, it will send erroneous information. It's just something you have to deal with and hope for the best. My shoutbox uses pb_username and has only ever had one person screw with it, and they stopped when I asked them to. Until ProBoards makes an API that contains something along the lines of unique_id that you can send to the server to get their information, there is literally nothing you can do to prevent faked information between two different servers.

Yes, currently it's more a matter of damage control than prevention.
Post by Jordan on Dec 2, 2010 18:39:29 GMT -8
I had the same problem when I started making an RPG for ProBoards a while ago. Once I realized that I couldn't really prevent someone from sending in fake information I just stopped coding it. Hopefully we will get an API in v5.
Post by iDunk on Dec 5, 2010 15:18:47 GMT -8
Theoretically you could ask the user to create an account on your server, and ask that they have a publicly visible email in their forum profile (at least temporarily) and then parse the profile page to verify that email. I too would love to see an API come out though if even just for authentication purposes. Although, I'm not sure how much that'd breach TOS/unwritten TOS.
Post by Charles Stover on Dec 5, 2010 19:54:16 GMT -8
Unless they send an encrypted cookie to the server with their account ID, e-mail verification isn't going to stop fake user IDs from being sent. Not to mention the problems that arise with it, such as forced public e-mails, the hassle of registering on some other site, the same person using the program for multiple sites having to register on a per-site basis, the fact that it breaks TOS to connect to ProBoards server when information isn't displayed (although I think they said it's allowed now if in excessively small amounts). And I don't think an API would breach any TOS assuming it only gives the pb_username, which is already public.

ProBoards:
var pb_username = "GAMEchief", pb_unique_id = "aB2D3F";

Your JavaScript:
Connects to mysite.com/my-program.php?id=aB2D3F&site=support.proboards.com

Your PHP:
Connects to support.proboards.com/get-username.php?id=aB2D3F

get-username.php:
GAMEchief

Since pb_unique_id isn't public, it couldn't be faked.
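The flow Charles sketches above, together with the tampering problem from the opening post (a client-supplied username in a query string or hidden field), simulated in-process as an added example that is not part of this thread and is not ProBoards or the poster's code. The Forum class, its issue_id/get_username methods and the pb_unique_id lookup are all assumptions standing in for an API that, as the thread notes, did not exist at the time; the two submit functions play the role of submit.php.

```python
import secrets

# Forum side: stands in for ProBoards and the hypothetical pb_unique_id API.
class Forum:
    def __init__(self):
        self._ids = {}  # opaque id -> username; only ever shown to that user

    def issue_id(self, username):
        # Unguessable per-user token embedded in that user's own page.
        uid = secrets.token_urlsafe(16)
        self._ids[uid] = username
        return uid

    def get_username(self, uid):
        # The imagined get-username.php: resolved server-to-server, never by the browser.
        return self._ids.get(uid)

# Your server, the submit.php of the opening post. 'params' is whatever the
# browser sent (query string, hidden fields, AJAX body); all of it is untrusted.
def naive_submit(params):
    # Original design: the client-supplied 'u' is stored as the author as-is.
    return {"ok": True, "author": params.get("u"), "message": params.get("m", "")}

def handle_submit(forum, params):
    # Hardened design: ignore any username the client claims and derive the
    # author from the opaque id. Editing pb_username in the page changes nothing
    # the server relies on; only an id the forum issued resolves to an author.
    author = forum.get_username(params.get("id", ""))
    if author is None:
        return {"ok": False, "error": "unknown id"}
    return {"ok": True, "author": author, "message": params.get("m", "")}

def demo():
    # Constructed scenario: two forum members, one of whom edits pb_username.
    forum = Forum()
    alice, mallory = forum.issue_id("alice"), forum.issue_id("mallory")
    honest = handle_submit(forum, {"id": alice, "m": "hello"})
    forged = {"id": mallory, "u": "admin", "m": "I am admin"}
    guessed = {"id": "aB2D3F", "u": "admin", "m": "still not admin"}
    return {
        "honest": honest["author"],                           # 'alice'
        "naive_forged": naive_submit(forged)["author"],       # 'admin': naive design fooled
        "id_forged": handle_submit(forum, forged)["author"],  # 'mallory': real holder of the id
        "guessed_ok": handle_submit(forum, guessed)["ok"],    # False: unknown id rejected
    }

if __name__ == "__main__":
    print(demo())
```

The decisive property is that the author is derived from something the browser cannot choose, so the address-bar edit from earlier in the thread only changes a value the server never reads.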
Post by proseth on Dec 6, 2010 2:34:34 GMT -8
I don't understand. Does the example you (Charles) provided above exist, or is it what you would like to see in the future, or is it your own script? As far as I can tell pb_unique_id is non-existent.
Post by Jordan on Dec 6, 2010 10:34:12 GMT -8
It's just something he wants to see, since pb_unique_id would be private and therefore would provide a secure way to transfer data between your server and ProBoards.
Post by Code Dragon on Dec 6, 2010 10:40:05 GMT -8
No code is unhackable, sadly. I've worked a little with connecting to SQL databases via JavaScript. I think it's cool, but yes, there are some limitations that we can't work around right now, which is one reason I'm really waiting for the v5 thing.