From: David Mehler on
Hello,
I've got a custom app that interacts with a database. I want to use
something stronger than .htaccess to protect it and SSL is not
available as this is a shared host. There will be several users
accessing this app and updating the database through it. What I was
thinking was giving each a unique username, password, and ID string,
which would be somehow used to compute a hash and if that would match
access could be granted. That's just a guess on my part, I'd
appreciate any suggestions.
Thanks.
Dave.
From: Robert Cummings on
David Mehler wrote:
> Hello,
> I've got a custom app that interacts with a database. I want to use
> something stronger than .htaccess to protect it and SSL is not
> available as this is a shared host. There will be several users
> accessing this app and updating the database through it. What I was
> thinking was giving each a unique username, password, and ID string,
> which would be somehow used to compute a hash and if that would match
> access could be granted. That's just a guess on my part, I'd
> appreciate any suggestions.
> Thanks.
> Dave.

Since you're not going to go over SSL, then nothing you can do will be
stronger since it all flies out in plaintext over the internet.

Cheers,
Rob.
From: Nilesh Govindarajan on
On 05/23/2010 10:51 AM, Robert Cummings wrote:
> David Mehler wrote:
>> Hello,
>> I've got a custom app that interacts with a database. I want to use
>> something stronger than .htaccess to protect it and SSL is not
>> available as this is a shared host. There will be several users
>> accessing this app and updating the database through it. What I was
>> thinking was giving each a unique username, password, and ID string,
>> which would be somehow used to compute a hash and if that would match
>> access could be granted. That's just a guess on my part, I'd
>> appreciate any suggestions.
>> Thanks.
>> Dave.
>
> Since you're not going to go over SSL, then nothing you can do will be
> stronger since it all flies out in plaintext over the internet.
>
> Cheers,
> Rob.

Yeah, I also agree with it. If you really want the things to be secure,
then use SSL.

--
Nilesh Govindarajan (निलेश गोविंदराजन)
Twitter: nileshgr
Facebook: nilesh.gr
Website: www.itech7.com
From: Adam Richardson on
On Sun, May 23, 2010 at 12:40 AM, David Mehler <dave.mehler(a)gmail.com> wrote:

> Hello,
> I've got a custom app that interacts with a database. I want to use
> something stronger than .htaccess to protect it and SSL is not
> available as this is a shared host. There will be several users
> accessing this app and updating the database through it. What I was
> thinking was giving each a unique username, password, and ID string,
> which would be somehow used to compute a hash and if that would match
> access could be granted. That's just a guess on my part, I'd
> appreciate any suggestions.
> Thanks.
> Dave.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
If you really, really can't get to SSL, you could develop the client-side
code to use a Java applet as a proxy, and the applet could handle the
encryption (I've only done that once and it wasn't worth the work in the
long run, I should have just switched hosts OR clients.) You could also
pull off the same effect with a FLEX application, too.

And, if you really, really wanted to, you could even develop an Ajax
application that encrypted the traffic before sending and decrypted any
incoming traffic using a hash of a nonce provided by the server and the
password of the user (the server-side PHP would perform the complementary
actions.) However, this would be quite a bit of work, and I'm hoping that
you can talk someone into a hosting upgrade :)

For reference, here's a JavaScript implementation of AES I've used in the
past (there's a port of the corresponding PHP to use linked on the same
page):
http://www.movable-type.co.uk/scripts/aes.html

But, again, I hope you can just switch to a host with SSL.

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
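
The nonce-plus-password idea from Adam's reply, reduced to its login step, as an added example that is not part of the thread: the server issues a single-use nonce and the client answers with an HMAC keyed from the password, so the password itself is never sent. This swaps HMAC challenge-response in for the AES traffic encryption he describes; the account, salt and function names are constructed for illustration, and Node's built-in crypto module stands in for both the browser and the PHP side.

```javascript
// Added example (not from the thread): nonce challenge-response login.
const crypto = require('node:crypto');

// Constructed sample salt; a real server would send it along with the nonce.
const SALT = Buffer.from('constructed-salt-01');
const deriveKey = (password) =>
  crypto.pbkdf2Sync(password, SALT, 100000, 32, 'sha256');

// Server state (hypothetical names): stored verifier and outstanding nonces.
const users = new Map([['dave', deriveKey('correct horse battery')]]);
const pendingNonces = new Map();

// Server: issue a fresh single-use nonce for a login attempt.
function issueNonce(username) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pendingNonces.set(username, nonce);
  return nonce;
}

// Client: prove knowledge of the password without sending it.
function clientResponse(password, nonce) {
  return crypto.createHmac('sha256', deriveKey(password)).update(nonce).digest('hex');
}

// Server: verify the response, consuming the nonce so a capture cannot be replayed.
function verifyLogin(username, response) {
  const nonce = pendingNonces.get(username);
  const key = users.get(username);
  pendingNonces.delete(username);
  if (!nonce || !key) return false;
  const expected = crypto.createHmac('sha256', key).update(nonce).digest();
  const given = Buffer.from(String(response), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// One good login, a replay of the captured response, and a wrong password.
function demo() {
  const n1 = issueNonce('dave');
  const r1 = clientResponse('correct horse battery', n1);
  const first = verifyLogin('dave', r1);
  const replaySameNonce = verifyLogin('dave', r1); // nonce already consumed
  issueNonce('dave');
  const replayNewNonce = verifyLogin('dave', r1);  // old response, new nonce
  const n3 = issueNonce('dave');
  const wrongPassword = verifyLogin('dave', clientResponse('guess', n3));
  return { first, replaySameNonce, replayNewNonce, wrongPassword };
}
console.log(demo());
```

The stored key is password-equivalent on the server, and the scheme authenticates the login only: request and response bodies still cross the network in plaintext and the page's script can be altered in transit, which is why the replies above point to SSL.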
From: David Mehler on
Hello everyone,
Thanks. I'm looking into the SSL, I would like to use it, and it does
seem much less work than the alternative.
Thanks.
Dave.

