0

I have 3 php files in phpmyadmin. 2 of them are private and one of them is public. When i go to public one's link, for example:

mysite./public_php_script.php

it shows this

{"teachers":[{"tid":"1","name":"g\u00f6ksel","surname":"biricik","password":"xxxx","tc":"12345678912","email":"[email protected]","avatar":"goksel.jpg"},{"tid":"2","name":"haydar","surname":"ayg\u00f6rmez","password":"xxxx","tc":"12345678913","email":"[email protected]","avatar":"haydar.jpg"},{"tid":"48","name":"Caner","surname":"Ayd\u0131n","password":"xxxx","tc":"12345678914","email":"[email protected]","avatar":"caner.jpg"},{"tid":"92","name":"deneme","surname":"denemesoy","password":"xxxx","tc":"12345678914","email":"[email protected]","avatar":"5292-1017.png"},{"tid":"93","name":"deneme2","surname":"denemesoy2","password":"xxxxx","tc":"12345678915","email":"[email protected]","avatar":"8446-1012.png"}],"success":1}

I want to get teachers database data. As you can see, those are all public and passwords are also public. What can i do? I did not connect android yet.

Should i not use this php script as public? But then how can i get this data inside private files?

Should i mask the password in sql as password in php script? But this time, how can i get to android?

Should i not get password but i need it to check if login is true?

Or for login part, should i use post method when i get login password to compare? This script will be public for android to reach it and will check and return true if correct but this time everyone can use this script to check passwords?

Improve this question
7
  • You need to use some mechanism to authorize the access to that resource, else anyone can connect to it and retrieve these passwords. Commented Apr 4, 2016 at 11:24
  • This mechanism in android side or as php script or in database? Commented Apr 4, 2016 at 11:39
  • On the php side, what you want to protect is the php, you don't want anyone to be able to retrieve that data without being authenticated. Commented Apr 4, 2016 at 11:42
  • but for android side, parsing json or posting username password methods will be same? stackoverflow.com/questions/28761558/… for example, same android code here? Commented Apr 4, 2016 at 11:50
  • 1
    Yes, you authorize in the php side, but you must call the authorization and propagate the result on the client (android). SOmething like this: Android asks authorization to php, php returns an auth token, android adds this auth token to all the subsequent calls, php verifies this token on each call. Commented Apr 4, 2016 at 11:55

1 Answer 1

Reset to default
0

Instead of getting password from server send credentials to server for verification. Send username and password to server to check if it is correct or not. After verification of username and password generate a session key for this user. Which will be saved in android application and application will use it for further communication e.g for adding, retrieval, updating and deletion of records.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

This script will be public for android to reach it and will check and return true if correct but this time everyone can use this script to check passwords?
Apply a limit for trying wrong password and after limit exceeds take necessary action.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.