Hide php echo from being browser viewable?

I’m not even sure it can be done. As a Lua newb, I’m really hurt’n with my php, although I’ve been able to stumble around and get a few things done.

I make a network.request to a php script on the server which will echo a variable/response back to the device.

I don’t like it that when the URL of the script is input in a browser, the echo $message is displayed on the screen in plain text. I can’t figure out how to hide/mask the echo from being viewed in a browser.

Does anyone know how to secure the echo $message so the data is passed, but is not browser viewable?

I’m stumped, Nail

I am not sure what you mean, but you could use this:

[code]
local function networkListener( event )
    if ( event.isError ) then
        print("Some error")
    else
        print(event.response) -- Do whatever with this value from the php script output...
    end
end

local myID = 12

network.request( "http://www.mydomain.com/page.php?id=" .. myID, "POST", networkListener )
[/code]

@jkrassman, thanks for the attention.

I like how you’ve added the “myID” as a password parameter to the request. I’ve done that and it certainly adds an extra layer of security.

I’ve got the Corona network.request working nicely, everything works as expected.

The issue is when the network.request URL and param is pasted in a web browser on my PC or MAC, the php script outputs the echo to the web browser and displays the echo as plain text on the monitor.

I realize someone would have to know the php script’s URL in order to enter it into the PC web browser in order to view the echo result. I’m concerned because I don’t really know how secure the URL in my code is once it is compiled into an app binary.

This is a possible security/pirating issue using network.request and php scripts, I’m not sure how “hack proof” production apps are. I don’t know if apps and the URLs in them are really secure, so I’d like to mask the php script’s output from being web browser viewable if the php script is obtained by someone and entered into a browser address bar.

There are several approaches and one is to check what type of browser the user is using and what OS he is running.

You could use this: http://chrisschuld.com/projects/browser-php-detecting-a-users-browser-from-php/

Then if the OS is different from iOS and the web browser is different from all - do your response code. I guess that there are more ways to achieve some protection. One other way would be to create your own HTTP User-Agent header and pass that along with all the other data. But I am not sure if that is possible with Corona?

<?php
echo $_SERVER['HTTP_USER_AGENT'] . "\n\n";
$browser = get_browser(null, true);
print_r($browser);
?>

Joakim

Yes, you can pass your own header:

A table that specifies custom HTTP headers or body to include in the request. To specify custom headers, attach a headers table that specifies header values with string keys. To specify a custom body message, attach a body property to this table whose string value is the HTTP body.

http://docs.coronalabs.com/api/library/network/request.html

So then you can build your own header and send that data to the php page. Look at the header on the webpage and then send the data if the header data matches your own designed header.

Joakim

And one more approach could be to use MD5 in your app and on your web server,

http://developer.coronalabs.com/reference/index/cryptomd5

this combined with https would be the easiest and best protection I guess :slight_smile:

Joakim

Actually the simple approach is to use base64 encoding. At least that way your output would be obscured. MD5 is a one way encryption which would make the data unusable. Base64 is of course easily decodable but it would at least hide it from people snooping on the line.

The other thing is to take that base64 output string and do some other basic harder to guess encryption.

Keep in mind once you pass using base64 and start encrypting the data, you have to file the necessary export compliance paperwork with the countries you want to sell your app in.

Correct, MD5 is impossible to decrypt.

Joakim

@jkrassman,

Again, thanks for the attention!

jkrassman wrote: There are several approaches and one is to check what type of browser the user is using and what OS he is running.

I saw this script and thought it could be a viable option, just make echo $serverERROR as response I guess. I’ll look into it more thoroughly.

jkrassman wrote: Yes, you can pass your own header:

I’ll have to dig deeper into php for that, which certainly isn’t a bad thing. I have a conceptual understanding, but am not versed enough to execute at this time. Not sure of the learning curve/time.

jkrassman wrote: And one more approach could be to use MD5 in your app and on your web server,

Since MD5 is a hash and can’t be decrypted, it would have to reside in my lua code and be visible anyways I guess. I’ll probably not pursue this direction, unless I’m misunderstanding the concept.

I’ve got SSL setup, I’m thinking the best approach is to use the browser detection method you suggested first along with OS detection to deny access from a browser. Viewing from a simulator is unaddressed though.

I’m wondering if encrypting the URL in the network.request would be an avenue to pursue. Use the appID or a Secret Corona Key as an example, as a required key Corona uses to decrypt the URL internally with a special API, before it sends the request out to the server.

This would be a great API/feature for Corona to have, IMO newb opinion. It would mask all network.request URLs in the lua code if the binary was hacked, adding increased security for everyone, especially where sensitive data transmission is concerned. It would probably add very little overhead, but I’m way out of my league here.

Thanks for the suggestions again, I’m surprised how little discussion there is about this topic actually. Are most just “hoping” ?

Thanks Nail!

@robMiracle wrote: Keep in mind once you pass using base64 and start encrypting the data, you have to file the necessary export compliance paper work with the countries you want to sell your app in.

Hey Rob, thanks for joining in. I was actually going to request your thoughts in the lead post.

This is a little OT, but I’ve been thinking about export compliance and from what I understand, any use of SSL requires registration at a minimum anyways, so I’ll have to obtain export compliance. Not sure how to go about filing export compliance with other countries. I assumed I only had to register with the US.gov

What I haven’t seen addressed here or anywhere is how IAP plays into export compliance. It seems to me, ANY app that uses IAP should register for export compliance if sold beyond our borders, since apps connecting to the app store use base64 and a https connection. Am I wrong here, if so how?


Hi again, felt I wanted to test the header stuff and here’s some code that works. An easy way to prevent people from viewing the page and no legal stuff to take care of.

Corona code:

local function networkListener( event )
    if ( event.isError ) then
        print("Some error")
    else
        print(event.response) -- Do whatever with this value from the php script output...
    end
end

local headers = {}
headers["User-Agent"] = "myIphoneApp"

local params = {}
params.headers = headers

network.request( "http://www.xxxx.se/test.php", "POST", networkListener, params )

And the simple PHP page:

<?php
if ($_SERVER['HTTP_USER_AGENT'] == "myIphoneApp") {
    echo ("From my app");
} else {
    echo ("Error 404: no such file.");
}
?>

Joakim
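The fixed User-Agent value in the post above is a shared secret that is sent unchanged on every request, so once it is read out of the app or seen in one captured request it can simply be replayed from a browser. As an added example (not code from this thread or from Corona), the PHP check below instead expects an HMAC of the current time, which the app would compute with Corona's crypto library (crypto.hmac with crypto.sha256, assumed) and send in the assumed headers X-App-Ts and X-App-Auth; the server rejects missing, stale or mis-signed requests using a constant-time comparison, and the poster's SSL still protects the response body. The secret still ships inside the app binary, exactly as the User-Agent string does, so this raises the bar against casual viewing and replay rather than making the page truly private.

```php
<?php
// Added example, not code from the thread. Instead of a fixed User-Agent
// string, the app (Corona, assumed) signs the current Unix time and sends:
//   X-App-Ts:   os.time()
//   X-App-Auth: crypto.hmac( crypto.sha256, tostring(ts), APP_SECRET )
// PHP exposes those as $_SERVER['HTTP_X_APP_TS'] / ['HTTP_X_APP_AUTH'].
// Header names, the secret value and the freshness window are assumptions.

const APP_SECRET = 'PLACEHOLDER-replace-with-a-long-random-secret';
const MAX_SKEW   = 120;   // seconds a signed timestamp stays acceptable

// True only when the request carries a fresh timestamp with a valid signature.
function requestIsFromApp(array $server, int $now): bool
{
    $ts  = $server['HTTP_X_APP_TS']   ?? '';
    $sig = $server['HTTP_X_APP_AUTH'] ?? '';
    if ($ts === '' || !ctype_digit($ts) || abs($now - (int) $ts) > MAX_SKEW) {
        return false;                      // missing, malformed or stale (replayed)
    }
    $expected = hash_hmac('sha256', $ts, APP_SECRET);
    return hash_equals($expected, $sig);   // constant-time compare, no early exit
}

// Mirrors what the client computes; used here only to build constructed requests.
function signTimestamp(int $ts): string
{
    return hash_hmac('sha256', (string) $ts, APP_SECRET);
}

// Constructed sample requests standing in for $_SERVER.
$now      = 1700000000;
$good     = ['HTTP_X_APP_TS' => (string) $now,         'HTTP_X_APP_AUTH' => signTimestamp($now)];
$replayed = ['HTTP_X_APP_TS' => (string) ($now - 600), 'HTTP_X_APP_AUTH' => signTimestamp($now - 600)];
$browser  = ['HTTP_USER_AGENT' => 'Mozilla/5.0'];                 // plain browser visit
$forged   = ['HTTP_X_APP_TS' => (string) $now, 'HTTP_X_APP_AUTH' => str_repeat('0', 64)];

foreach (['good' => $good, 'replayed' => $replayed, 'browser' => $browser, 'forged' => $forged] as $name => $req) {
    echo $name, ': ', requestIsFromApp($req, $now) ? 'accepted' : 'rejected', "\n";
}

// In the real page.php the loop becomes:
//   if (!requestIsFromApp($_SERVER, time())) { http_response_code(403); exit; }
//   echo $message;
```

Only the first constructed request is accepted; the ten-minute-old signature, the plain browser visit and the forged signature are all refused before $message is echoed.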

jkrassman wrote: Hi again, felt I wanted to test the header stuff and here’s some code that works.

I think I understand.
I like the Header solution to pass in the password better than the directly adding “myId” as a param to the URL.

With the Header method, there is no way to pass in the value "myIphoneApp" into the URL directly, is that right?

I’ll go play with this and see if I can get in.

Thanks Joakim,

Joakim,

The Header works great, thank you very much for helping me out. It does exactly what I was looking for!

Hopefully, as I work with more php, I’ll actually understand how the header is being used and what it is doing. I think I have the concept, just don’t know the language/syntax.

Thanks Nail

By no means take me as knowing anything about export compliance. When I’ve checked on it, I got really useless vague answers on the topic.

Though my understanding is using https: does not require export compliance. I know that user authentication does not require it.

I wish someone would come up with definitive answers that are explained in easy to understand terms.

@xnailbender,

Great that you think it is useful. Combined with a web server that has SSL it is totally secure.

PHP is an easy language to understand and I think it is the best. There are tons of scripts and classes out there that you could use. PHP syntax looks like javascript and it is easy to get the hang of. I assume that your pages will generate output from a database and you can use mySql or MSSQL. I use both on my server depending on my needs. I prefer MSSQL but that’s because the enterprise manager is ten times better than all others I have tried for mySql. As a patriot - I would have stuck to mySQL since it is a swedish product, but but… :slight_smile:

I assume that you are going to parse data from the server, so then you could use JSON on both ends - to get your data in a structured manner.

Joakim

Joakim wrote: I assume that your pages will generate output from a database and you can use mySql or MSSQL

Now that I’ve got a server and have got secure php URLs :), I’m working on setup/learning mySQL/PHP and implementing some homegrown analytics for tracking app usage. Since all the programming I do to develop my app with Corona is new to me, the learning curve has been relentless over the last 6 months. In a way, building an app is the ultimate “game”, totally engaging and stimulating. I just hope I can afford to continue with the experience!


robmiracle wrote: Though my understanding is using https: does not require export compliance. I know that user authentication does not require it.

I wish someone would come up with definitive answers that are explained in easy to understand terms

+10 on that Rob!

This is a HUGE issue with almost “0” information available, including here at Corona Labs. IMO, there should be an accurate and full disclosure of export compliance requirements posted at the Apple Dev Portal and here at Corona. Who needs it, when they need it and how to do it. I believe a lot of Devs are in violation of the law and are oblivious of the fact.

From what I understand, not only does ANY use of SSL require registration, but even the capability of an App to use SSL encryption (doesn’t actually use it) requires registration. I believe that would mean ANY App built with Corona, because it has access to the SSL libraries, requires registration.

I am in the same boat as you, I’m certainly NOT an expert on export compliance, just doing my best to traverse a very grey and undocumented area of an industry I’m attempting to participate in. Up until a few weeks ago, I was completely ignorant that export compliance registration even existed. Any help and clarification from anyone would be much appreciated as I’m attempting to err on the legal side of my discoveries/opinions.