php – Android, how to secure in JSON?

Question:

I use Volley to make a POST request to a url that returns user data… But you can see this data, creating a simple html form with action set to url 192.168.0.101/projeto/user.php . Ai shows all the JSON… how to prevent the guy from seeing this data without harming the app when listing this data in recyclerview? NOTE: I used header("Location: www.teste.com"); and redirects without showing JSON to possible "hacker", BUT doesn't list data in app

PHP:

<?php
require_once('config.php');
require_once 'classes/BD.class.php';
BD::conn();
if(isset($_POST['user']) && $_POST['user'] != ""){
    $user = (int)$_POST['user'];
    $searchPhotos = BD::conn()->prepare("SELECT * FROM `photos` WHERE `id_user` = ? ORDER BY `id` DESC");
    $searchPhotos->execute(array($user));
    $resultPhotos = $searchPhotos->rowCount();

    $searchQtdFollowers = BD::conn()->prepare("SELECT id FROM `follows` WHERE `user` = ?");
    $searchQtdFollowers->execute(array($user));
    $resultFollowers = $searchQtdFollowers->rowCount();

    $searchQtdFollowing = BD::conn()->prepare("SELECT id FROM `follows` WHERE `follower` = ?");
    $searchQtdFollowing->execute(array($user));
    $resultFollowing = $searchQtdFollowing->rowCount();         

    $array = array(
            "photos" => $resultPhotos,
            "followers" => $resultFollowers,
            "following" => $resultFollowing
            );
    $result[] = array_map("utf8_encode", $array);
    while($data = $searchPhotos->fetch(PDO::FETCH_ASSOC)){
        $array = array(
                "photo" => PATH.$data["photo"],
                "date_creation" => date('d/m/Y', strtotime($data["date_creation"]))
                );
        $result[] = array_map("utf8_encode", $array);
    }
    header('Content-type: application/json');
    echo json_encode($result);
}
?>

Answer:

There are several security methods for this case, however a basic method, which is the least to do, would be to use an encrypted key at both ends of the connection. In this first case, using HTTP Get request and passing as parameter your key through your application. Example:

http://192.168.0.101/projeto/user.php?chave=mistersatanderrotoucell

In this case, your application would send encrypted data through the chave parameter, considering that mistersatanderrotoucell would already be encrypted data.

To retrieve this value in PHP, we use the following lines of code:

echo $_GET['chave'];

Therefore, it would be necessary to make a verification confirming whether the received key is correct or not. Thus:

$minha_chave = mistersatanderrotoucell;

if($_GET['chave'] == $minha_chave){
    //exibe json
} else{

    echo "chave incorreta";
}

Or, as you are already using HTTP POST to receive the value of the user attribute, I would give you one more condition to receive the 'key' like this:

if(isset($_POST['user']) 
&& $_POST['user'] != "" 
&& $_GET['chave'] == $minha_chave){
    //Exibe json
} else{
    echo "chave incorreta";
}

POST is more secure than GET because information passed by users is never visible in the URL.

It will depend on your creativity. Good luck!

Scroll to Top