Discussion: PHP JSON User can update File

 
Greenhorn
I created a website where I read in a JSON file from my web server. I use PHP to read it and update (edit/add) the JSON file. I was wondering what keeps other developers from reading that same JSON file, updating it on their own, and then changing my file?

I guess I can put the JSON somewhere else on my web server, but would anyone be able to find it and do as I stated above?

If the JSON filename is stored in PHP, can someone read it?
 
Marshal
Correct me if I'm wrong, but doesn't PHP run on the server side? If so, then some other developer would have to be able to run something on your server. Regular server security ought to prevent that.
 
Johnathon Anderson
Greenhorn
I want to prevent anyone else from editing the json. If they have the json file, then they can edit it, no? For example, if the json is www.website.com/file.json, wouldn't you be able to type in that same file and be able to edit the file like I could?

 
Paul Clapham
Marshal
If you configured your server so that the file could be downloaded, then somebody else could see it, yeah. I don't know why you would do that -- but you'd really have to do some work to allow that other person to upload the modified file to your server. Like I said, standard server security would prevent that.
 
Johnathon Anderson
Greenhorn
If I create a php login with sql in front of the JSON editing web app, does that help?

I'm not sure I understand what you mean by standard server security.
 
Paul Clapham
Marshal

Johnathon Anderson wrote: If I create a php login with sql in front of the JSON editing web app, does that help?



This is the first time you have mentioned a "JSON editing web app". Up to now all we knew was that you had a PHP application which reads a JSON file from your server.

So, now that we are discussing the actual question, could you elaborate on this web app a bit? I don't understand the purpose of a web app which allows you to edit a file on the server -- that is, I don't know why you need a web app for that.
 
Johnathon Anderson
Greenhorn
Sorry for any confusion.

The main purpose of the web application is to update a JSON file.

That JSON file will be used in an Android and iOS application.
I may need to update the information on the JSON, and the purpose of making a web app is to allow myself (or the other developers on my team) to make changes on the JSON which will in return change the information on the Android/iOS game.

Think of this as Firebase, but the JSON is on MY web server, and not with Google. The JSON contains names/numbers/ids/etc, etc. Once they change within the JSON, they will change within the app on the device as soon as it gets refreshed. I plan to do this for a lot more than just names.... so I need to make sure that only myself (or my devs) can access and change this information.

Let's think of the json file being stored here:

www.website.com/file.json. If this was a thing, you can write a pretty simple PHP script to parse through the JSON like so:



I can then create this to go through the array of contents.



I don't need to upload the code to save this information back in the JSON, I think you get the idea. If you, being a PHP developer, knew this exact code, you would be able to take my json file (www.website.com/file.json), write the same script, and change it from YOUR code on MY server. I am trying to make it so NO ONE can change this JSON other than the people logged in to the api backend.
 
Paul Clapham
Marshal
I don't think PHP is necessary for the bad guy. If there's a URL where you can go and download the file so that you can change it and upload the changed version, then the bad guy can go to that URL etc etc. It sounds like going to your URL causes some PHP processing to happen on your server, but the bad guy doesn't have to have PHP as far as I can see. So yeah, you'd want to password-protect that URL.
 
Johnathon Anderson
Greenhorn
If you have the website, php is pretty much hidden and runs before the website loads. Is there any way for anyone to know exactly where my json file is located without seeing my code?
 
Sheriff
Security through obscurity is no security at all. You need to properly shield the JSON file, and can't expect it to be safe just because nobody knows how to find it.
 
Johnathon Anderson
Greenhorn

Rob Spoor wrote: Security through obscurity is no security at all. You need to properly shield the JSON file, and can't expect it to be safe just because nobody knows how to find it.



And that's what I'm getting at. Can you kindly point me in the direction on how to achieve that?
 
Rob Spoor
Sheriff
A simple .htaccess file (or directly in Apache's configuration) can already give you a lot of control over what internal files can be reached from the outside. PHP isn't my main language so there are probably better ways though.
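
One way to do what the replies above suggest (keep the file unreachable by direct URL and put a login in front of the editor), as an added example that is not code from any poster in this thread. It assumes a separate login page that sets the hypothetical session keys `user_id` and `csrf`, and a hypothetical file path outside the document root.

```php
<?php
declare(strict_types=1);
// Assumption: the data file lives OUTSIDE the document root, so no URL maps
// to it and the only way to change it is through this script (hypothetical path).
const DATA_FILE = '/var/www/private/file.json';

session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => 'Strict']);

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// 1. Only POST may change state.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'POST required');
}
// 2. The caller must hold a session created by the login page
//    (hypothetical: login.php sets user_id after password_verify() succeeds).
if (empty($_SESSION['user_id'])) {
    deny(401, 'not logged in');
}
// 3. Per-session CSRF token, compared in constant time.
$token = $_POST['csrf'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $token)) {
    deny(403, 'bad CSRF token');
}
// 4. Accept only well-formed JSON (object or array) as the new content.
$raw  = $_POST['json'] ?? '';
$data = is_string($raw) ? json_decode($raw, true) : null;
if (!is_array($data)) {
    deny(422, 'payload is not a JSON object or array');
}
// 5. Write a temp file, then rename over the original so readers never see a partial file.
$tmp     = DATA_FILE . '.' . bin2hex(random_bytes(8)) . '.tmp';
$encoded = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
if ($encoded === false || file_put_contents($tmp, $encoded, LOCK_EX) === false || !rename($tmp, DATA_FILE)) {
    @unlink($tmp);
    deny(500, 'could not save');
}
header('Content-Type: application/json');
echo json_encode(['saved' => true, 'by' => $_SESSION['user_id']]);
```

The mobile apps would fetch the data through a separate read-only script that only outputs the file, so nothing that can write is reachable without a session.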
 