Web request to php to mysql secure data transfer

Discussion in 'Scripting' started by DevSpur, Aug 3, 2022.

  1. DevSpur

    Hi there,

    So I've made many login and register apps that pass data back and forth from app to database and database to app but I'm not happy with the way that I'm doing it.
    The thing I am not happy with is the security of the data. To me, it seems too easy to get data from the simple echo in the PHP script. This is an example of both scripts:

    Code (PHP):
    <?php

    // Database connection settings (left blank in the post)
    $severname      = "";
    $sever_username = "";
    $sever_password = "";
    $dbname         = "";

    // Value posted by the Unity client
    $Email  = $_POST["emailstring"];

    // Make Connection
    $conn     = new mysqli($severname, $sever_username, $sever_password, $dbname);
    // Check Connection
    if ($conn->connect_error)
        {
        die("Connection Failed. " . mysqli_connect_error());
        }

    // Query built by concatenating the posted value into the SQL text
    $sql = "SELECT * FROM Users WHERE Email = '" . $Email . "'";

    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) > 0)
        {
            while ($row = mysqli_fetch_assoc($result))
            {
                echo "|Company_Name:".$row['Company_Name']."|Email:".$row['Email']."|Name:".$row['Name']."|Surname:".$row['Surname'];
            }
        }
        else {
            echo "No Data";
        }

    mysqli_close($conn);

    ?>
    Code (CSharp):
    IEnumerator Get(string Email)
    {
        WWWForm form = new WWWForm();

        form.AddField("emailstring", Email);

        // Endpoint URL left blank in the post
        UnityWebRequest www = UnityWebRequest.Post("", form);
        www.timeout = 10;
        yield return www.SendWebRequest();

        if (www.isNetworkError)
        {
            Debug.Log(www.error);
            if (www.error == "Request timeout")
            {
                ErrorText.text = "Request Timeout Please Try Again";
            }
            else
            {
                ErrorText.text = "Error Please Try Again";
            }
        }
        else
        {
            ErrorText.text = "";
            wwwText = www.downloadHandler.text;
            Debug.Log(wwwText);

            if (wwwText != "No Data")
            {
                //Login
                ErrorText.text = "";
                LoadingGB.SetActive(false);

                // Cache the returned fields locally
                PlayerPrefs.SetString("Namestring", GetDataValue(wwwText, "Name:"));
                PlayerPrefs.SetString("Surnamestring", GetDataValue(wwwText, "Surname:"));
                PlayerPrefs.SetString("Emailstring", GetDataValue(wwwText, "Email:"));
                PlayerPrefs.SetString("Company", GetDataValue(wwwText, "Company_Name:"));
            }
        }
    }

    So what I'm asking is how do you secure the data, am I missing something, or is there a third-party app or protocol between Unity and my database that can pass data back and forth more securely?

    Any help or suggestions would be great.
     
  2. Bunny83

    Well, yes, your API design does not have any :)

    In general everybody on the internet can hit your http endpoint and pass any kind of data to it. So it's up to you to decide how to process the data, what requirements the user should have in order to get the information.

    So where's your registering or login related code then? Does the user account have a password attached to it? So you should check the credentials before returning any sensitive data and error out in case the check fails. Hopefully if you implement user accounts yourself, you have read a recent security guideline. (about hashing passwords, how to salt and pepper the password properly, https, ...)

    Currently you don't work with sessions at all. There's no need to use php sessions, but it's a common thing to use so you don't have to transmit the username and password with each request.

    I'm not sure what exactly you expect from us. We have no idea what your app is actually about or what kind of login methods you may want to support. Logging in with third party services like Google using webtokens is possible, but you would need to read up on a lot of documentation. There are countless ways how to pull something like that off. Maybe you can be more precise about what you actually want to do? Have you actually planned your app and what features you need / want?

    Just to make that clear: managing user accounts and doing it right is not an easy task. There are many dos and don'ts and many different ways to authenticate against your server.
     
    DevSpur and Kurt-Dekker like this.
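
Added example, not part of the thread: one way to do the check described in the reply above, verifying credentials and keeping the result in a session before any profile data is returned. It assumes PDO with an in-memory SQLite database so it runs from the PHP command line; the table layout, the account and the function names are constructed for illustration.

```php
<?php
// Added example: constructed schema and account, SQLite in memory instead of MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, Email TEXT UNIQUE, PassHash TEXT, Name TEXT)');

// Hypothetical helper: store only a salted hash, never the password itself.
function register_user(PDO $db, string $email, string $password, string $name): void {
    $st = $db->prepare('INSERT INTO Users (Email, PassHash, Name) VALUES (?, ?, ?)');
    $st->execute([$email, password_hash($password, PASSWORD_DEFAULT), $name]);
}

// Returns the user id on success, null for an unknown e-mail or a wrong password.
function login(PDO $db, string $email, string $password): ?int {
    $st = $db->prepare('SELECT id, PassHash FROM Users WHERE Email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['PassHash'])) {
        return null;
    }
    return (int) $row['id'];
}

// The row is chosen by the id held in the server-side session,
// not by an e-mail address the client sends with the request.
function profile(PDO $db, ?int $sessionUserId): array {
    if ($sessionUserId === null) {
        return ['status' => 401, 'body' => ['error' => 'not logged in']];
    }
    $st = $db->prepare('SELECT Email, Name FROM Users WHERE id = ?');
    $st->execute([$sessionUserId]);
    return ['status' => 200, 'body' => $st->fetch(PDO::FETCH_ASSOC)];
}

register_user($db, 'alice@example.test', 'constructed-passphrase', 'Alice');

// $session stands in for $_SESSION; a web endpoint would call session_start()
// first and session_regenerate_id(true) right after a successful login.
$session = [];
echo json_encode(profile($db, $session['uid'] ?? null)), "\n";   // no session yet
$session['uid'] = login($db, 'alice@example.test', 'wrong-guess');
echo json_encode(profile($db, $session['uid'])), "\n";           // failed login
$session['uid'] = login($db, 'alice@example.test', 'constructed-passphrase');
echo json_encode(profile($db, $session['uid'])), "\n";           // valid login
```
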
  3. Kurt-Dekker

    And it is a MASSIVE legal liability, with the ridiculous fines and forfeitures specified in GDPR, CCPA and now the Brazil privacy laws for any mis-compliance... and that's only going to get worse.

    Just say no to PII (Personally Identifiable Information) processing. It's not worth it.
     
    DevSpur and Bunny83 like this.
  4. _geo__

    I wouldn't worry about the ECHO. You have at least one quite serious security hole in your php code. Anyone could practically read anything from your database and (depending on your db user permission) delete all the data.

    So, as a first step please PLEASE use prepared statements to construct your sql query. Right now you are inserting unfiltered user data right into your query. That's practically an invitation for any script kiddie to try some SQL injections.
     
    Last edited: Aug 4, 2022
    DevSpur and Bunny83 like this.
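
Added example, not code from the thread: the concatenated lookup from the first post beside a prepared-statement version, run on constructed rows and inputs. PDO with an in-memory SQLite database is an assumption that stands in for the MySQL server; the function names are hypothetical.

```php
<?php
// Added example with constructed rows; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Company_Name TEXT, Email TEXT, Name TEXT, Surname TEXT)');
$ins = $db->prepare('INSERT INTO Users VALUES (?, ?, ?, ?)');
$ins->execute(['Acme', 'alice@example.test', 'Alice', 'Able']);
$ins->execute(['Bolt', 'bob@example.test', 'Bob', 'Baker']);

// Pattern from the first post: the input becomes part of the SQL text,
// so a quote character in it changes the structure of the query.
function lookup_concatenated(PDO $db, string $email): array {
    $sql = "SELECT * FROM Users WHERE Email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the input travels as a
// bound value, so it is only ever compared against the Email column.
function lookup_prepared(PDO $db, string $email): array {
    $st = $db->prepare('SELECT Company_Name, Email, Name, Surname FROM Users WHERE Email = ?');
    $st->execute([$email]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one ordinary address, one containing quote characters.
$inputs = ['alice@example.test', "x' OR '1'='1"];
foreach ($inputs as $email) {
    printf("%-22s concatenated=%d rows, prepared=%d rows\n",
        $email,
        count(lookup_concatenated($db, $email)),
        count(lookup_prepared($db, $email)));
}
```

With mysqli against MySQL the same pattern is `prepare()` on the connection, then `bind_param()` and `execute()` on the statement.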
  5. Bunny83

    Right! Though I always used the PDO class as it abstracts the underlying database and actually works quite similarly.

    :D while this is certainly true, sometimes there's no way around it, depending on what you want to do. Also depending on what "rules" apply to you, a lot of things can already count as personal information such as the IP address. Yes, there are usually different levels of "sensitivity" and some data require a higher level of security. Though nothing is 100% secure. So the usual approach is: prepare for the worst and hope for the best ^^.
     
    _geo__ and DevSpur like this.
  6. DevSpur

    Thank you for the prompt and valuable responses. The apps I have written in the past have been small-scale info apps where I was giving users access to temperature information, I was not holding any valuable user information nor anything anyone would want to hack, very low volume of users.

    The app I am building out now will hold funds in wallets and as such full user information such as id docs, proof of residence, photographs, IP address, etc.

    I suspected what I had was far from what was required to be adequate and that is why I came here to ask the clever peeps for advice.

    Does using things like GraphQL improve message security?

    Thanks for this, this makes a lot of sense.
     
    _geo__ likes this.
  7. _geo__

    Yes, me too. I pretty much only use Doctrine ORM. Haven't touched the "native" php sql functions in years.

    I think you have accurately assessed that you are not (yet) up to the task. I want to stress that I don't mean that in a bad way. You are on the right track!

    I would suggest you base your app on some sort of battle-tested framework. I personally like Symfony a lot (I have used it since v1.2 so I am certainly biased). You will find a steep learning curve at the start but these frameworks just deal with so much security-related stuff you are most likely not aware of (CSRF for example).
     
    Last edited: Aug 4, 2022