Handling new user requests from a Swift client

Problem

I am starting to play with POST requests to save the user token on my server so I can send push notifications in Swift (this is the Swift code). This is the PHP file that processes the request (please note that I will improve it using prepared statements to prevent SQL injection):

```php
<?php
// Map an HTTP status code to its standard reason phrase
function getStatusCodeMessage($status) {
    $codes = array(
        100 => 'Continue',
        101 => 'Switching Protocols',
        200 => 'OK',
        201 => 'Created',
        202 => 'Accepted',
        203 => 'Non-Authoritative Information',
        204 => 'No Content',
        205 => 'Reset Content',
        206 => 'Partial Content',
        300 => 'Multiple Choices',
        301 => 'Moved Permanently',
        302 => 'Found',
        303 => 'See Other',
        304 => 'Not Modified',
        305 => 'Use Proxy',
        306 => '(Unused)',
        307 => 'Temporary Redirect',
        400 => 'Bad Request',
        401 => 'Unauthorized',
        402 => 'Payment Required',
        403 => 'Forbidden',
        404 => 'Not Found',
        405 => 'Method Not Allowed',
        406 => 'Not Acceptable',
        407 => 'Proxy Authentication Required',
        408 => 'Request Timeout',
        409 => 'Conflict',
        410 => 'Gone',
        411 => 'Length Required',
        412 => 'Precondition Failed',
        413 => 'Request Entity Too Large',
        414 => 'Request-URI Too Long',
        415 => 'Unsupported Media Type',
        416 => 'Requested Range Not Satisfiable',
        417 => 'Expectation Failed',
        500 => 'Internal Server Error',
        501 => 'Not Implemented',
        502 => 'Bad Gateway',
        503 => 'Service Unavailable',
        504 => 'Gateway Timeout',
        505 => 'HTTP Version Not Supported'
    );

    return (isset($codes[$status])) ? $codes[$status] : '';
}

// Helper method to send a HTTP response code/message
function sendAPIResponse($status = 200, $body = '', $content_type = 'text/html') {
    $status_header = 'HTTP/1.1 ' . $status . ' ' . getStatusCodeMessage($status);
    header($status_header);
    header('Content-type: ' . $content_type);
    echo $body;
    exit;
}

// The request handling and database code that followed in the original file is not reproduced on this page.
```

Solution

If somebody gets the correct address http://www.myServer.com/api/v1.0/saveToken.php, would he be capable of sending a POST request adding fake users and token ids?

Sure, why wouldn't an attacker be able to do that?

You can test this yourself, either by writing a short script or by using a plugin such as Tamper Data for Firefox. Or, as you are using `$_REQUEST` instead of `$_POST`, just pass the values via GET.

So if you want to avoid this, you need some kind of authentication mechanism (and you obviously need to fix the SQL injection).

Other than the use of `mysql_`, which has been deprecated for a long time, and the SQL injection, your PHP code looks good. I would probably move some of the code to its own function (such as addUser, selectUser, addToken, etc.) to make it even easier to read. And instead of setting the header and status message yourself you could use `http_response_code()`.
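A hardened version of the endpoint that follows the answer's advice: accept POST only (so query-string values are ignored), require an authentication check before touching the database, bind the inputs with prepared statements, use `http_response_code()` instead of hand-built status headers, and split the logic into small functions. This is an added example, not code from the question or the answer; the `device_tokens` table, the `user_id`/`token` field names, the `Authorization: Bearer <secret>` header and the `API_SHARED_SECRET`/`DB_PASSWORD` environment variables are assumptions.

```php
<?php
// Added example (not the asker's or the answerer's code). Assumed schema:
// device_tokens(user_id INT, token CHAR(64)). Assumed transport: the app sends
// "Authorization: Bearer <shared secret>" and the secret lives in the environment.
declare(strict_types=1);

// Only accept POST; anything passed in the query string is never read.
function requirePost(): void {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }
}

// Refuse the request unless it carries the expected secret. hash_equals() runs in
// constant time, so the comparison does not leak how many leading bytes matched.
// (On some Apache/PHP-FPM setups HTTP_AUTHORIZATION must be passed through explicitly.)
function requireAuth(string $expectedSecret): void {
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    $presented = preg_match('/^Bearer\s+(\S+)$/', $header, $m) ? $m[1] : '';
    if ($presented === '' || !hash_equals($expectedSecret, $presented)) {
        http_response_code(401);
        exit;
    }
}

// Shape-check the inputs before they get anywhere near SQL.
// Assumption: device tokens are 64 hex characters (the usual APNs token format).
function validateInput(array $post): ?array {
    $userId = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $token = $post['token'] ?? '';
    if ($userId === false || !is_string($token) || !preg_match('/^[0-9a-fA-F]{64}$/', $token)) {
        return null;
    }
    return ['user_id' => $userId, 'token' => strtolower($token)];
}

// Prepared statement: the values are bound as parameters, never concatenated into
// the SQL text, so they cannot change the structure of the query.
function saveToken(PDO $db, int $userId, string $token): void {
    $stmt = $db->prepare('INSERT INTO device_tokens (user_id, token) VALUES (:user_id, :token)');
    $stmt->execute([':user_id' => $userId, ':token' => $token]);
}

requirePost();

$secret = getenv('API_SHARED_SECRET');
if ($secret === false || $secret === '') {
    http_response_code(500); // fail closed: no secret configured means no unauthenticated fallback
    exit;
}
requireAuth($secret);

$input = validateInput($_POST);
if ($input === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'user_id must be a positive integer and token a 64-char hex string']);
    exit;
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', getenv('DB_PASSWORD') ?: '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

try {
    saveToken($db, $input['user_id'], $input['token']);
    http_response_code(201);
    header('Content-Type: application/json');
    echo json_encode(['status' => 'created']);
} catch (PDOException $e) {
    error_log($e->getMessage()); // details go to the server log, not to the client
    http_response_code(500);
}
```

A single secret baked into a mobile app can be recovered from the binary, so for a real deployment the check in `requireAuth()` would validate a per-user credential (a session token or signed JWT tied to `user_id`) rather than one shared secret; the rest of the structure, POST only, validation, prepared statements and `http_response_code()`, stays the same.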

Context

StackExchange Code Review Q#86601, answer score: 3
