The SSL answer helps.
I don't want anything visible on the website actually.
So basically if I put my PHP files in a secure directory no one can get to them without cracking the password for the site.
The SetHTTPHost command allows me to send the credentials. Excellent!
And if I'm under SSL then I don't need to worry about anyone intercepting the HTTP commands that are sent to the site from the app.
Quote: "Also, browsers will not actually see the contents of your PHP files on your site. They actually only see the generated html output, not the raw script files."
Is the output that is received by AppGameKit the HTML that shows?
Quote: "Your PHP files are only vulnerable to someone hacking into the server and seeing the physical files or installing scripts that will send them the files."
Basically that's all I'm worried about.
Quote: "If you go with a shared hosting account, you are somewhat dependent on the security measures of your hosting provider. JaguarPC is pretty good about security."
Very good to know.
So here's my plan at the moment:
Set up SSL and use SetHTTPHost to log in
Data is sent to a PHP GET script via URL which requires the database password to also be passed via URL. I'm still not sure if passing the db password via URL is better than storing it in the PHP script. Or are there essentially enough security measures that it doesn't really matter?
Data sent from the app is encrypted by the app before being sent to the database. This way if someone does hack in and steal the database it appears as garbage.
That provides 3 levels of security, which I'd feel really comfortable about.
Another question:
I'm trying to find out how to force logout the HTTP connection. I've tried:
<?php
// Starts (or resumes) a PHP session and then destroys it.
// This only clears server-side session data; it does not touch the
// HTTP Basic credentials the client keeps re-sending on every request.
session_start();
session_destroy();
?>
But it doesn't seem to be working since I still have access after running it...
EDIT
Never mind the logout question. I've solved it. Just try to force in new credentials or use another call to login like this:
<?php
// No credentials sent yet: challenge the client for HTTP Basic auth.
// Sending this 401 again later is what forces the client to re-authenticate.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="localhost"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Credentials were supplied; PHP exposes them in $_SERVER.
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
The issue is that Chrome likes to remember the credentials even after invalid login credentials have been sent... I don't think this will be a problem via app.
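The plan above (Basic auth over SSL, a PHP endpoint, and a way to force re-login) as one added example script; this is not the poster's code or part of the AppGameKit SDK. The config file path, the `appuser` account, its password hash, the `app_data` table and the `?logout=1` convention are all assumptions for illustration, and the database password is read from a file outside the web root instead of from the URL.

```php
<?php
// Added example, not from the forum post. Assumes an HTTPS host, a config
// file at ../config/db.php returning ['dsn' => ..., 'user' => ..., 'pass' => ...],
// and a table app_data(username, payload).

// 1. Refuse plain HTTP: Basic auth sends user:password base64-encoded, not encrypted.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('HTTP/1.1 403 Forbidden');
    exit('HTTPS required');
}

// 2. Database credentials come from a file outside the web root, never from
//    the query string (URLs end up in server logs, proxies and browser history).
$config = require __DIR__ . '/../config/db.php'; // assumed path

// 3. App login: store only a password_hash() result, never the plain password.
$appUsers = ['appuser' => '<PLACEHOLDER: output of password_hash()>']; // assumed account

function challenge(): void {
    // A 401 with WWW-Authenticate makes the client drop its cached
    // credentials and prompt (or, for an app, call SetHTTPHost) again.
    header('WWW-Authenticate: Basic realm="app"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === null || !isset($appUsers[$user]) || !password_verify($pw, $appUsers[$user])) {
    challenge();
}

// 4. Forced logout: the app requests ?logout=1 and gets the 401 challenge back.
if (isset($_GET['logout'])) {
    challenge();
}

// 5. Store the payload (already encrypted by the app) with a parameterised
//    query so app-supplied data is never interpolated into SQL.
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'],
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$payload = $_POST['data'] ?? '';
$stmt = $pdo->prepare('INSERT INTO app_data (username, payload) VALUES (:u, :p)');
$stmt->execute([':u' => $user, ':p' => $payload]);
echo 'OK';
```

Generate the stored hash once with `password_hash('the-app-password', PASSWORD_DEFAULT)` and paste the result in place of the placeholder.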