From a desktop app I need to save data in a database on the web.
I know that it’s not a good idea to connect directly to the database because of the reconnect thing. So I tried to build a small web service.
For saving I’m using the URLConnection for the POST request, running a PHP script on the web server with the INSERT and UPDATE statements for MySQL.
Now the problem: my web server regularly rejects my IP address because of the suspicion of SQL injection.
Your SQL statements are part of the POST request? That’s… not recommended. You should have http endpoints for given tasks that take parameters, and the SQL is in your server scripts. Look up what a REST API is, it’s a pretty common model.
Doing what you’ve done may actually be worse than connecting directly, as you’re essentially just replacing the database-level authentication with your own, which (no offense intended) is probably not as robust, and certainly not as reviewed and tested.
And I call these scripts from Xojo, for example like this:
Var postdata() As String
postdata.Add("vdatum=" + aktdat.SQLDate)
postdata.Add("vzeit=" + aktdat.LongTime)
postdata.Add("userid=" + currUser.ID.ToString)
postdata.Add("vart=" + vArt.ToString)
// join the fields into a form-encoded request body
Var data As String = String.FromArray(postdata, "&")
Var ConMain As New MainCloudCon
ConMain.SetRequestContent(data, "application/x-www-form-urlencoded")
ConMain.Send("POST", wcon.serverpfad + "/main/addappverlauf")
So in that case, I don’t have any idea which service would be complaining. It sounds like firewall, but I wouldn’t expect it to be doing THAT level of inspection, especially over a TLS connection. Do you know which http server you’re running?
The problem is not with the firewall. The provider which is hosting my domain told me that my IP was rejected because of the suspicion of SQL injection. This comes from executing this code like above.
They were speculating that it is because the “POST” is executed from an external app (Windows app) and not from the webserver itself. With “GET” I get no problems, only with “POST”.
So I was thinking my way of sending the request content is wrong.
Yeah, that’s why I was wondering which webserver it is. This is an unusual behavior. An HTTP request is an HTTP request. They are doing something to your traffic. They might be injecting cookies to help identify browsers from apps, but it’s hard to say for sure. Or maybe they reject POST requests without a referrer? Whatever it is, it’s not normal.
The referrer tells the server where you came from. Essentially the last url that was visited. It’s mostly used for following links. But you could set it in your request such as
You might also set your user agent header to match a real browser:
URLConnection1.RequestHeader("User-Agent") = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15"
I think it is more likely they have an IPS (intruder prevention system), like fail2ban, scanning the access log file for anomalies. The advice to set a user agent is spot on. Also consider a switch to using json to exchange query parameters and data with the web server.
Log scanning is something I hadn’t considered, and makes a ton of sense. In my second comment I said it sounded like the firewall, but I couldn’t figure out how it’d be breaking into the TLS data. With log scanning, it doesn’t have to, so I agree this sounds like exactly what is going on.
<?php
mb_internal_encoding("UTF-8");
// read the raw request body (sent with Content-Type: application/json)
$json = file_get_contents('php://input');
// Decode the JSON string into an object
$js = json_decode($json);
// check if $js is null for fails, then you can play with the contents as $js->a_field_name
Not as silly as a user and a form, that’s the silly level the provider is trying to avoid.
If you want extra security measures, use some authentication scheme and insert unique mutable confirmation codes in your JSON packets, as AUTH protocols usually do.
To send JSON data from Xojo and receive a JSON response (fast; slow responses should be async):
Var http As New URLConnection
Var jsonStr As String = "{ ... }" // some valid json content
http.SetRequestContent(jsonStr, "application/json; charset=utf-8") // prepare to send
Try
  // synchronous send with a 5 second timeout; the reply body comes back as a String
  jsonStr = http.SendSync("POST", "https://www.thesite.com/api/v1/proper_endpoint.php", 5).DefineEncoding(Encodings.UTF8)
Catch
  jsonStr = "" // fail (timeout or network error)
End Try
Var json As JSONItem
Try
  json = New JSONItem(jsonStr) // raises JSONException on malformed input
Catch
  json = New JSONItem // Discard. Garbage received
End Try
// process the json response
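Putting the earlier advice together (an endpoint that takes parameters while the SQL stays in the server script, plus the JSON body decoding shown above), here is an added example endpoint in PHP that is not from the thread or its posters. The table name appverlauf, the column names, the DSN and the credentials are assumed placeholders; the field names match the Xojo call above.

```php
<?php
// Added example endpoint (not from the thread): receives a JSON body for the
// "addappverlauf" call, validates it, and runs the INSERT with a prepared
// statement so no SQL text ever travels in the request. Names are assumed.
declare(strict_types=1);
mb_internal_encoding("UTF-8");
header("Content-Type: application/json; charset=utf-8");

// Only the POST verb is accepted for a write endpoint.
if ($_SERVER["REQUEST_METHOD"] !== "POST") {
    http_response_code(405);
    echo json_encode(["error" => "POST required"]);
    exit;
}

$body = json_decode(file_get_contents("php://input"), true);
if (!is_array($body)) {               // json_decode() returns null on failure
    http_response_code(400);
    echo json_encode(["error" => "invalid JSON"]);
    exit;
}

// Whitelist and validate the fields the client may send.
$vdatum = $body["vdatum"] ?? "";
$vzeit  = $body["vzeit"] ?? "";
$userid = $body["userid"] ?? null;
$vart   = $body["vart"] ?? null;
if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $vdatum)      // Xojo SQLDate format
    || !preg_match('/^\d{2}:\d{2}:\d{2}$/', $vzeit)      // Xojo LongTime format
    || filter_var($userid, FILTER_VALIDATE_INT) === false
    || filter_var($vart, FILTER_VALIDATE_INT) === false) {
    http_response_code(422);
    echo json_encode(["error" => "bad or missing field"]);
    exit;
}

// Assumed DSN/credentials; a real deployment reads them from config, not code.
$pdo = new PDO("mysql:host=localhost;dbname=appdb;charset=utf8mb4", "appuser", "secret",
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Placeholders bind the values; the SQL text itself is fixed on the server.
$stmt = $pdo->prepare(
    "INSERT INTO appverlauf (vdatum, vzeit, userid, vart) VALUES (:vdatum, :vzeit, :userid, :vart)"
);
$stmt->execute([
    ":vdatum" => $vdatum, ":vzeit" => $vzeit,
    ":userid" => (int)$userid, ":vart" => (int)$vart,
]);
echo json_encode(["ok" => true, "id" => (int)$pdo->lastInsertId()]);
```

Because the request body carries only data values and never SQL keywords, a log scanner or IPS has nothing to match on, and the database sees the statement text only as written in the script.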