We closed this forum 18 June 2010. It has served us well since 2005 as the ALPHA forum did before it from 2002 to 2005. New discussions are ongoing at the new URL http://forum.processing.org. You'll need to sign up and get a new user account. We're sorry about that inconvenience, but we think it's better in the long run. The content on this forum will remain online.
source code protection. (Read 1633 times)
source code protection.
Dec 13th, 2009, 9:02am
 
hi guys, hope all is right with you all, in these cold winter days. at least, with no sun and hot afternoons i can see improvements in my projects on a daily basis.

now, my issue is about the folder where the applet is stored.
my applet connects to my database to fetch some data, i'm afraid hackers will be able to access and somehow corrupt the way the applet should be working by accessing data from direct url in address bar from the browser.

i tried some things to protect the folder, htaccess and folder manager in cpanel, and it gets really blocked, but.... every time i successfully prevent user from direct access to files in folder, the applet is unable to access jar files and all.

i'd like to get some help to solve this issue.

thanks all.
Re: source code protection.
Reply #1 - Dec 13th, 2009, 1:58pm
 
We need more details. When you write "applet", is that really an applet inside a browser?
Do you use direct JDBC connection to database (would be interesting as somebody else asked a question if that's possible at all)? Or access via HTTP requests?

I am a bit lost on the way you use your applet, and what you are afraid of. What do you mean by "corrupt the way the applet should be working by accessing data from direct url in address bar from the browser"?
Re: source code protection.
Reply #2 - Dec 13th, 2009, 2:42pm
 
ok from the start.

i export the applet, and a folder opens with lots of files.
i copy all those file to the server folder.
by default theres an index.html there. (i can delete that file, though)

i have written a php file, that sends to the browser the content of that index.html along with other stuff , my links, my menus, etc..... (the way i want the page to look around the applet area).

everything's fine till here.

now, the way the applet fetches data from mysql database is thru a php file read by loadStrings()

with the visible code, user can access those url i pass thru loadStrings()

example:

String[] data = loadStrings("http://mydomain.com/data.php?user_id=10&someothervar=randomvalue");

i don't want user to access those url,
if they do, they know exactly how data is sent and how data is fetched and can mess around with things.

i hope this is understandable now.

thanks PhiLho
Re: source code protection.
Reply #3 - Dec 13th, 2009, 2:53pm
 
It is very clear now, thanks for the details.
In general, Web APIs like the one you made should be secure, if well made. Obviously, you must protect yourself against SQL injections and similar... But if correctly made, you shouldn't fear malicious usage: after all, that's the way most Web APIs work, in HTML pages, where the requests are in plain view. It works, in general, because most data is read-only.

If you use some sensitive operations, like a REST interface allowing to delete stuff, you probably do user authentication.
But, and that's the biggest issue, you cannot store credentials in the applet, as they would be easily hacked. So you must ask users to create an account, and enter their credentials at start. And in this case, you allow destructive operations only on their own data!

Not sure if I addressed your concerns. Don't hesitate to ask for more details.
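
Added example, not part of the original thread: a sketch of what the advice in Reply #3 looks like on the server side of data.php, with a weak handler beside a hardened one. The table, columns and function names are assumptions, an in-memory SQLite database with constructed rows stands in for MySQL, and it is assumed that the site's login page stored the user's id in the PHP session and that the applet's request carries the session cookie.

```php
<?php
// Constructed sample data; SQLite in memory stands in for the MySQL database.
function sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE scores (user_id INTEGER, level TEXT, points INTEGER)');
    $db->exec("INSERT INTO scores VALUES (10, 'easy', 120), (10, 'hard', 45), (11, 'easy', 300)");
    return $db;
}

// Weak form: the caller chooses user_id, and the value is pasted into the SQL text.
function fetch_rows_weak(PDO $db, array $query): array {
    $sql = 'SELECT level, points FROM scores WHERE user_id = ' . $query['user_id'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: identity comes from the server-side session created at login,
// and request fields reach the database only as validated, bound parameters.
function fetch_rows(PDO $db, array $session, array $query): array {
    if (!isset($session['user_id'])) {
        return ['status' => 401, 'rows' => []];   // not logged in
    }
    $level = $query['level'] ?? 'easy';
    if (!in_array($level, ['easy', 'hard'], true)) {
        return ['status' => 400, 'rows' => []];   // unexpected value, refuse
    }
    $stmt = $db->prepare('SELECT level, points FROM scores WHERE user_id = ? AND level = ?');
    $stmt->execute([(int) $session['user_id'], $level]);
    return ['status' => 200, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

$db = sample_db();

// With the weak handler, editing the URL is enough to read another user's rows,
// and text appended to user_id becomes part of the SQL statement.
print_r(fetch_rows_weak($db, ['user_id' => '11']));
print_r(fetch_rows_weak($db, ['user_id' => '10 OR 1=1']));

// In data.php, $session would be $_SESSION after session_start().
// A user_id supplied in the request is ignored; only the session's id is used.
print_r(fetch_rows($db, ['user_id' => 10], ['user_id' => '11', 'level' => 'hard']));

// No session: the request is refused before any query runs.
print_r(fetch_rows($db, [], ['level' => 'easy']));
```

With the hardened handler, knowing the URL format gives a visitor nothing beyond their own rows, so hiding the applet folder is no longer what protects the data.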
Re: source code protection.
Reply #4 - Dec 13th, 2009, 3:05pm
 
ok, if i'm understanding well, the thing i call an applet is a webAPI, right?

when you say, users must enter their credentials....
they do that, to enter the site, but then how can i make the webAPI to check them? can i read cookies or session vars from my server?
Re: source code protection.
Reply #5 - Dec 14th, 2009, 1:55am
 
Quote:
the thing i call an applet is a webAPI, right

No. The applet is the jar file the client (browser) loads and displays inside a Web page.
The applet uses the Web API, which is just a buzzword to say there is a server taking requests (GET or POST requests in general) with defined fields to do actions and/or provide data.

An applet can access cookies. Found this page which provides useful code: Access Cookies from a Java Applet.
Note that an applet can also communicate with a JavaScript program in the page which can provide information on this page; or update the page with data provided by the applet.
Re: source code protection.
Reply #6 - Dec 14th, 2009, 6:23am
 
you're giving me some new ideas.
i didn't ask about it, but connecting the applet to other languages such as php, javascript, etc.... started to be a problem. thanks for the hint philo.

i'll try to pass encrypted data thru cookies and see how it goes.

thanks.