options for safe transfer of data to a server - ?

Alex Tweedly alex at tweedly.net
Tue Mar 13 14:05:19 EDT 2012


ftp is indeed a security problem, and sftp is not (easily) available - 
needs externals, or command line usage, etc.

https:// would be an option - but he would need an ssl cert.

However, if the item to be uploaded is small (sounds like it is), then 
you can do it very safely and easily, just as a get URL with the 
parameters encrypted from within LC.

LC on the client machine (pseudo code):
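    -- build the message and encrypt it; encrypt leaves its output in "it"
    put "My machine has been installed" && tMyName && tMyOtherData into tDataToSendToServer
    encrypt tDataToSendToServer using "des" with password "mysecretpassword"
    put it into tData
    -- urlencode the binary ciphertext before placing it in the query string
    put "http://my.domain.com/registerinstall.lc?data=" & urlencode(tData) into tURL
    get URL (tURL)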

(and of course, make sure that you keep the password safe, only do this 
within a protected stack, etc.)


and on the server, you simply take the data passed, urldecode it, 
decrypt it (with the same secret password) and log it to the file.


There is a tiny insecurity here - someone could flood you with bad URL 
gets and grow your logfile out of control - which can easily be avoided 
by passing a security check, e.g. (add this code immediately before the 
get URL above)

    -- tURL already contains "?data=...", so append further parameters with "&"
    put the seconds into tTime
    encrypt tTime using "des" with password "mysecretpassword"
    put it into tEncTime
    put "&time=" & tTime & "&enctime=" & urlencode(tEncTime) after tURL

and then on the server, verify that the enctime value can be decrypted 
to get the time value; only save the data if that matches OK.

-- Alex.

On 13/03/2012 12:42, Curt Ford wrote:
> My client wants to have a routine that records when a user first installs the project, by incrementing an item in a text file on his server. We've got it working well with ftp but I'm wondering whether sending the ftp login & password over regular ftp is a security issue; some digging in the archives makes me think that sftp isn't an option yet.
>
> Would https:// be an option to write to a file on the server? Would that require that they have an SSL certificate?
>
> Any ideas on a good way to handle this?
>
> Curt

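The server-side check described in the message above, written out as a LiveCode Server script. This is an added example, not code from the original post; it assumes the parameter names data, time and enctime, that $_GET delivers the url-decoded values unchanged, a hypothetical log path, and an added freshness window (kMaxAge) so that a captured time/enctime pair stops being accepted after a few minutes.

```livecode
<?lc
-- Added example, not from the original post: server side of registerinstall.lc.
-- Assumptions: $_GET holds the url-decoded parameters unchanged, kLogFile is a
-- hypothetical path, and kMaxAge is an added freshness window.
constant kPassword = "mysecretpassword"
constant kLogFile = "/var/log/myapp/installs.log"
constant kMaxAge = 300 -- seconds a time/enctime pair stays acceptable

-- Return the plaintext, or empty if pCipherText does not decrypt with kPassword.
function decryptOrEmpty pCipherText
   if pCipherText is empty then return empty
   try
      decrypt pCipherText using "des" with password kPassword
      if the result is not empty then return empty
      return it
   catch tError
      return empty
   end try
end decryptOrEmpty

-- The check from the post (enctime must decrypt to time), plus a freshness
-- limit so that one captured pair cannot be reused indefinitely.
function requestIsValid pTime, pEncTime
   if pTime is not an integer then return false
   if decryptOrEmpty(pEncTime) is not pTime then return false
   return abs(the seconds - pTime) <= kMaxAge
end requestIsValid

-- Append one line per accepted request; line breaks in the data are replaced
-- so a single request cannot add extra log lines.
command logInstall pData
   replace return with space in pData
   replace numToChar(13) with space in pData
   open file kLogFile for append
   write the seconds & tab & pData & return to file kLogFile
   close file kLogFile
end logInstall

if requestIsValid($_GET["time"], $_GET["enctime"]) then
   put decryptOrEmpty($_GET["data"]) into tData
   if tData is not empty then
      logInstall tData
      put "OK"
   end if
end if
?>
```

Clients whose clocks are off by more than kMaxAge will be rejected, so size the window for the clock error you expect at install time.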



