I am building a sample server so that I can learn PHP and was wondering if this is a good way to secure my database. Essentially I am sending my own API key. Is this even doing anything useful, or would this be easy to overcome.
If this is horrible, what is the standard way to approach this?
Below is the PHP file
<?php
//Check if insert function exists
$apiKey = "6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF";
if(function_exists($_GET['insert']) && ($_GET['key'])==$apiKey) {
$id = $_GET['id'];
$first=$_GET['first'];
$last = $_GET['last'];
//If found, call the function inser with value as a parameter
$_GET['insert']($id,$first,$last);
}
?>
The web request looks like (from an iOS app);
NSURL*url=[NSURL URLWithString:@"http://localhost/Tutorials/index.php?insert=insert&id=9000&first=YOOOO&last=LOOOO&key=6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF"];
//URL request
NSURLRequest*request=[NSURLRequest requestWithURL:url];
//Set the connection
connection = [NSURLConnection connectionWithRequest:request delegate:self];
if (connection) {
webData=[[NSMutableData alloc]init];
}
To demonstrate how insecure it is, I could request this page:
http://example.com/yourpage.php?insert=exec&id=rm+-rf+%2F&key=6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF
Unless some configuration blocks it, this will wipe your server's drive as much as PHP has access to it (which will probably be your entire website)
Instead, you should create a list of valid functions, and refer to them by ID. Store the functions in an array, and get the index pointed to by a GET parameter.