php ios5 security

iOS app security


I am in the process of making an app that will allow certain users to insert values into a database. At the moment, if I go to the PHP file and add ?year=235&name=ggg to the end of the URL, it would be added to the database. What would be the best way to protect against this and only allow information coming from the app to be entered in the database? Or is it a waste of time trying? I know really the only way for people to get the URL for the PHP file is if they used something like Wireshark/Packet Tracer.


Solution

  • At the very least, you should be using HTTPS. Secondly, it would be wise to use some form of OAuth. That way, one would require a special token, which the user themself doesn't know, in order to access your page, and you could restrict database access to users who are authorized.
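
One way to apply the answer's advice on the PHP side, added here as an example and not code from the original post: the endpoint refuses plain HTTP and GET, requires a per-user bearer token, and inserts `year` and `name` with prepared statements. The `api_tokens` and `entries` tables, their columns, the DSN and the credentials are assumptions, and the opaque token lookup is a simplified stand-in for validating an OAuth access token.

```php
<?php
// Added example: token-gated insert endpoint. Table/column names are hypothetical.
declare(strict_types=1);

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// Refuse plain HTTP so the token and values never travel in the clear.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    fail(403, 'HTTPS required');
}
// Writes go in a POST body, not in a query string that ends up in server logs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}
// Expect "Authorization: Bearer <token>".
$auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
if (!preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/', $auth, $m)) {
    fail(401, 'Missing bearer token');
}

// Assumed DSN and placeholder credentials.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Only a SHA-256 hash of each issued token is stored server-side.
$stmt = $pdo->prepare(
    'SELECT user_id FROM api_tokens WHERE token_hash = ? AND expires_at > NOW()');
$stmt->execute([hash('sha256', $m[1])]);
$userId = $stmt->fetchColumn();
if ($userId === false) {
    fail(403, 'Invalid or expired token');
}

// Validate the two fields from the question before touching the database.
$year = $_POST['year'] ?? '';
$name = $_POST['name'] ?? '';
if (!is_string($year) || !is_string($name) || !ctype_digit($year) || strlen($year) > 4
    || trim($name) === '' || strlen($name) > 100) {
    fail(422, 'Invalid year or name');
}

// Prepared statement: values are bound, never concatenated into SQL.
$ins = $pdo->prepare('INSERT INTO entries (year, name, created_by) VALUES (?, ?, ?)');
$ins->execute([(int)$year, trim($name), $userId]);
http_response_code(201);
```

The token is assumed to be issued to each user at login and tied to that user's row, so access can be revoked per user rather than relying on a value shipped inside the app.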