I am typically transferring JSON objects from JavaScript and saving them with PHP.
I then append them to a specific text file like this:
$theFile = fopen("Data/" . FQ . ".txt", "a+");
fwrite($theFile, $data.PHP_EOL);
fclose($theFile);
Can I add code to save this information as an encrypted text file?
Ideally, I want:
All the files on my server to be encrypted
A secret key that is stored on my local computer
To decipher, I would:
Transfer data from server to local computer
Use my local secret key to decipher
I want this so that if my server is compromised, all data is gibberish without the secret key (which is NOT stored on the server anywhere).
You're going to want a symmetric encryption algorithm, such as AES. It turns out that there is a decent JavaScript implementation of it as part of Forge.
https://github.com/digitalbazaar/forge#aes
You'll want to use CBC mode to encrypt the payload and send it to your server.
If you're dead set on keeping this in a text file, you'll have to base64-encode this binary data. Do this server-side. Your client code shouldn't need to know or care how your server is actually storing the data. Plus, you'll save yourself 33% bandwidth, and some client-side CPU.
As a bonus to the base64-encoding, you'll be able to line-delimit the records in your text file.
When you return the data to your client, you should decode the base64 and send them the binary encrypted data. The client will then decrypt it using the key that only it knows.
Related
In my system I'm generating URLs with query params that represent IDs. I want to encrypt these IDs so that they are not plainly manipulated in the URL. These will be public facing URLs and I don't want users to be able to manipulate the URL and be able to get other users' data, so I want to encrypt these IDs.
I'll be encrypting the IDs within a Java application and then decrypting them in a Javascript app. Is there some common encryption algorithm I can use in both places? Are there libraries available that would do this sort of thing in Java and Javascript?
I realize both my application will need access to a common "password" or decryption key, I will store this in a keystore location that both apps will have access to.
IMO you should generate a public/private key by your own then (OpenSSL, Java keytool...).
Using javascript to encrypt your data with the public key
https://code.google.com/archive/p/crypto-js/downloads
https://nodejs.org/api/crypto.html
On Server-side - Java, you can use the private key to decrypt your data to execute your business behaviour. There are many examples/library to decrypt by the private key such as
https://www.devglan.com/java8/rsa-encryption-decryption-java
https://gist.github.com/fanglijun/a0d1218c9ef0b0670904e62778f6ed12
You're should read how the RSA algorithm to understand more how it works.
Basically you need to encrypt data by your public key (front end part) and decrypt (backend part)by your private key that it.
Not recommend:
If you're still wanna decrypt on front-end side via javascript, mean that you have to public your private key where javascript can read to decrypt. Technically is fine but It may have a security issue
Another solution:
You can encrypt your data like (Id, secret_data.....) into an encrypted string then send that string as a parameter of an URL (generate at server-side)
When end-user clicks that URL you will decrypt parameter by private key (server-side) to get actual data (Id, secret_data...)
Unless your values actually need to be secret use an HMAC. This way you can authenticate that url provided has not been tampered with without actually having to share keys or require that the client decrypt data on its own.
Simply generate an hmac for your desired critical values and append the value to the url. When they user accesses the specific path, read the url and compare it to the hmac.
url = 'http://my.site/users/123
signature = hmac(secret_key, url);
signed_url = url.addQueryValue('s', signature);
on the way in, look at the signature and validate it matches the regenerated hmac.
Other things you can do is append claims to the signature such as expiry ect. Claims can be used to track access, as well as revoke access to a url after some time.
I know that blob is a data type for binary data as integer is a datatype for int. As they say, It's used to store files directly in database (we move our audio file into blob, and save that blob in database).
Question 1) why to store blob for audio if I can just put the audio in storage for example path /var/www/audio.mp3 and in database I store path_name /var/www/audio.mp3?
Question 2) which is better ? how netflix stores movies? just blobs or what?
Question 3) Curious if there're any cons or prons if you could just give me ideas so that I know when to use them .
Putting the blob in the database, rather than a file, allows you to grow to multiple servers with load balancing. If you put the data in files, you would have to replicate the files between the server. Most databases have built-in replication features, this isn't as easy for regular files.
Better to use external storage/cdn for serving such kind of large content.
How Netflix and our works? They upload content on external bucket i. e. S3 and write file name in db for identification. According to user file access frequency that file cache on CDN/edge location. User will get awesome experience while content server from their nearest edge location
With blob you can store all kinds of stuff.
Do you communicate with an API via SOAP or JSON and want to store it in the database? Use a blob. Want to log what a user filled into a form when it threw an exception? Store the entire post as a blob. You can save everything as is. It's handy for logging if you have different data formats. I know an API which expects some data via SOAP and some as JSON. To log the communication I use blob because the response may be in XML, JSON, a number (http code 203 for empty but accepted) or an exception as array.
I don't want to have a readable endpoint like this .com///something.jpeg
so one thing I could do is use hash (I'm using bcrypt) to mask whatever needed to be mask, but my question is will it have performances issue doing encrypting on the server side as I did not save the encrypted string into my db.
Here's how I will do it.
Saving
Bcrypt user_id, blog_post and filename and save my file into storage
Retrieving
Get all the related identifier from the db, bcrypt them and use the value to go get the endpoint of the file.
Am I doing it right?
Imagine that I have a site where users' profile page has an address like below:
http://www.example.com/profile.php?p=123
Now I want to go to this profile and block (or another operation) this user when I click a button. I need to send the id of this user (123 in this case) to server with AJAX, and my question is, how can I send this id value to php server securely? (Currently I parse url parameters into a JSON object and pass them to server, but I don't know how secure this is.)
What you are probably looking for is RSA encryption. You generate a key for your server to use which has a public version and a private version. Your javascript will contain the public version which can be used to encrypt the data, and your php will use the private version to decrypt the data.
As a jumping off point, you can start here for javascript public/private key examples: http://shop-js.sourceforge.net/crypto2.htm
And here for the PHP side: http://www.webtatic.com/blog/2009/07/php-public-key-cryptography/
I am using Scala Play2 framework and trying to convert SVG String data to other file types such as PDF,PNG,JPEG and send it to Client as a file.
What I want to achieve is that
client send Data via Ajax(POST with really huge JSON)
server generates a file from the JSON
server returns the file to the client.
But It seems that It's hardly possible that sending a file and let clients save it as a static file, So I am planning to make new static files on clients request and returns its access url to client side and open it via Javascript. and after clients finish the downloading, delete the file in a server though,In this approach, I have to
def generateFile = {
...
...
outputStream.flush() // save the file to a disk
}
and
Ok.sendFile(new File("foo.pdf"))
I need to write and read file to a storage disk. and I do not think this is a efficient way.
Is there any better way to achieve what I want?
Thank you in advance.
Why do you think this is not efficient enough?
I've seen a similar approach in a project:
Images are converted and stored in an arbitrary tmp directory using a special naming scheme
A dedicated server resource streams images to the client
A system cronjob triggered every 5 minutes deletes images older than 5 minutes from the tmp directory
The difference was that the image data (in your case the SVG string) was not sent by the client but was stored in a database.
Maybe you could skip the step of writing images to disk if you're conversion library is able to generate images in memory.