How safe is AppGini? How can it be made safer?

Posted: 2013-05-29 19:09
by KSan
I was wondering... Out of the box we rely on MySQL security for the core database. We have the MySQL credentials embedded into the PHP code generated by AppGini. Then there is the AppGini security layer managing the front-end access to data.

Has anyone done a serious security audit in the total picture?

Any best practices in securing the directories, PHP files with certain user rights to reduce risk profile?

Is out of the box installation secure enough to stand the nasties of the net?

Lastly, if there was a reason to do this, are there any solutions utilizing encryption coupled with AppGini?

Thanks for your input.

Re: How safe is AppGini? How can it be made safer?

Posted: 2013-06-04 00:33
by a.gneady
One of the best things you could do to enhance security is using SSL (so that you access your AppGini application using "https" rather than "http") ... I plan to add optional captcha login and/or editing in future releases to prevent brute force attacks. Current AppGini-generated code already takes care of preventing common attacks like SQL injection, XSS, ... etc. If you'd like to encrypt the data stored in MySQL, you can use the before_insert and before_update hooks to encrypt incoming data, as well as the _init hook to decrypt displayed data.

Re: How safe is AppGini? How can it be made safer?

Posted: 2013-06-04 00:35
by KSan
Good ideas. I don't have an urgent need for an encrypted site but it would be nice if you could in future provide a simple one table sample app showing how this can be done. Thanks much!!!

Re: How safe is AppGini? How can it be made safer?

Posted: 2013-06-04 00:48
by a.gneady
Sure .. I'll try to post a tutorial article on that.

Re: How safe is AppGini? How can it be made safer?

Posted: 2013-10-13 15:21
by bambinou
Hi Ahmad,

I know you are very busy with the next release but I would like to know if you have managed to write something on your website about the data encryption and decryption in AppGini with MySQL.

Thank you,

Regards,

Ben

Re: How safe is AppGini? How can it be made safer?

Posted: 2013-10-14 00:57
by a.gneady
Sorry not yet .. I'm finalizing AppGini 5.20 currently and trying my best to release the beta this week .. once I finish I'll start posting some pending tutorials, including this one.

Re: How safe is AppGini? How can it be made safer?

Posted: 2013-10-23 02:13
by davea0511
I'm also very interested in the SSL example. I tried this one time before, a couple years ago, and it failed.

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-13 23:25
by AhmedBR
This encryption example is overdue Ahmad :lol: :lol: :lol:

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-14 22:48
by a.gneady
AhmedBR wrote: This encryption example is overdue Ahmad :lol: :lol: :lol:
Oops!! You're right ... time goes by so fast and I'm really surprised how I get dragged by all the tasks I have :/

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-18 14:02
by a.gneady
Ahmed ... you might wish to check this: https://www.mysql.com/products/enterprise/tde.html

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-18 14:32
by AhmedBR
Thanks, I have seen that, but the server we are using is Percona, so this link does not apply!

I am still reading what Percona has to offer about this.

My requirement for encryption is very simple just some customer details to be encrypted, no extra sensitive data.
Some AES_Encrypt 128 is good enough.

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-19 19:13
by AhmedBR
Finally I got a small beta working for this.

I used your code :D for modifying the field caption color to do the decryption of always-encrypted data in MySQL.
This way the MySQL database is ALWAYS encrypted at all times (including at rest).

I do not need to change the code anywhere else since I always use Numbers to do the filtering, grouping etc. never names.
(something like: where Client = 3, etc., and never use: where Client = 'AppGini Company')

Now, time for some tuning and finding the BUGs etc.

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-20 17:17
by AhmedBR
I am almost there, but stuck at this point:

Cannot show the decrypted field in Detail view, tried passing the value to {$data['Client']} but so far it does not work, any ideas?

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-20 23:10
by a.gneady
Hmm ... you can either directly decrypt it in the tablename_form() function in the generated tablename_dml.php file (where tablename is the name of the concerned table). Or, if you want to avoid directly editing files outside hooks, add JavaScript code in hooks/tablename-dv.js to update the field through an ajax request to a file that you should create in the hooks folder to decrypt the field.

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-21 00:01
by AhmedBR
Thanks for the reply, I will try to do one of them.
But I am still trying to understand why it is not showing anything in the field after update, I mean it should show the encrypted value, shouldn't it?

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-21 00:05
by AhmedBR
I am using the BLOB type, and the BLOB type without encryption is showing correctly, once encrypted nothing is shown in the field.
I think something is passing NULL to the field once it is saved or updated, and it is not the database or the decryption as it is working fine in Table View.

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-21 00:42
by AhmedBR
Give it a try (this is how it is happening):
Small table with just ID and Client Name

Encrypt after update Hook

sql("UPDATE Clients set EncName = AES_Encrypt(`EncName`, 'y~.7~oK.#,3HGr7q14$:')
               where `ID` = {$data['ID']}",$eo);
Once it is updated, the EncName is returned as NULL in details view.
Database is OK, and Table View is OK also (that is, the EncName is shown decrypted correctly!) :roll:
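
An added example (not AppGini's code and not anything posted in this thread) of the hook-based encryption a.gneady describes, done in PHP with openssl instead of MySQL's AES_ENCRYPT so the key never appears inside a query, and written so that saving a record a second time cannot encrypt the already-encrypted value again. The hook names and signatures follow AppGini's tablename_before_insert / tablename_before_update convention as I understand it; the Clients table, the EncName field and the CLIENTS_ENC_KEY_HEX variable are assumptions.

```php
<?php
// hooks/Clients.php style example (added here; not AppGini's or the thread's code).
// Assumed from AppGini's hook conventions: tablename_before_insert(&$data, $memberInfo, &$args)
// and tablename_before_update(&$data, $memberInfo, &$args), both returning TRUE to let
// the write proceed. Table "Clients" and field "EncName" are hypothetical.

const ENC_PREFIX = 'enc1:';   // marks a stored value that is already ciphertext

// The key comes from the environment, not from a literal inside the SQL or the
// generated PHP, so it does not end up in query logs or in a copy of the code base.
function clients_key() {
    $hex = getenv('CLIENTS_ENC_KEY_HEX');               // 64 hex chars = 256-bit key
    if ($hex === false || !preg_match('/^[0-9a-f]{64}$/i', $hex)) {
        throw new RuntimeException('CLIENTS_ENC_KEY_HEX is not set or malformed');
    }
    return hex2bin($hex);
}

// AES-256-GCM: a fresh random IV per value, plus an authentication tag so a tampered
// or foreign ciphertext decrypts to an empty string instead of to garbage.
function clients_encrypt($plain) {
    $plain = (string) $plain;
    if ($plain === '' || strpos($plain, ENC_PREFIX) === 0) return $plain; // idempotent
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', clients_key(), OPENSSL_RAW_DATA, $iv, $tag);
    return ENC_PREFIX . base64_encode($iv . $tag . $ct);   // text-safe for a TEXT column
}

function clients_decrypt($stored) {
    $stored = (string) $stored;
    if (strpos($stored, ENC_PREFIX) !== 0) return $stored;   // legacy plaintext row
    $raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
    if ($raw === false || strlen($raw) < 28) return '';
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', clients_key(),
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $plain === false ? '' : $plain;   // wrong key or modified ciphertext
}

// Encrypt on the way in. The prefix check makes encryption idempotent, so a record saved
// from the form with the ciphertext untouched is not encrypted a second time, which is
// what re-running AES_ENCRYPT over the stored column in an after_update hook would do.
function Clients_before_insert(&$data, $memberInfo, &$args) {
    $data['EncName'] = clients_encrypt($data['EncName']);
    return TRUE;
}

function Clients_before_update(&$data, $memberInfo, &$args) {
    $data['EncName'] = clients_encrypt($data['EncName']);
    return TRUE;
}
```

Random IVs mean equal names give different ciphertexts, so filtering and grouping must stay on the numeric ID, as AhmedBR already does, never on EncName. Decrypting for display is done by calling clients_decrypt() from the tablename_form() or ajax route a.gneady describes in this thread.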

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-21 04:19
by AhmedBR
Could be a bug in Appgini!
Check this out:
If I create another table and do a lookup (modifying the query to decrypt the EncName), it shows perfectly on the other table! hmmmm

Re: How safe is AppGini? How can it be made safer?

Posted: 2016-04-24 15:33
by primitive_man
When it comes to safety for AppGini Applications I've tried a few things and have now settled upon one that works well.

In my last application, a database for a large private Residential Care Home:
1st Approach: Usual Web App Security on a LAN server (mid-range power) - this didn't work too well - large amounts of data needing encryption/decryption mired the application down, and I also had problems with printing and alignment that just refused to be resolved. Because the app had a 'Front' to the web via the usual problem between the seat and the screen, the possibility of user interference & hack attempts increased.

2nd Approach: Kiosk - Compressed. I placed the entire app within the container for 'ExeOutputforPHP' - again, problems - this time numerous: the compressed/encrypted application was still over 23 MB in size, smaller PCs had memory problems, ExeOutputforPHP often failed to close down properly and there were occasions when 4/5 instances were still in memory, plus those printing problems still refused to FO.

3rd Approach: Kiosk - Uncompressed. I liked the Kiosk idea, it gave me a chance to not only place my Application within a 'secure area' but I could hide and encrypt the actual link information to the Online DB - additionally, I could protect my work using Serial Numbers and Unique Machine IDs... but waiting for the next version of ExeOutputforPHP is still an ongoing process - it's 2 years late already!
Someone suggested 'phpdesktop-chrome' - it doesn't allow me to compress the entire site into a single exe - however, I realised that I didn't need to do that!
In phpdesktop-chrome's www folder I place a single index.html page (created / encrypted and placed using an installer that creates and includes a serial number and Unique Machine ID plus the link to my now on-line Application) - this page also allows me to have a flashy intro to the app, the link goes to a link, which travels to another link which then starts the application. The application is never exposed to the world, but sits safely beyond anything but expert hacker interference and has no Web Front. The data is encrypted/decrypted and incremental backups are a breeze using a script I wrote for another App.
I'm really happy with it, as is my client, and the printing problems finally disappeared - thanks to the fact that the latest version of phpdesktop-chrome uses a fairly modern Chromium Embedded Framework (CEF) (v47.5; the current one as of today is v50.0.2661.87 m).

Hope this helps someone.

Yours,
primitive_man