Prevent bot from accessing XMLRPC

[eluser]juworld[/eluser]
Hello,

I just started using CI and it works great. I used CI to create a XMLRPC server. This gives other applications access to my database.

However, I am just thinking that if someone show how got hold of the url, couldn't this person simply write a bot and fill up my database with junk data?

Any ideas how I can prevent this? Maybe I need some kind of hand shake algorithm to ensure the client is an authorized entity?

Thanks in advance,

Justin

[eluser]gtech[/eluser]
one way I have done it using a different technology is to use a private key.

you have a private key on the client and the server. On the client you could pass a md5 encypted (see encryption docs) string consisting of the username+password+timestamp this can then be decrypted at the other end, then the server can authenticate the user and check the password from your database. Then the server replies back with a MD5 encrypted sessionid+sequence+timestamp, the client decrypts and passes back sessionid+sequence+timestamp.

The timestamp and sequence numbers can be used to make the thing more secure. If the MD5 string is the same for each xmlrpc request/reply a packet sniffer could easily find it and make calls to your server. The sequence number is used as an extra level of protection, as if the sequence goes out of sync you can assume an unauthenticated client is trying to make calls. The sequence is incremented each time on the client side, and the server waits for the correct sequence number before it replies.

[edit after response] MD5 and SHA1 are one way so you need to use another encryption algorithm to use this method.

[eluser]juworld[/eluser]
Hey gtech,

Thanks for the reply. I think you meant the encryption class that comes with CI (http://ellislab.com/codeigniter/user-gui...ption.html)? I read through this doc and I believe the encrypted string that can be decrypted is CI's encryption algorithm rather than md5. Correct me if I am wrong, I believe md5 can't be decrypted?

But, I really like your concept though. I believe I can use the same concept on a different encryption algorithm if md5 doesn't let you decrypt.

[eluser]gtech[/eluser]
yes I did mean the one that comes with CI.

sure I think your right. MD5 is one way..

hooowwwwever if you want you can use 1 way encrytion... take off the timestamp, and then when the encryted public key comes into the server, you can do a check on the server side that md5(sessionid+sequence) = the encrypted key passed in from the client.

you may have to use the timestamp to create the key for the initial login request, to ensure the encrypted key is not the same for every logon. Pass the timestamp and username in plaintext in the xml request so the server can check MD5(timestamp+username+password) = the key passed in from the client (password can be retrived form the database).. The server can check how old the timestamp is to ensure its not a fake request (may need a bit of thought but it could time out after 30 seconds)

[eluser]juworld[/eluser]
Cool man,

Thanks, I'll give it a shot!

[eluser]gtech[/eluser]
excellent! let me know how you get on