Issue with confirm User ID to insert to database


Cao Nguyên Nguyễn Văn

Jul 27, 2010, 5:29:31 AM
to OpenSocial Client Libraries
I have written code using Google Friend Connect that:

1. If someone wants to register an account, they log in with GFC
2. get Person.Field.ID and check whether it exists in the database or not (by
ajax - php)
3a. IF TRUE create a session.
3b. IF NOT insert this ID (with name and some other things) into the database.
4. do something on the server side


But the issue is.....they can easily fake and insert this ID into my
database.
Maybe they can use cURL (in PHP) or some method in other
languages and send something to my database; after that, when I get
some info with this ID, maybe that is the info of someone else!

So is this dangerous!? How can I avoid this!? (Please no REST API, I
just like the JS API)

Robson Dantas

Jul 27, 2010, 8:36:09 AM
to opensocial-cl...@googlegroups.com
Hi!

Yes, it can be easily forged. The only thing which came to my mind, since you don't want to use rest/rpc, is writing an opensocial gadget and using signed requests.

Using this way, gadgets.io.makeRequest will be available inside the frame, so you are restricted to developing and rendering a gadget on your page. The GFC inline API doesn't give you access to gadgets.*

If you proceed using signed requests, container will sign the message for you using OAuth mechanisms. More information on Opensocial wiki page:


Regards,

Robson Dantas

2010/7/27 Cao Nguyên Nguyễn Văn <web...@gmail.com>



Jason (Google)

Jul 27, 2010, 12:44:09 PM
to opensocial-cl...@googlegroups.com
As Robson noted, you should be using signed requests to avoid this particular issue. Also note that this is a discussion forum for the various client libraries available for the REST and JSON-RPC protocols. Please ask your JS-based OpenSocial questions in the appropriate forum.

- Jason
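Both replies above point to signed requests as the fix, without showing what the server has to do with one. The following is an added example, not code from the thread or from the OpenSocial project: it models what the container does when a gadget calls gadgets.io.makeRequest with SIGNED authorization (append opensocial_viewer_id and OAuth 1.0 parameters, then sign the request), and the server-side check that must succeed before the viewer id is written to the database. It assumes a gadget registered with a shared consumer secret (HMAC-SHA1); Google's containers commonly signed with RSA-SHA1 and a published certificate instead, in which case only the signature comparison changes. The endpoint URL, consumer key, secret and ids are constructed placeholders. It is written in Python rather than the original poster's PHP so the whole exchange runs stand-alone.

```python
"""Server-side verification of an OpenSocial signed request (HMAC-SHA1).

The original design trusted an id posted by client-side JavaScript; anyone
can POST a different id.  With a signed request the container vouches for
opensocial_viewer_id, and the server recomputes the OAuth signature,
checks freshness and rejects replays before trusting it.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Assumption: the gadget was registered with this consumer key and secret
# (placeholders; a real deployment gets them from the container).
CONSUMER_KEY = "example-gadget-key"
CONSUMER_SECRET = "example-consumer-secret"


def percent_encode(value):
    """RFC 3986 encoding as OAuth 1.0 requires: only A-Za-z0-9-._~ stay raw."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """OAuth 1.0 signature base string (RFC 5849 section 3.4.1)."""
    parts = urllib.parse.urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path}"
    # Query-string parameters are signed too; oauth_signature itself is not.
    items = list(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    items += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in items)
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(param_string)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Base64 HMAC-SHA1 over the base string, keyed by secret&token_secret."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def container_sign(method, url, params, nonce, timestamp):
    """Constructed stand-in for the container: add OAuth params and sign."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_timestamp": str(timestamp),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, CONSUMER_SECRET)
    return signed


def verify_signed_request(method, url, params, now, seen_nonces, max_skew=300):
    """Return the viewer id the container vouches for, or None if untrusted.

    Checks, in order: known consumer key, supported signature method,
    timestamp within max_skew seconds, nonce not seen before, signature.
    The nonce is recorded only after the signature is valid.
    """
    if params.get("oauth_consumer_key") != CONSUMER_KEY:
        return None
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return None
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return None
    if abs(now - ts) > max_skew:
        return None
    nonce = params.get("oauth_nonce", "")
    if not nonce or (nonce, ts) in seen_nonces:
        return None
    expected = hmac_sha1_signature(method, url, params, CONSUMER_SECRET)
    presented = str(params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    seen_nonces.add((nonce, ts))
    return params.get("opensocial_viewer_id")


def demo():
    """Genuine, forged-id, unsigned, stale and replayed requests side by side."""
    url = "https://example.invalid/register.php"  # placeholder for the registration endpoint
    now = 1280208000  # constructed 'current' server time (seconds since epoch)
    seen = set()
    genuine = container_sign("POST", url, {"opensocial_viewer_id": "1122334455",
                                           "opensocial_app_id": "99"}, "nonce-1", now)
    forged = dict(genuine, opensocial_viewer_id="9999999999")  # id edited after signing
    unsigned = {"opensocial_viewer_id": "9999999999"}           # the original ajax design
    stale = container_sign("POST", url, {"opensocial_viewer_id": "1122334455"}, "nonce-2", now - 3600)
    return {
        "genuine": verify_signed_request("POST", url, genuine, now, seen),
        "forged": verify_signed_request("POST", url, forged, now, seen),
        "unsigned": verify_signed_request("POST", url, unsigned, now, seen),
        "stale": verify_signed_request("POST", url, stale, now, seen),
        "replay": verify_signed_request("POST", url, genuine, now, seen),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine request yields a viewer id; the edited id, the plain POST, the hour-old request and the replayed copy are all rejected, which is exactly the gap the original ajax design left open. With RSA-SHA1 the container would send xoauth_signature_publickey naming its certificate, and `hmac_sha1_signature` would be replaced by an RSA signature check over the same base string.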
