I create a Flex application that works with a browser using a database with the MySQL server that I can create, modify and delete data from a database.
The problem I encounter now is that I want to see my program with Adobe AIR (virtual machine). At the display that does not pose a problem. The problem is that air can not reach the database server is located in the MySQ. the error message displayed is as follows:
"Error : client.Error.MessageSend - Channel.connect.failed error NetConnection.Call.Failled : HTTP: Status 404:url:'http://xxx.swf/xxx/messagebroker/amf' - Send failed"
Thank you kindly explain to me why I obtain this error? and why do I get to work with the browser but not with AIR? and do work well with AIR application "Client - Server"?
I await your answers or comments with pleasure
It would be best to have some service on the server-side to serve as a facade to database operations. Thus:
you will work with a limited interface from your flex client
you won't need to store DB credentials on the client (this is security flaw - anyone can connect to your database and drop anything)
you won't need special firewall permissions (or mysql port configurations) for your clients - most servers don't allow external parties to connect to port 3306
You can use BlazeDS for that, or you can create your own solution, if the case is simple enough (I actually didn't like the way BlazeDS handles stuff when I had to make this choice a while ago)
The exception you are getting is actually in the AMF broker messaging rather than any of the other technologies. Check whether the URL shown in the message really returns 404.
If you are getting a 404 error then your BlazeDS servlet is not running. Make sure you didn't get any errors when you started Tomcat.
Related
I have an application (packaged software from a vendor) that runs on Oracle WebLogic.
There are few operations that, if I try them, I consistently get the following error page:
(WebLogic Bridge Message) Failure of Web Server bridge: No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.
The error occurs consistently almost exactly five minutes after I try the operation.
The page does not look like the typical error page you get when the application logic fails. It looks like something to do with the infrastructure (e.g., WebLogic configuration).
I am pursuing the issue with the software vendor, but that's not going well.
Has anyone seen this message and/or suggest an approach for diagnosing the root cause here?
Looks like you are using a Proxy Server between Browser and Weblogic Server. By seeing the error it's evident that proxy server unable to connect to back-end WLS server. You may have to enable proxy debugs to get more info.
I'm trying to solve the problem described by CWE-798, specifically how to allow my application to authenticate to a database securely. I would like to set a mysql password within mysqld and push that information out to a PHP application server. This entails communicating the new password from mysqld to PHP before a PHP instance attempts to connect to the mysqld.
(I did read through the suggested approaches on mitre.org and have some knowledge of privileged access management - however NONE of the recommendations actually solve the problem).
Unless this is initiated within the mysqld e.g. using its event scheduler, then I need to maintain some sort of script outside MySQL which will need credentials to connect - thus defeating the objective.
My problem is that I don't know how to get MySQL to initiate a client connection to the application to inject the new password; it does not appear to provide a standard function for invoking a URL nor for executing a program.
Is my only option to implement a UDF?
The vulnerability you're describing seems to primarily relate to applications that are in the hands of users that can freely inspect what they've been given, such as might be the case in a desktop application or a mobile app. If you have credentials in there you must take great pains to encrypt them, and then prevent that encryption from being cracked by protecting your key, but seeing as how all of this has to happen on the user's hardware you're fighting a battle you may never win.
This is how the DVD encryption was cracked, the private key for decrypting DVD data was stored in a desktop application and eventually uncovered.
Server-side code has different concerns. Here you want to avoid hard-coding credentials into your application not because you're concerned about hostile users per-se, though that can be an issue, but because you do not ever want your credentials to end up in a version control system.
One way to ensure this never happens is to have the credentials stored in a file external to your application, like a config file that the application can reference. Most frameworks have some kind of configuration file (.yml, .ini, .xml) that define how they connect to the database. This file should be stored on the server and only on the server, not on developer workstations, not in your version control, and especially not somewhere shared.
You can go down the road of using something like Zookeeper to manage your configuration files but the investment of time required makes this a futile exercise unless you're managing hundreds of servers.
So the short answer here is: Don't put your credentials in your code, or store it with your code. Put it in a config file that's kept on the server and the server alone.
I'm currently doing a iOS application for school to connect to school mysql database.
It should be able to connect to it through the tools on xamarin studio.
I tried a lot of different coding to connect the database, but was unable to do so.
Is there any tutorial or example code to let me learn on how to do it ?
Thanks for any help!
Do not connect directly to a database from a mobile app. Doing this requires exposing your database server directly to the web, which is a horrible security risk. The better approach is to use a web services layer to broker the interaction between your client and your server.
http://docs.xamarin.com/guides/cross-platform/application_fundamentals/web_services/
While people are right and the best way to connect to a database is to use a web service there are some times you want to connect directly and ways to make the connection more secure (ip restrictions on the mysql server).
Here is a plugin with code examples on how to do it:
https://components.xamarin.com/view/mysql-plugin
Be sure to pay attention to the first forum question on errors and how to resolve. You need to include a reference to system.data, I18N, I18N.West in your project and also make a call to the constructor for I18N somewhere in your code.
new I18N.West.CP1250();
I am using the vmc tool to upload my web application to cloudfoundry. I have pushed my web aplication and created service to bind with. But I am getting a problem in tunneling it. I want to connect my database stored in backup file in my system with my web application. Here is the image where I entered the commands:
I am having an error about path. I don't know how to resolve this. Please let me know how I should attach my databse with my web application.
What the error is saying is that you need to have MySQL client on your build path. Caldecott (the application which gets executed when you type vmc tunnel) uses your own client for either MySQL, Postgres or Redis. If you do not have MySQL client installed or if you do not have it defined in your PATH environment variable, you will get this error.
This is probably not it but there's a space in your password string in the screenshot provided.
Besides that it seems that this error may be generated if the "build path" used for connecting to the database is incorrect. Manually check if the tunnel to the database works fine with those credentials and/or check to see if VMC can access other databases.
Currently the major means of connecting Flash AS2/AS3 to a MySQL database are:
Flash > PHP > MySQL -- "secure code" in PHP Scripts
Flash Asql or Assql > MySQL -- "secure code" in MySQL Stored Procedures
The second approach is newer, but directly connects to a MySQL DB using binary sockets and ByteArrays.
In which case would the "secure code" be less accessible and therefore more secure?
I'm assuming stored procedures cannot be accessed via FTP so that might be harder to break into?
Stored procedures can only be accessed by someone with the correct database credentials so they will be secure assuming no one cracks your Data Base password. You know it might actually be that the PHP code is more secure as you can hold the Data Base password on the server instead of in the host app.
I suppose you can always decompile flash and try to locate the password in the host app because with asql the password will be stored in the host app, instead of on the server hidden behind PHP
I'm not sure asql would work for users behind the proxy, so I wouldn't use it for website. Approach with PHP in the middle seems to be better and you can (and should) model api for your application that is different from your DB structure.
It appears that both assql and binary sockets are synchronous links that use a socket connection to the database. Which might be great for an AIR application, but for a browser app might be highly problematical. Is this for sure what you want? Your question about access through stored procedures gives me the idea you aren't too sure about this stuff.
In fact, using PHP properly will likely be easier for building a solid abstraction and security indirection barrier between your app (and its host) and the database.
EDIT:
Web clients and servers use the http protocol to communicate. This is called a "stateless" and "connectionless" (which is only kinda true) protocol because the connection between the two only lasts as long as it takes for the client to request everything and the server to send back everything. The obvious benefit is that the server only knows about each client for a very brief period of time.
A socket (in the sense these two protocols use one) is a permanently established connection between the client and server that persists until one end or the other closes it (connection-based); and both sides know the state of the connection (open or closed). So they tie up a lot of host resources per client for a long time, and things get wacky when the connection breaks. Big difference, and it can't be run through the ports supporting web pages - another port needs to be provided (sometimes two) on the host and the client to support the socket.