I am developing an iPhone app that needs to use a Joomla-generated database located on my own server.
There are a lot of solutions, so for more security I decided to 'talk' with the database via PHP.
I have a PHP page like this:
www.mypage.com/iphonelogin.php ?username=USER1&password=XXX&option=login
The option can be: getuserinfo, login, reset password, etcetera.
The problem is that the password stored encrypted in the database. (MD5(password+Salt):Salt)
So, I am wondering how to do this the following ways:
Low security way: PHP gets a plain text password from the APP and the Full encrypted password from de DB. Then PHP uses the salt, encrypts the password and does the comparison, then return YES or NO to the APP.
Other way: PHP gets the password REVERSIBLE encrypted from the APP and decrypt it, then the same like above.
Nice security way (pretty slow): PHP get the Full encrypted password from the DB, then shows the Salt to the APP. The APP encrypt the password Joomla way and send a full encrypted password to PHP which do the comparison and returns YES or NO to the APP.
I need high security and fast connection, because every time the app needs something from the database, the login must be confirmed.
Please tell me what to use or some another way to do it.
You should be writing a session management feature set into your client <=> Joomla server setup.
This workflow would see the user only enter email and (plain) password once and then request the session token from the server.
This token could be then validated each time the client requires data from the server.
As you have noted, never expose the database directly to the client. That is just a bad idea for any setup. You should always keep an interface/API buffer between the client and server abstracting away potential security risks.