FrontlineSMS allows you to text message with large groups of people anywhere there is a mobile signal.

How to secure the script used for External Command > HTTP Request

Hi all

Hope you are having a great day!

I have setup the 'forwarding' of SMS to my site (lets say www.example.com) through External Command > HTTP Request, using FSMS 1.6.16.3

For this I have used a script (lets say my_script.php) which is currently available in my www/public_html folder.

So, the HTTP request (in FSMS) is currently using the following URL:

www.example.com/my_script.php?s_name=${sender_name}&s_number=${sender_number}&k_word=${keyword}&msg_content=${message_content}

Now, what I am noticing is that occasionally blank data is being entered in to my database, which probably means that someone is simply hitting the above URL in a browser.

So, my question is, how can I make my setup more secure so, that issue just mentioned does not happen?

Also, is there any way to add security when the URL is called by FSMS, which may become necessary if the SMS being 'forwarded' contains sensitive information?

As usual, any feedback is greatly appreciated.

Thanks in advance!

▶ Reply to This

Replies to This Discussion

Permalink Reply by Shahriar Khondokar on September 13, 2012 at 2:57am

Very kind of you Sila ... thank you!

▶ Reply

Permalink Reply by Geoffrey Muchai on September 13, 2012 at 3:43am

Hello Shahriar,

I would recommend that you add a security verification to the URL which receives and processes the requests send by frontlinesms. I would also recommend that you use HTTPS to enhance your security configuration instead of HTTP.

Regards,

Geoffrey

▶ Reply

Permalink Reply by Shahriar Khondokar on September 13, 2012 at 3:57am

Thanks for your Geoffrey.

I have a few followup queries:

1. By "security verification to the URL which receives and processes the requests", I assume you mean using the various PHP options such as checking the data type, validating that the data does not have any malicious code etc. in the PHP script (my_script.php in this example) - will you please confirm that this is what you mean?

2. Can I keep my_script.php outside the web root? If so, what should be the URL that I insert into External Command form in FSMS?

3. The command type for External Command in FSMS 1.6.16.3 is 'HTTP Request' - so, where can I use HTTPS?

I will be very grateful if you can provide some clarifications.

▶ Reply

Permalink Reply by Shahriar Khondokar on September 16, 2012 at 12:43pm

Hi guys

Hope you are fine.

Does anyone have a reply to my queries in the last post?

I realize that some of my questions are quite silly/novice but rest assured your reply will go a long way in enhancing my knowledge.

Eagerly waiting for your reply.

▶ Reply

Permalink Reply by Sitati Kituyi on September 17, 2012 at 4:00am

Hi Shahriar,

I have spoken to Geoffrey and hope I can clarify some of this.

1. Yes, we'd recommend you sanitise your inputs when submitted. At the most basic level, you could reject empty values to prevent your database from filling up with blank requests. However, the main thing we'd suggest is adding a 'secret' parameter to your PHP script, and only processing the request if the value of this matches the value you set. On the FrontlineSMS side, this parameter would just be an extra entry at the end of your url: "..&secret=my_secret"

2. I believe to do this you would have to do a PHP include to reference my_script.php in a public_script.php, with your url then being the link to public_script.php. This may be useful if you decide to implement the secret word mentioned above.

3. You should be able to set the URL to https:// and it would just work, if your webservice is configured to work with https.

I hope this helps, let me know if you have any further queries.

Sitati