arduino/ethernet shield/php/mysql and security

ElecEng

Hi, as a disclaimer: I have some experience in programming but it has been some time since I have applied it. I have no experience in web dev.

My goal is to read sensor values with an arduino and store them in a mysql database. So far the arduino is reading and printing to the serial port correctly. (note the serial port will not be used in the final product).

I believe there is a library for connecting an arduino directly to a mysql database over Ethernet or WiFi, but I don't think the arduino can handle this in parallel with the sensor reading and converting calculations.

Hence, from what I've read so far, it seems the best would be to set up a webserver running a php script (which the arduino will send data to in the form of a url) which will insert the data into the mysql database.

I will figure the code out to get a functional system, but I worry about the security of the system.

It seems this approach would allow anyone to inject data via the url.

I don't want a web page accessible at this stage. Is it possible to have a webpage running a script and not be accessible? (I envisage the final server being hosted by a 3rd party datacenter.)
Any other security related concerns? Right now the data is not sensitive, but I thought it would be a good project, with a steep learning curve for all elements involved.

Any advice or resources are welcomed.
 
Not sure about arduinos, but you can run php via command line, so there's no server involved. If you have to serve it, there isn't going to be much risk if the device isn't networked. If you have to network it and allow http requests, you can use some form of authentication (http or php auth), possibly on a non-standard port. If you're worried about SQL injection, there's various sanitization libraries, or you could just pull 10 lines of code off stackoverflow.
 
Not sure about arduinos, but you can run php via command line, so there's no server involved. If you have to serve it, there isn't going to be much risk if the device isn't networked. If you have to network it and allow http requests, you can use some form of authentication (http or php auth), possibly on a non-standard port. If you're worried about SQL injection, there's various sanitization libraries, or you could just pull 10 lines of code off stackoverflow.
Ok, the device would be installed at the client's premises and be connected to their network, communicating with a mysql database hosted in the cloud. Are you saying I could run php on the database server without a webserver?
I will have a look at stackoverflow.
 
Update for those that are interested. Seems I can't include a video of the serial port monitor from the mobile app, but the device is reading current and voltage and calculating active power, apparent power and calculating the power factor. I managed (with some trouble) to get the arduino to sync time every hour with an ntp server. Database is set up on a local go microserver and now I will try to interface between the arduino and database. Progress will be delayed due to business trips for the next 3 weeks.
 
This thread may be a bit old, but you said you'll be away for 3 weeks. So maybe you're still working on it.

I recently built an arduino logging solution, with the difference that it serves data (web server) as opposed to SQL database.
Regarding the core logging functionality, rather use one of these for retrieving the correct time. I also started out using NTP server sync, but it is risky for a primarily time-based logging feature.
 
Don't know if you've seen this Instructable, maybe it'll help: Link
 
Thanks dvdl, I am still working on it. Just didn't seem to be much interest here so I haven't been posting updates. Regarding the real time clock module, I'm not sure I see the advantage, it only needs to sync once and then uses the built in capabilities of the chip to keep time. Anyway, I'll read into it and possibly change it at a later stage. Currently I'm playing with ideas for securing the communication between the arduino and the server still. I've written a basic python socket server that handles each connection in a different thread. Now I'm just trying to figure out how to authenticate clients to the python server. Bit stumped really
 
You could also create a web service, RPC or REST, and push to the database that way. Don't know exactly how Arduinos work in that regard, but you would basically be doing curl requests.

Apigility has a nice bundle that does a lot of this stuff for you. Creating an API like this is also probably a better option if you plan on expanding to other sites.
 
... I'm not sure I see the advantage, it only needs to sync once and then uses the built in capabilities of the chip to keep time. Anyway, I'll read into it and possibly change it at a later stage. ...
I agree that it is maybe situation dependent (power failures, bad internet connection etc).

You could also create a web service, RPC or REST, and push to the database that way. Don't know exactly how Arduinos work in that regard, but you would basically be doing curl requests.

Apigility has a nice bundle that does a lot of this stuff for you. Creating an API like this is also probably a better option if you plan on expanding to other sites.

+1 for REST API calls and Apigility
 
hmmm. i'm definitely lacking on the fundamental principles required to get this off the ground. I did come across and read that tutorial but I didn't like the implementation of the communication (via php and html, GET/POST, etc.). Is it normal to use a webserver to achieve simple communication between a client and a database? My logic is that a standalone python server app is more efficient. I have lots more reading to do.

regarding the authentication of clients i found this:

1. Client connects to the server
2. Client sends the user name to the server
3. The server generates a random string and sends it to the client
4. The client generates a random string and sends it to the client
5. At this point, both the server and the client know both random strings and the password. Both the server and the client should set up a session key using these values. A listener person or in-the-middle attacker cannot calculate the same session key because it does not know anything about the password. Important: the generation of the session key should be FULLY dependent on both of the random strings and the password and should be non-invertible (e.g. use cryptographically secure hash functions).
6. Optional: After this point you have a session key on both sides, you can set up a cipher on both sides to have an encrypted connection
7. Both the server and the client should set up a new hash function H() that is dependent on the session key
8. The server sends another random string
9. The client calculates its hash value using H()
10. The client sends back the calculated hash value
11. The server checks if the hash value matches the one calculated locally. If not, terminate the connection. If there is a match then the authentication was successful.

source: http://bytes.com/topic/python/answers/31892-authentication-socket-communication

does it seem feasible?
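
The challenge-response steps listed above, as an added Python example that is not part of the original post or the linked source. HMAC-SHA256 stands in for the "cryptographically secure hash", the network exchange is modelled as direct method calls (the client's random string goes to the server, and the server's random string and challenge come back together), and the names `Server`, `client_login` and the sample credentials are assumptions.

```python
import hashlib
import hmac
import secrets

def _lp(*parts: bytes) -> bytes:
    """Length-prefix each field so concatenated inputs cannot be ambiguous."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def derive_session_key(password: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Step 5: the key depends on both random strings and the password, one-way."""
    return hmac.new(password, _lp(b"session", server_nonce, client_nonce), hashlib.sha256).digest()

def H(session_key: bytes, challenge: bytes) -> bytes:
    """Step 7: hash function H() keyed with the session key (HMAC-SHA256)."""
    return hmac.new(session_key, _lp(b"auth", challenge), hashlib.sha256).digest()

class Server:
    def __init__(self, passwords):
        self.passwords = passwords  # username -> shared secret (constructed sample data)

    def hello(self, username, client_nonce):
        """Steps 2-5 and 8: derive the key, return the server nonce and a challenge."""
        # Unknown users get a throwaway secret so they fail exactly like a wrong password.
        secret = self.passwords.get(username, secrets.token_bytes(32))
        server_nonce = secrets.token_bytes(16)
        self.key = derive_session_key(secret, server_nonce, client_nonce)
        self.challenge = secrets.token_bytes(16)
        return server_nonce, self.challenge

    def verify(self, response):
        """Step 11: constant-time comparison; each challenge is single-use."""
        expected = H(self.key, self.challenge)
        self.challenge = secrets.token_bytes(16)  # a replayed response no longer matches
        return hmac.compare_digest(expected, response)

def client_login(server, username, password):
    """Client side of steps 2-10; returns the server's verdict from step 11."""
    client_nonce = secrets.token_bytes(16)
    server_nonce, challenge = server.hello(username, client_nonce)
    key = derive_session_key(password, server_nonce, client_nonce)
    return server.verify(H(key, challenge))
```

Use a long random per-device secret rather than a human-chosen password, because anyone who records the random strings and the response can test password guesses offline. The exchange only proves the client knew the secret at login; later sensor readings are protected only if each message also carries a MAC under the session key.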
 
I missed this thread, but I played around with hosting a page on the arduino a while ago. I still need to complete that project but I got the POC going at least. In my case I am just generating a simple tabular report and posting it on request, but I also played a bit with creating a RESTful service and it worked quite well.
So in short I would also recommend going that route like the users above. There are also a few ways to handle security: a simple hard-coded pass key on the arduino, with a condition to only respond to requests containing that key, is a simple way to do it.
 
beachless, thanks. if you are just using a hard-coded security key how does one avoid a man-in-the-middle attack?
 
hmmm. i'm definitely lacking on the fundamental principles required to get this off the ground. I did come across and read that tutorial but I didn't like the implementation of the communication (via php and html, GET/POST, etc.). Is it normal to use a webserver to achieve simple communication between a client and a database? My logic is that a standalone python server app is more efficient. I have lots more reading to do.

regarding the authentication of clients i found this:



source: http://bytes.com/topic/python/answers/31892-authentication-socket-communication

does it seem feasible?


Not just simple communication, that's how AJAX etc. works. In your case you can make a request for data and return a JSON object containing information and then update your DB with it.
 
beachless, thanks. if you are just using a hard-coded security key how does one avoid a man-in-the-middle attack?

You can add some encryption/decryption to make it more difficult, but ultimately it still has some risk; the complexity depends on how sensitive your data is. The point is that on the arduino you will have to come up with your own solution; there are a few techniques on the web that are simple yet fairly effective.
 
Do you need to specifically use PHP? Rather have a look at nodeJS. From what I heard, it's more suited for Arduino Boards. You don't have to worry about installing a server, since node technically IS the server and is used for creating servers. Check this out: http://node-ardx.org/
You can also check this out if you are still using PHP: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
 
You can add some encryption/decryption to make it more difficult, but ultimately it still has some risk; the complexity depends on how sensitive your data is. The point is that on the arduino you will have to come up with your own solution; there are a few techniques on the web that are simple yet fairly effective.
Could you elaborate on these techniques? I have spent a lot of time researching this and haven't quite found something suitable yet.

You are correct, ssl is not supported, and to implement it would utilise all of the arduino's resources. This is why I'm looking at implementing a custom protocol myself. I just need to understand the algorithm better.

I have left the idea of php, or anything embedded in a webserver.
 
Could you elaborate on these techniques? I have spent a lot of time researching this and haven't quite found something suitable yet.

You are correct, ssl is not supported, and to implement it would utilise all of the arduino's resources. This is why I'm looking at implementing a custom protocol myself. I just need to understand the algorithm better.

I have left the idea of php, or anything embedded in a webserver.

I think you need to explain the requirements and architecture a bit better, as there may be easier solutions: on a local network you can limit access to your arduino shield IP and/or write a "wrapper" service that you can then expose to the www.

I don't think you should bother with ssl; rather send your data in a normal http request/response but encrypt the data. Some quick googling reveals that there are a few libraries that are already written, so your best bet is to use one of them; writing your own will require a lot of time and some serious math. AES should be plenty good enough and I see a few libraries out there, for instance:
http://forum.arduino.cc/index.php/topic,88890.0.html

You then need to get another library to use on your calling application as well, AES libraries should be pretty easy to find in most languages.
 