Secure PHP Dropbox uploading

[BrownZeus]

Hey Folks, 

 

I wanna create a client facing app in php where the user uploads a file and sends it to my dropbox.

I know the Dropbox API gives functionality to be able to do this, I just wanna know how to do it securely?

I don't want the app token to be visible to someone inspecting elements. I'm fairly new to PHP, if someone can privide steps NOT code, that'd be great! I'd like to learn on my own code-wise

 

TIA

[Sir Asvald]

PHP is a language for web development not for creating apps. You need something like C++, C#, etc. 

[jj9987]

Store secret tokens on server-side in a secure storage, if it is your account. You could encrypt it, but then you need a place to store the key.

Use secure connections everywhere (HTTPS).

Watch out for XSS/CSRF and other potential web vulnerabilities. There's many.

 

PHP is for server-side code though. Web frontend is done in HTML/CSS/JavaScript, often with help from different JS libraries/frameworks.

[Neftex]

php code isnt visible on the client side (unless you botch the server setup), only the html/text it generates

3 minutes ago, James Evens said:

why do you need dropbox? store them on your server and access them trough FTP.

thats a pretty bad advice there my man

[Neftex]

@James Evens

he would have to take care of the disk space on his server, buying and installing hdds...

ftp isnt considered safe quite a while now

[JohnDongus]

Php is one-sided so you shouldn't have to worry about sensitive information as long as your folder permissions are setup correctly. 

 

Here is a api for Dropbox and php

https://github.com/kunalvarma05/dropbox-php-sdk/wiki/Upload-and-Download-Files

 

I would personally do all of this in electron with nodejs. You could then compile it for different platforms from windows to Mac to Android ect. 

[Neftex]

3 minutes ago, James Evens said:

source? don't think that the encryption is broken.

ftp? what encryption dude

[Neftex]

3 minutes ago, James Evens said:

TLS

ftp isnt encrypted, ftps is

its still not what the OP would want anyway

[vorticalbox]

5 hours ago, jj9987 said:

You could encrypt it, but then you need a place to store the key.

This is what you use environment variables for.

[BrownZeus]

Thank you all for your different pieces of advice! 

Much appreciated over the vultures at Stackoverflow.

 

My apologies for misclassifying it, its a webpage/webapp not an app.

 

I wanna upload to dropbox because its secure storage I can access anywhere seamlessly through the dropbox desktop integrations. Also I have a terabyte of storage, i don't have to worry about any overhead.

 

Thank you again!

[jj9987]

16 hours ago, vorticalbox said:

This is what you use environment variables for.

Env variables are not persisted over reboots. From where is the key loaded to env variable? That all depends on how OP is going to host the application.

[reniat]

8 minutes ago, jj9987 said:

Env variables are not persisted over reboots

...are you sure we're talking about the same env variables? It would be VERY annoying if you had to add maven/java/python/etc. to the PATH env var every single time you rebooted the machine.

[vorticalbox]

52 minutes ago, jj9987 said:

Env variables are not persisted over reboots. From where is the key loaded to env variable? That all depends on how OP is going to host the application.

at work with use aws parameter and the aws credentials to load the envs for the app we are running.

 

45 minutes ago, reniat said:

...are you sure we're talking about the same env variables? It would be VERY annoying if you had to add maven/java/python/etc. to the PATH env var every single time you rebooted the machine.

depends, app level env like secrets, ports etc you probably don't want to set in the system path.

[reniat]

10 minutes ago, vorticalbox said:

depends, app level env like secrets, ports etc you probably don't want to set in the system path.

I know, I was just pointing out that if he's referring to OS level env variables, they very much persist through reboot.

[jj9987]

4 hours ago, reniat said:

...are you sure we're talking about the same env variables? It would be VERY annoying if you had to add maven/java/python/etc. to the PATH env var every single time you rebooted the machine.

 

3 hours ago, reniat said:

I know, I was just pointing out that if he's referring to OS level env variables, they very much persist through reboot.

Env variables are kept in the memory, you need to store them on the filesystem to get loaded there at all (be that automatically on boot or manually).