I get always Server Response ok 200 even if I give the wrong password and files are not saved on server

1793 views java
0

I am uploading files to my server with a Java class in my Android APP. I am using a simple php Skript to check a password. If I give the wrong password, the file is not saved on the server and I should get 403, but I get OK 200 from the server.

Here is the Java Class

class httpUploadFile {
    private int serverResponseCode = 0;
     int uploadFile(String upLoadServerUri, String uploadFilePath, String uploadFileName,String pfad) {
            String sourceFileUri=uploadFilePath + "" + uploadFileName;
         HttpURLConnection conn;
            DataOutputStream dos;
            String lineEnd = "\r\n";
            String twoHyphens = "--";
            String boundary = "*****";
            int bytesRead, bytesAvailable, bufferSize;
            byte[] buffer;
            int maxBufferSize = 1024 * 1024;
            File sourceFile = new File(sourceFileUri);
         if (!sourceFile.isFile()) {
             Log.e("uploadFile", "Source File not exist :"
                     +uploadFilePath + "" + uploadFileName);
             return 0;
         }
            try {
                FileInputStream fileInputStream = new FileInputStream(sourceFile);
                String fulluri=getUrl(upLoadServerUri,pfad);
                URL url = new URL(fulluri);
                conn = (HttpURLConnection) url.openConnection();
                conn.setDoInput(true); // Allow Inputs
                conn.setDoOutput(true); // Allow Outputs
                conn.setUseCaches(false); // Don't use a Cached Copy
                conn.setRequestMethod("POST");
                conn.setRequestProperty("Connection", "Keep-Alive");
                conn.setRequestProperty("ENCTYPE", "multipart/form-data");
                conn.setRequestProperty("Content-Type", "multipart/form-data;boundary=" + boundary);
                conn.setRequestProperty("uploaded_file", sourceFileUri);
                dos = new DataOutputStream(conn.getOutputStream());
                dos.writeBytes(twoHyphens + boundary + lineEnd);
                dos.writeBytes("Content-Disposition: form-data; name=\"uploaded_file\";filename=\""
                                + sourceFileUri + "\"" + lineEnd);
                        dos.writeBytes(lineEnd);
                // create a buffer of  maximum size
                bytesAvailable = fileInputStream.available();
                bufferSize = Math.min(bytesAvailable, maxBufferSize);
                buffer = new byte[bufferSize];
                // read file and write it into form...
                bytesRead = fileInputStream.read(buffer, 0, bufferSize);
                while (bytesRead > 0) {
                    dos.write(buffer, 0, bufferSize);
                    bytesAvailable = fileInputStream.available();
                    bufferSize = Math.min(bytesAvailable, maxBufferSize);
                    bytesRead = fileInputStream.read(buffer, 0, bufferSize);
                }
                // send multipart form data necesssary after file data...
                dos.writeBytes(lineEnd);
                dos.writeBytes(twoHyphens + boundary + twoHyphens + lineEnd);
                // Responses from the server (code and message)
                serverResponseCode = conn.getResponseCode();
                String serverResponseMessage = conn.getResponseMessage();
                Log.i("uploadFile", "HTTP Response is : "
                        + serverResponseMessage + ": " + serverResponseCode);
                fileInputStream.close();
                dos.flush();
                dos.close();
            } catch (MalformedURLException ex) {

                ex.printStackTrace();

                  Log.e("Upload file to server", "error: " + ex.getMessage(), ex);
            } catch (Exception e) {

                e.printStackTrace();

                Log.e("Upload file Exception", "Exception : "
                        + e.getMessage(), e);
            }

            return serverResponseCode;
        }
    private String getUrl(String BASE_URL,String pfad) {
        String token = getToken();
        String key = getKey(token);
        return String.format("%s?token=%s&key=%s&pfad=%s&", BASE_URL, token, key,pfad);
    }

    private String getKey(String token) {
        return md5(String.format("%s+%s", "wrongpassword", token));
    }

    private String getToken() {
        return md5(UUID.randomUUID().toString());
    }

    private static String md5(String s) {
        MessageDigest m = null;
        try {
            m = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        assert m != null;
        m.update(s.getBytes(), 0, s.length());
        return new BigInteger(1, m.digest()).toString(16);
    }
    }

and here is the PHP

<?php
$shared_secret = "password";    
$key = $_GET['key'];    
$token = $_GET['token'];    
$pfad = $_GET['pfad'];    
if ($key != hash("md

answered question

1 Answer

6

HTTP 200 means transmission is OK on the HTTP level,that is to say, request was technically OK and server was able to respond properly.

200 doesn't judge whether your business logic is true or false, so even password is wrong, only if http communication between server and client is normal, 200 will be returned.

Generally we respond with HTTP 5xx if technical or unrecoverable problems happened on the server. Or HTTP 4xx if the incoming request had issues (e.g. wrong parameters)

Your backend server should do above judge.

posted this

Have an answer?

JD

Please login first before posting an answer.