Types of HTTP authentication and how to design a s

Published 2019-03-07 03:34

Question:

Some months ago I worked on an iOS (iPhone) application that allowed users to create some kinds of events and post them as XML/JSON files to a web server. Then, through their device, they were able to view events from different users, etc.

The idea for building the whole thing was pretty basic. When the application launched for the first time, it connected to a URL and asked for a user id (which is unique for every user). Then every time the user wanted to post something, we used HTTP Basic Authentication and sent the user's id as a header along with an XML file which contained all the information about the event created. I never worked on the server side, so I had no idea how secure the whole system was.

A few days ago I started working on an application of mine, which is the same idea, so I first started working on the server side (PHP). Before I started, I wanted to see how secure my previous project was, and I was shocked: there was no security of any kind. Just by using a simple web debugger (sniffer), I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was, and how the server answered.

So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that. In this case we used HTTP Basic Authentication.

My question now is: what kind of authentication shall I use, so that it is not visible what kind of files (XML) are exchanged between the server and the user, and how can I design the sign-up mechanism so someone can't create a million ids with a simple script?

I don't want to build a super secure application, but one that at least has some basic kind of security. As I am very new to PHP, could you give me some links to check on what security mechanisms I should use, or even better some tutorials? Also, if you developed something like this before, what kind of security did you use and what would you suggest?

Answer 1:

"Just by using a simple web debugger (sniffer), I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was, and how the server answered."

Use SSL to prevent man-in-the-middle attacks.

"So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that."

That's the nature of network communication. Use heuristics to limit the amount of unwanted data. Some examples:

  1. A single user_id can create at most one event per second.
  2. Let the client sign the request for a user_id and verify the signature on the server.

These are not sure-fire ways to prevent abuse, but there is no total security. The suggested methods will keep out most of the script kiddies, though.
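The two heuristics above, as an added example that is not part of the original answer and not the asker's PHP code: a client that signs each request with an HMAC over the user id, a timestamp, a per-request nonce and a hash of the body, and a server that verifies the signature, rejects stale or replayed requests, and accepts at most one event per user_id per second. Sign-up is signed with an app secret baked into the client (which only raises the bar, since it can be extracted from the binary), and each issued user gets its own secret. Everything here (header names, the `APP_SECRET` value, the `Server` class, the 300-second skew window) is a constructed assumption, shown in Python so the exchange is language-independent; the same logic ports directly to PHP with `hash_hmac` and `hash_equals`.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the example. The app secret is baked into the client and only raises
# the bar for sign-up flooding (it can be extracted from the binary); per-user secrets are
# issued at sign-up and stored server-side.
APP_SECRET = b"constructed-app-secret"
MAX_SKEW_SECONDS = 300        # reject requests whose timestamp is too far from server time
MIN_INTERVAL_SECONDS = 1.0    # at most one event per user_id per second


def canonical(subject, timestamp, nonce, body):
    """Bytes the signature covers: who, when, a per-request nonce and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{subject}\n{timestamp}\n{nonce}\n{body_hash}".encode()


def sign(subject, secret, body, timestamp=None, nonce=None):
    """Client side: build the headers that accompany a request body (assumed header names)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(secret, canonical(subject, timestamp, nonce, body), hashlib.sha256)
    return {"X-Subject": subject, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Server:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, so the behaviour can be tested
        self.user_secrets = {}         # user_id -> per-user secret (would live in the database)
        self.last_event_at = {}        # user_id -> time of last accepted event
        self.seen_nonces = set()       # (subject, nonce) pairs already accepted; in production,
                                       # expire entries older than MAX_SKEW_SECONDS

    def _verify(self, headers, body, secret):
        """Check timestamp window, HMAC and nonce; return None if valid, else (status, reason)."""
        subject = headers.get("X-Subject", "")
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return 400, "bad timestamp"
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return 401, "stale request"
        nonce = headers.get("X-Nonce", "")
        expected = hmac.new(secret, canonical(subject, ts, nonce, body), hashlib.sha256).hexdigest()
        # Constant-time comparison, so timing does not leak how much of the MAC matched.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return 401, "bad signature"
        if (subject, nonce) in self.seen_nonces:
            return 401, "replayed request"
        return None

    def handle_signup(self, headers, body):
        """POST /signup: the request is signed with the app secret; a user_id and secret are issued."""
        problem = self._verify(headers, body, APP_SECRET)
        if problem:
            return problem, None
        self.seen_nonces.add((headers.get("X-Subject", ""), headers.get("X-Nonce", "")))
        user_id = f"user-{secrets.token_hex(4)}"
        user_secret = secrets.token_bytes(32)
        self.user_secrets[user_id] = user_secret
        return (201, "user created"), (user_id, user_secret)

    def handle_event(self, headers, body):
        """POST /events: signed with the per-user secret and rate limited per user_id."""
        user_id = headers.get("X-Subject", "")
        secret = self.user_secrets.get(user_id)
        if secret is None:
            return 401, "unknown user"
        problem = self._verify(headers, body, secret)
        if problem:
            return problem
        now = self.now()
        last = self.last_event_at.get(user_id)
        if last is not None and now - last < MIN_INTERVAL_SECONDS:
            return 429, "too many events"      # nonce not consumed, so the client may retry later
        self.seen_nonces.add((user_id, headers.get("X-Nonce", "")))
        self.last_event_at[user_id] = now
        return 201, "event stored"
```

The signature covers the body hash, so a sniffer who captures a valid request cannot alter the XML and resend it; the nonce stops a verbatim replay; the timestamp window bounds how long the nonce set has to be kept. None of this hides the traffic itself, which is what the SSL/HTTPS advice addresses.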



Answer 2:

"What kind of authentication shall I use, so that it is not visible what kind of files (XML) are exchanged between the server and the user?"

The only 'real' answer to this is to install an SSL certificate, then use the HTTPS protocol.