Connection (login) to broker via TCP with PHP

Discussion in 'Automated Trading' started by mlukac89, Oct 22, 2018.

  1. mlukac89

    Hi,

    I am creating a website in PHP that will store the user's account number, password and broker name (IP), which will be connected automatically to the MT4 software at the same moment the user saves the data in the database.

    The problem I have now is that a user can save invalid data that will cause an invalid connection to MT4, and I want to check it to be sure all is valid before connecting.

    Is there any way to connect to the broker with PHP or JS and check whether the credentials are correct (account number and password) before I store them in the database?

    Thanks in advance.
     
  2. Sig

    You can simulate a browser call with curl, but if that's news to you I'd humbly submit that your programming skills are not yet to the level needed to be collecting PII or working with financial transactions.
     
    nooby_mcnoob and Lee- like this.
  3. mlukac89

    Hello Sig, I am familiar with curl and other stuff in PHP; the problem is just that you cannot access the broker over HTTP.

    I opened one .srv file to get the broker domain and I got the IP from it, but the problem is that if you try to access that IP + port there is no page, so I guess it is using the UDP or TCP protocol to send requests, which is my other problem: I don't know in what format to send it, and there is no documentation or examples of how to do that.

    For example, I used Alpari-Demo, whose domain is "dc4.mt4demo.alpari.org" and IP "178.255.202.88", with port 443, which is used to communicate with all brokers.

    So I need to send something like 178.255.202.88:443/username+password and get a response back.
     
  4. Sig

    Did you use something like wireshark to see exactly what's getting passed?
     
  5. Lee-

    You don't see a webpage when accessing because it's not intended to be accessed by a browser. You're either going to need to use the API provided by your respective broker(s) or reverse engineer their authentication protocol. It shouldn't be too difficult. This should be protected via https, which means just using wireshark straight away won't be enough. You'll need to create a new root CA and add the root cert to your OS's root CA store, generate a cert for the domain in question, and then you'll be able to decrypt the traffic. It's just a couple extra steps and should be fine provided the software uses your OS's root CA store. If it doesn't, then you're going to have a bit more digging to do.
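
Added example, not part of any post in this thread: port 443 by itself does not guarantee TLS, so before setting up certificate-based decryption it helps to check what the first bytes of the captured TCP stream actually are. The PHP below classifies them; the function name `classifyFirstBytes` is hypothetical and every sample byte string is constructed for illustration, not taken from a real broker capture.

```php
<?php
// Classify the first bytes seen on a TCP connection (e.g. copied as hex from a
// packet capture) as TLS, plaintext HTTP, or some other binary protocol.
function classifyFirstBytes(string $bytes): string
{
    if (strlen($bytes) < 5) {
        return 'too short to classify';
    }
    // Plaintext HTTP begins with an ASCII request method or a status line.
    if (preg_match('/^(GET|POST|PUT|HEAD|OPTIONS|CONNECT) |^HTTP\/\d/', $bytes)) {
        return 'plaintext HTTP';
    }
    // TLS record header: content type (1), version (2), length (2, big-endian).
    $h = unpack('Ctype/Cmajor/Cminor/nlength', $bytes);
    $types = [
        20 => 'change_cipher_spec',
        21 => 'alert',
        22 => 'handshake',
        23 => 'application_data',
    ];
    $isTls = isset($types[$h['type']])
        && $h['major'] === 3 && $h['minor'] <= 4      // SSL 3.0 .. TLS 1.3 record versions
        && $h['length'] > 0 && $h['length'] <= 16384 + 2048; // maximum record size
    if (!$isTls) {
        return 'not TLS: unknown binary protocol';
    }
    if ($h['type'] === 22 && strlen($bytes) >= 6) {
        // First byte of the handshake body is the handshake message type.
        $hs = [1 => 'ClientHello', 2 => 'ServerHello'];
        $name = $hs[ord($bytes[5])] ?? 'other handshake message';
        return "TLS record ({$name})";
    }
    return 'TLS record (' . $types[$h['type']] . ')';
}

// Constructed sample inputs (not real captures).
$samples = [
    'tls'       => hex2bin('1603010200010001fc0303'), // record header + start of ClientHello
    'http'      => "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    'binary'    => hex2bin('0001a45f109c33e0'),       // arbitrary non-TLS bytes
    'truncated' => hex2bin('1603'),
];
foreach ($samples as $label => $bytes) {
    printf("%-10s %s\n", $label, classifyFirstBytes($bytes));
}
```

If the result is "not TLS", a locally trusted root CA will not help, because there is no certificate validation step to satisfy.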
     
  6. Overnight

    Are you out of your Vulcan mind?

    You are creating a website that stores that critical information to automatically connect to a trading platform which the user already has access to in legacy, using .php? Clearly you should rethink your online security, and what it is exactly you are trying to do.

    From where it sits now, you're a security leak waiting to happen.
     
  7. mlukac89

    Hello, security is handled already and all data is secured and encrypted, don't worry about that, and the software runs on the same server where the website is, so there is no problem with that. Believe me, I have been using and testing that for a year or more and there have been no problems since then.

    I have never used software like that. I tried, but I don't see any useful information that can help me with that.

    I saw on some forex websites that they have that solved: after you enter the data and press the save button, it hangs for a second and then tells you if the connection to the broker is made.
    About an API, I doubt it, because there are too many brokers to use them all, and it would be a lot of work to maintain them all, and not all of them have APIs.
    I don't know anything about reverse engineering; I guess I will need to do more research.
     
  8. Lee-

    I never used mt4, but I thought that was one of those systems where you log in to mt4 and then mt4 connects to the broker. If you need to connect to many different brokers, then you're going to have quite a lot of work ahead of you. Reverse engineering in this context means looking at the request and response data and trying to figure out how it works / what each field is used for. Often with modern http based systems, they use json with fields named such that it's easier to figure out. Orders of magnitude easier than dealing with proprietary binary protocols with no names/identifiers on them.

    Like I said, first step is being able to decrypt the traffic, which is going to require creating a root CA and adding it to your OS's store. At that point, you'll be able to decrypt the traffic and actually see the requests and responses. From there, you'll need to determine how it's working. You may see something obvious like a field named username and a field named password being sent and the server responding with something like an authorization token or possibly even something like http status codes indicating success/failure.
     
  9. Sig

    Again all due respect but if wireshark is beyond your ability then your perception of the security of your site is probably flawed. There's no way you can simulate a login without knowing exactly what information is exchanged and how in a normal login. You're essentially saying you are unable to use the tool that provides you that information, which means that this task is technically beyond your capability. Again, sorry to be blunt but having done a good bit of this we're talking 101 level knowledge base. I'm a somewhat self-taught programmer so I am sympathetic to diving in and learning as you go as a method. However I'm also very aware of my own limitations and would never! engage in a public project in the broker space without having built up to it to the point that I had a very firm grasp and several successful similar projects in production that had withstood the test of time and release in the wild.
     
    Lee- likes this.