One of my vendors is asking for a posting page where he can send some variables from his portal, which is in ASP.NET.
My website is in PHP. What posting page should I provide him, and how do I fetch whatever he is sending?
You may disable the CSRF validation (if you have any) to achieve this task.
However, the standard way is to create a web service to achieve this goal.
The best and easiest API to implement is RESTful.
Here is a reference to that:
How to create a simple REST API in PHP
Creating a simple REST API in PHP
It doesn't matter what language the vendor uses or what you use...
He needs you to specify the script URL that you allow him to use and where you expect a POST request from him to do what he needs.
If it's from his server side (for example, in PHP we use curl),
he needs to use the ASP.NET way to post the request...
maybe this will help him with how to do it:
How to make HTTP POST web request
If he is doing those requests from the client side (AJAX),
he can use jQuery http://api.jquery.com/jquery.ajax/
and on your side allow the "access control allow origin" in the PHP script;
see:
how to bypass Access-Control-Allow-Origin?
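A receiving page for the server-to-server case, as an added example that is not code from any of the posts above. It authenticates the vendor with an HMAC over the request body and keeps only the agreed variables; the `X-Vendor-Signature` header, the shared secret and the field names `order_id` and `status` are assumptions to be agreed with the vendor.

```php
<?php
// Added example: receiving page for a server-to-server POST from a vendor.
// VENDOR_SECRET and the X-Vendor-Signature header are assumptions agreed
// out of band; they do not come from the original posts.
const VENDOR_SECRET = 'replace-with-a-long-random-secret';

/**
 * Validate a vendor request and return [httpStatus, payload].
 */
function handle_vendor_post(string $method, string $rawBody, string $signature): array
{
    if ($method !== 'POST') {
        return [405, ['error' => 'POST only']];
    }
    // The vendor signs the exact bytes of the body with the shared secret.
    $expected = hash_hmac('sha256', $rawBody, VENDOR_SECRET);
    if (!hash_equals($expected, $signature)) {
        return [401, ['error' => 'bad signature']];
    }
    // application/x-www-form-urlencoded body -> array of variables.
    parse_str($rawBody, $vars);
    // Keep only the fields that were agreed on (hypothetical names).
    $allowed = ['order_id', 'status'];
    $clean = array_intersect_key($vars, array_flip($allowed));
    if (count($clean) !== count($allowed)) {
        return [422, ['error' => 'missing field']];
    }
    return [200, $clean];
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: the vendor's portal posts to this script's URL.
    [$status, $payload] = handle_vendor_post(
        $_SERVER['REQUEST_METHOD'] ?? '',
        file_get_contents('php://input'),
        $_SERVER['HTTP_X_VENDOR_SIGNATURE'] ?? ''
    );
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($payload);
} else {
    // Constructed sample request, for trying the function from the CLI.
    $body = 'order_id=1042&status=paid';
    $sig  = hash_hmac('sha256', $body, VENDOR_SECRET);
    var_dump(handle_vendor_post('POST', $body, $sig));       // valid signature
    var_dump(handle_vendor_post('POST', $body, 'tampered')); // altered signature
}
```

Because the check is per request and tied to a secret only the vendor holds, browser-oriented CSRF validation can stay enabled for the rest of the site.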
An HTML page has a submit button. On clicking the button, 4 APIs have to be called. All 4 APIs are linked to each other.
For instance, the first API is used to get the access token. And the token is passed in the second API to process the GET request.
I am new to REST APIs and not sure whether it's easy to call them via HTML or whether the better way is to use PHP.
You want to use, not to implement, an API.
You should decide first on which side (server or client) it should be implemented.
On the server side, you do requests on your own behalf. You are responsible for them. They are done from your IP address. But you can hide the API address from the client, and you can cache the response or control this process somehow. Use the PHP cURL extension for that.
On the client side, requests are performed by the end user, from his IP. Read How to enable cross-domain request on the server? to learn about requests to different domains. Search for AJAX. Probably, use some library like jQuery to write less code.
I have developed a website with my friend. For the front-end we are using AngularJS, and for the backend we're using Laravel.
Whenever data has to be fetched, an API call is made from front-end to PHP.
My concern is that this API call is clearly visible in the network panel. Then some bad guy can easily abuse this API. How can I avoid this?
In most cases exposing your API is not a bad thing, but you need to think about this:
1. You should design your API so that only legitimate operations can be made. For example: a person shouldn't be able to delete the whole database using the API.
2. You could provide some authentication mechanism if needed, so the person trying to call your API will have to be logged in (the authentication token should be stored in the session and verified server-side with every API call).
If you want to hide POST/GET params from the console, try to make a JSONP call in Angular. JSONP calls are not real AJAX requests and won't be shown in Firebug. You can also clear the console using clearconsole() after you receive the response, and you can also authenticate the requesting IP in your Laravel backend.
It's just like regular routing. For example: Everybody knows that they can access a user's profile on Facebook on the /:username route, but Facebook prevents unauthorized clients from viewing that data. The same concept is used for REST routes.
Just like regular page requests, AJAX calls and the data passed / received can be seen by the user. JSONP can be used to prevent the API requests from being logged by regular developer tools, but that is not a good security solution; your API can still be discerned by a malicious user.
Even if you encrypt the request payload and the response, it can be intercepted by a malicious user before encryption and after decryption.
You mentioned using proper authentication on your API, which is usually good enough for most cases.
I am currently building a Shopify app, and I have also built an API alongside it. I am wanting to somehow make sure only certain websites have access to the API. I was thinking of checking the origin or referer, but these can easily be faked in an HTTP request. I also thought of giving each website an access token of some sort, but then they could give this out to other websites to then use the API?
So my question is, what is the most secure way to check where the request has come from?
I am wanting to build an API-first RESTful application in PHP. I have never attempted to do this, so I have some questions about how to handle PUT and DELETE.
So, for example, if I have an API endpoint that updates a User profile, should I make it accept BOTH a POST and a PUT request?
If I was building a Client for my API as a Desktop app or iOS app, etc it would be easy to send a PUT request to my API but I plan to have a Web based app for my API as well.
So on my web based app, I would have an HTML Form to Update a User profile, this would then be sent as a POST as HTML Forms do not allow PUT requests.
Could someone with more experience with this explain the best way to handle my example scenario?
Would the proper way be to send my Form as a POST to my PHP script, then my PHP script would make a proper PUT request to my PHP API with cURL?
You can absolutely also do PUT requests from browsers, but you need JavaScript.
Generally I would say a good way to think about it is as follows:
First build a great REST API that follows all the rules. Only once you are at that point, think about the workarounds you need to make it work in other contexts. Submitting an HTML form is a valid thing to need a workaround for.
However, since 'POST' is completely open for interpretation and has few rules associated, one option would be to create a single resource (or URL) on your server that handles all the POST requests coming from browsers (something like /browserpost).
You could always add a hidden <input> field with name="url" that specifies which resource was actually intended to be updated, and an <input> with name="method" value="PUT" for the intention.
You will need to add CSRF protection anyway, so I feel this would be a solid way to deal with this. 1 endpoint to specifically 'proxy' HTML-based form submissions and internally do the appropriate mappings to the correct REST services.
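The /browserpost idea from the answer above, sketched as an added example that is not the answerer's code. It checks the CSRF token, then maps the hidden `method` and `url` fields onto an allow-listed verb and route; the `csrf` field name and the `/api/users/<id>` route pattern are assumptions.

```php
<?php
// Added example: resolves the hidden "method" and "url" fields of an HTML
// form posted to a single /browserpost endpoint. The "csrf" field name and
// the route pattern are assumptions, not part of the original answer.
const ALLOWED_METHODS = ['PUT', 'DELETE'];
const ROUTE_PATTERN   = '#^/api/users/\d+\z#';   // hypothetical REST routes

/**
 * Returns [method, path] for the real REST call, or throws on a bad form.
 */
function resolve_browser_post(array $post, string $sessionToken): array
{
    // 1. CSRF: the form must echo the token stored in the user's session.
    $sent = $post['csrf'] ?? '';
    if ($sessionToken === '' || !is_string($sent) || !hash_equals($sessionToken, $sent)) {
        throw new RuntimeException('CSRF token mismatch', 403);
    }
    $method = $post['method'] ?? '';
    $path   = $post['url'] ?? '';
    if (!is_string($method) || !is_string($path)) {
        throw new RuntimeException('malformed form', 400);
    }
    // 2. Only the verbs HTML forms cannot send may be tunnelled.
    $method = strtoupper($method);
    if (!in_array($method, ALLOWED_METHODS, true)) {
        throw new RuntimeException('method not allowed', 405);
    }
    // 3. The target must be one of our own routes: a path, never a full URL,
    //    so the endpoint cannot be pointed at other hosts.
    if (!preg_match(ROUTE_PATTERN, $path)) {
        throw new RuntimeException('unknown resource', 404);
    }
    return [$method, $path];
}

// Constructed sample: what a profile-update form would submit.
$token = bin2hex(random_bytes(16));              // normally kept in $_SESSION
$form  = ['csrf' => $token, 'method' => 'put', 'url' => '/api/users/1',
          'name' => 'Alice'];
[$method, $path] = resolve_browser_post($form, $token);
echo "$method $path\n";

try {
    // The same form pointed at an outside host is rejected.
    resolve_browser_post(['url' => 'http://other.example/x'] + $form, $token);
} catch (RuntimeException $e) {
    echo $e->getCode(), ' ', $e->getMessage(), "\n";
}
```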
I would use GET, POST, PUT and DELETE as they are described in HTTP. That's RESTful (in my opinion). As regular browser forms do not support this, I would send the data via AJAX.
If you really need to use browser forms, maybe because JavaScript is not enabled, then using POST requests with a param like ?method sounds like a suitable solution, although I don't like it.
I need a background process to be an API over a URL.
For example, the url http://www.msite.com/myapi.php will read incoming protocol and reply.
What is the best way to accomplish this scenario?
Should I just treat this as a regular web page?
What are the pros/cons for using a web page url as an API?
You should implement this as a REST service. Check this URL out.
You need to create a proper controller (in case you use an MVC approach) and implement proper methods corresponding to your API (HTTP request methods are a very important topic here).
Just to illustrate, I allowed myself to paste code from the URL I embedded here:
GET request to /api/users – List all users
GET request to /api/users/1 – List info for user with ID of 1
POST request to /api/users – Create a new user
PUT request to /api/users/1 – Update user with ID of 1
DELETE request to /api/users/1 – Delete user with ID of 1
Just to note, you can also use a different approach like XML-RPC or SOAP.