Sending info through API - php

I don't know the proper way to say this, so here is my issue.
I am dealing with an API that sends information to the server, from either web form or whatever in this format:
http://server/non_agent_api.php?source=test&user=6666&pass=1234....
with a bunch more parameters.
Normally, I have dealt with API's that just send it with SOAP or REST, not in a URL like that. My question is how do I send that information using php or something. So if I wanted to take in a username and password from a webform, how do I send that link to the server without clicking on the URL itself.
I hope that makes sense. Thanks for the help.

You can use curl for that like,
Read curl(), here you can find a class which can be easily used.

In PHP use
header("Location: TARGETURL");
Create the TARGETURL using the information sent from the form.
The Location Header makes the server to generate 302 Moved temporarily HTTP return code. The browser then sends the user to the TARGETURL transparently without any further interaction.

Related

Checking script caller

I wrote a API for a system. It is a PHP file, which is called with some parameters. It is called like this: "https://abcdefg.de/api/api.php?test=test". This script returns sensitive data when it is called. To make sure only the right api users get the information the parameters has to contain correct credentials.
To make the api more secure the idea was to check in addition who is calling the script. For example only the website "https://test.de" should be able to call the api script. But how to achieve this in PHP? How to check what is the url of the "caller"?
I already tried $_SERVER['HTTP_REFERER']; but I read that it can be easily manipulated and in our case it returns always null, because we use https instead of http.
Is there a solution to our problem?
Thanks in advance,
Filip.
HTTP_REFERER will not be working in real with API, it's related to the form submitted from another page or website, in case this is the situation this is called cross-site request forgery, the solution here is to create a token in every rendered form and send it with the submitted data, from the backend, you will validate this token (most of the time is saved in the sessions), you can check it

POST to page on website and only accept if data is from the same url?

I'm working on a simple contact form right now that will just post to a /contact endpoint and update a message via ajax if success or failure. I plan on having other forms such as account settings work in this sort of way too so I can avoid having to refresh the page. I'm new to working with ajax and creating my own api's so any help would be awesome.
Basically what I want to do right now is verify that the post request/body is being sent from my website and not an external source. I thought about just checking the url with PHP but I'm not sure if this can be spoofed. Any help would be great, thanks!
One method is to create a unique ID/GUID when the form is created, embed it in the form (hidden field, JS var), and also store it to $_SESSION. When your script is called via AJAX, pass this value in the AJAX call, and then compare it on the server side. That way, you not only know it came from your page, but from the same session.
To check this things security i would pass a hash generated on the client (with certain rules) and check if the hash is valid on the server php endpoint. You can use $_SERVER["HTTP_REFERER"] to check if the domain matches but that can be easily spoofed and sometimes it may actually not even be available. I hope i answered the question. This is what i understood you were asking.

How to detect if the call is made through jQuery

I use
$.post('ajax/test.php', function(data) {
$('.result').html(data);});
to send data and retrieve information and show it to the user. But "hackers" can access my file (test.php) just typing it in URL. Is it possible to detect if the call is made from jQuery or not?
Is it possible to detect if the call is made from jQuery or not?
Yes, but the same "hackers" can as easily fake a jQuery call. There is no reliable way to detect whether a call was made from jQuery, or using other means. Anybody can make a request to a resource.
If you have sensitive data on the web, you need to protect it using classical means like a user login, HTTP basic auth, or IP limitations - just like a normal web page.
Check the referrer on the server side. If not from your host, reject.

how I can give my credentials with get_contents? php

I have looked at some examples and they use Curl in php etc but I just want a simple command that passes my credentials to a site so it can login and give me access to download a file. Current problem is when I try to use get_contents I get stuck at login page because it needs a login before it can allow a download so isnt there a way to send my login info before get_contents in php? Thanks
for example we can assume the website is located at www.confluence.com
You're out of luck. file_get_contents() can only get content, hence the name. You can try to authenticate via the get syntax for standard authentication, like http://username:password#example.com.
If you have to post your credentials via HTTP POST, you'll have to use curl.
The problem is that when you log in the server send to your browser a cookies that your browser automatically stores.
With file_get_content() you can actually pass cookies ( the third context parameter of file_get_content() can handle this).
Have a look at stream context create.
By the way, you need to first send your login info to the login page (with curl), when you recive cookies back, pass them as option to file_get_content() and the trick is done.
If the server is using a login system different from cookies let us know, so we can help you

Can i make POST after a POST is submitted?

What I'm trying to do is:
I have a form. I submit that form. In the code of the target script I want to make some validations. In a certain case, I want to make a POST to another URL. I don't want to just make a redirect to an URL.
I don't know if this is possible, that's why I'm asking.
I'm working with PHP.
Thanks!
To the people who suggested cURL: Building a request like so will send the data on behalf of the server not the client. I don't think he wants that.
He wants POST forwarding and that, if it were to exist (and I don't think it does), should be implemented by the browser.
What I suggest is to use an AJAX call to make the validation before posting. And then depending on the response you choose the destination for posting (on the client side).
To summarize: You request a validation from the client. You do that validation on the server. You send back instructions to the client. You post according to the instructions received from the server.
I'm not sure if you understand this, but any details of requests made by the user(client) are known in full by him. You can't make him POST to an URL, have a password in that POST, and not have access to that password.
Note: If it's easier you can read JavaScript and PHP instead of client and server.
It is definitely possible. You could use the PHP cURL library to easily create a POST request. But this might be overkill for what you are trying to achieve. Is it a possibiity to do the validation in JavaScript and change the form action attribute with JavaScript after submitting?
In what case would you need to post it to another PHP file.
Couldn't you simply use IF statements to redirect the script to another script depending on the results of the validation?

Categories