PHP API Protection? - php

I have a simple PHP API. I just used cURL for the client and $_POST to accept the requests at the server side. Something like:
Client:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/api-server");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('q' => 'world!'));
curl_setopt($ch, CURLOPT_HEADER, 0);          // leave response headers out of the returned body
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
$response = curl_exec($ch);
curl_close($ch);
echo json_decode($response);                  // the server returns a JSON string, so this prints it
?>
Server:
<?php
// $_POST['q'] is absent when the client did not send that field
echo json_encode("hello, ".($_POST["q"] ?? ""));
?>
My questions here are:
Am I even still following the standard API logic anyway?
How do I "PROTECT" access to this API server?

Okay, I found it here for what I asked above:
http://php.net/manual/en/features.http-auth.php
It simply used, for the API page:
// PHP_AUTH_USER / PHP_AUTH_PW are only set when the client sent an
// Authorization: Basic header, so test for them first. hash_equals()
// compares in constant time and avoids PHP's loose == comparison.
if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    && hash_equals($MY_API_USER, $_SERVER['PHP_AUTH_USER'])
    && hash_equals($MY_API_PW, $_SERVER['PHP_AUTH_PW'])) {
..
..
} else {
header('WWW-Authenticate: Basic realm="Sorry, this API is protected. You may need a valid authentication."');
header('HTTP/1.0 401 Unauthorized');
exit;
}
At the caller/requester end, add these two lines to the cURL calls:
..
curl_setopt($ch, CURLOPT_USERPWD, $MY_API_USER.":".$MY_API_PW);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
..
That's simply all, for me.
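A hardened version of that gate, added here as an example and not code from the original answer. It assumes the credentials come from two environment variables, API_USER and API_PASS (names chosen for the example), and that the endpoint is served only over HTTPS: Basic auth merely base64-encodes the user and password, so the plain http:// URL in the question would expose them to anyone on the path. The pure check function is exercised from the command line with constructed $_SERVER arrays so it can be run without a web server.

```php
<?php
// Added example, not from the original post. Assumptions: credentials in
// the environment variables API_USER / API_PASS; endpoint reachable only
// over HTTPS.
declare(strict_types=1);

// Pure check so it can be tested without a web server.
function basic_auth_ok(array $server, string $expectedUser, string $expectedPass): bool
{
    // Only present when the client sent an Authorization: Basic header
    // (under FastCGI/nginx the header may need to be forwarded explicitly).
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    // hash_equals() runs in constant time and avoids PHP's loose ==
    // comparison, where "0e123" == "0e456" is true for numeric strings.
    $userOk = hash_equals($expectedUser, (string) $server['PHP_AUTH_USER']);
    $passOk = hash_equals($expectedPass, (string) $server['PHP_AUTH_PW']);
    // Evaluate both so the response time does not reveal which one failed.
    return $userOk && $passOk;
}

function is_https(array $server): bool
{
    // Behind a TLS-terminating proxy neither of these is set; in that case
    // trust the proxy's forwarded-proto header only if the proxy itself is trusted.
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

function require_basic_auth(array $server): void
{
    $expectedUser = getenv('API_USER') ?: '';
    $expectedPass = getenv('API_PASS') ?: '';
    if ($expectedUser === '' || $expectedPass === '') {
        // Fail closed when the server is misconfigured.
        http_response_code(500);
        exit('API credentials not configured');
    }
    if (!is_https($server)) {
        // Refuse to accept base64-encoded credentials over plain HTTP.
        http_response_code(403);
        exit('HTTPS required');
    }
    if (!basic_auth_ok($server, $expectedUser, $expectedPass)) {
        header('WWW-Authenticate: Basic realm="API"');
        http_response_code(401);
        exit('Unauthorized');
    }
}

if (PHP_SAPI !== 'cli') {
    require_basic_auth($_SERVER);
    header('Content-Type: application/json');
    echo json_encode(['message' => 'hello, ' . ($_POST['q'] ?? '')]);
} else {
    // Offline self-check with constructed $_SERVER arrays.
    $good = ['HTTPS' => 'on', 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 's3cret'];
    $bad  = ['HTTPS' => 'on', 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'wrong'];
    $none = ['HTTPS' => 'on'];
    var_dump(basic_auth_ok($good, 'alice', 's3cret'));
    var_dump(basic_auth_ok($bad, 'alice', 's3cret'));
    var_dump(basic_auth_ok($none, 'alice', 's3cret'));
}
```

On the client side the matching change is to point CURLOPT_URL at an https:// address and leave CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST at their defaults; CURLOPT_USERPWD and CURLAUTH_BASIC stay exactly as in the answer above.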

Don't try to write an API engine; these are industry standard. Look at SOAP or REST.
Here are some of the libraries out there that will do all the heavy lifting:
Soap server http://framework.zend.com/manual/2.0/en/modules/zend.soap.server.html
Soap client http://framework.zend.com/manual/2.0/en/modules/zend.soap.client.html
Rest server
Rest client
Then to protect these you could use basic HTTP protection, through to OAuth etc.

While there are well-defined communication protocols such as HTTP, and transport formats such as JSON, the actual implementation of an API architecture is left to the developer.
Many existing tools, from complete frameworks to modular components, exist to assist in the construction of an API layer, but at the end of the day you need to build something that works.
If you need a server, focus on the server, and focus on an implementation that adheres to standards when available, and best practices otherwise; including facets such as resource architecture, authentication, and so forth.
Right now, you're spewing out some query parameter concatenated JSON. I doubt that's the intended final result, unless you're after an echo server.
Model your API after a service, or domain model; expose methods and properties as resources of your API layer.
Addendum: Oh, and as for "protection"; the already mentioned techniques of HTTP Basic or OAuth are good candidates, but as is the core of my answer: it depends on what you need.

Related

PHP curl-setopt POST vs GET

I am currently working with php-curls and I had a question on an example I was looking at, the code is below.
$url = "https://my.test.api";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'Content-Length: 0' ));
$result = curl_exec($ch);
The question I had is, on the line curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");, what would be a benefit here of using POST vs GET, if that is a thing. I understand the difference between the two just not the case of using it in this situation.
Coming from the PHP-manual (http://php.net/manual/en/function.curl-setopt.php)
A custom request method to use instead of "GET" or "HEAD" when doing a HTTP request. This is useful for doing "DELETE" or other, more obscure HTTP requests. Valid values are things like "GET", "POST", "CONNECT" and so on; i.e. Do not enter a whole HTTP request line here. For instance, entering "GET /index.html HTTP/1.0\r\n\r\n" would be incorrect.
Which does not really make much sense to me.
If you are working with a REST api, a truly RESTful service will use HTTP semantics for what it is doing. You GET data that already exists. You POST new data. You PUT changes to data. You DELETE data.
Now, as far as actually working with an API, you can indeed use cURL for all 4 methods. However, it is often much easier, simple, and less code to use file_get_contents() for GET requests, IF your PHP install allows HTTP(s) URIs for the various fopen and related functions.

PHP to Nodejs conversion for Pipedrive Deals

I am getting back into programming after being gone for 20 years. A lot has changed! lol...
I have a NodeJS server setup on Heroku for my mobile app. I am trying to add an event on my server that will add new user info to Pipedrive.com using their API.
They have only written their API examples in PHP. So I'm trying to translate PHP to Javascript, while also learning NodeJS, PHP, and understanding Pipedrive's API all at the same time.
They pointed me to Tonicdev which has been epically useful in getting my javascript syntax down. Since that uses live Pipedrive data when I add my token, I can do all my testing there too, before trying to upload and test on my actual Nodejs server. So that's handy!
But I'm still trying to get a grip on what's happening in their API code. This is my first time to implement an API by myself.
Here is the page I am trying to translate:
http://support.pipedrive.com/hc/en-us/articles/206679239-Creating-a-deal-using-the-REST-API-and-PHP-full-working-example-code-
I don't need the organization. Just the person and the deal.
In my create_person function, I found this php:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $person);
$output = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);
My questions are:
What is curl_init and curl_setopt?
Do I need them in my Nodejs script file for this?
If not, what javascript do I use in their place?
Thanks for your patience. Learning a ton here!!!
curl is a PHP library that handles making requests.
In this case curl_init() is initialising a new request and curl_setopt is setting certain options.
You'll want to replace curl with an equivalent library for NodeJS. The request module is pretty good for this, although there's plenty of other options too.

how to delete member from chat room xmpp server via php

I am trying to delete a member of a chat room from an XMPP server via PHP. I am using a cURL request for that.
I am following this documentation:
https://www.igniterealtime.org/projects/openfire/plugins/restapi/readme.html#delete-a-user-from-a-chat-room
$url = "http://188.***.***.***/plugins/restapi/v1/chatrooms/".$roomName."/members/".$userJID;
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_HEADER, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, array("Content-type: application/xml", "Authorization : ******")); //I am using plugin.userservice.secret key here
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "DELETE");
$json_response = curl_exec($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
It should return HTTP response 201, but I am getting the server's login form in the response, or 401 (unauthorized user).
I have been trying to do this for the last week but have not found a solution yet; please help me.
Thanks in advance for your kind support.
Please note that this question is very specific: it relates to a specific XMPP server implementation (Openfire) and makes use of a proprietary, non-standard interface (its REST plugin). The fact that you're making use of an Android environment, PHP and/or cURL is irrelevant.
When you receive 401 responses, there is a problem with authentication.
As Roman points out in a comment below, you're using the wrong documentation. Use this instead!
Two other observations that Roman made (out-of-band):
There's a surplus space character in "Authorization :". It needs to be "Authorization:".
The property that you should use is plugin.restapi.secret, not plugin.userservice.secret.
Since this question is already well answered, I would like to add an answer for the Android-specific context so other users coming to this question can find an alternative way.
There is a library, RestApiClient, for Android here. You can integrate it directly as an Android module. Here is an app already using it. You can also have a look at this client library written in PHP.
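The two cURL pitfalls on this page, setting CURLOPT_POST together with CURLOPT_CUSTOMREQUEST "DELETE" (from the POST vs GET answer above) and a malformed "Authorization :" header (from this question), are both avoided by a small wrapper that maps the REST verb onto the right options and builds headers from an associative array. This is an added example, not code from either post or from the Openfire REST plugin; the host xmpp.example.net, the environment variable RESTAPI_SECRET and the $roomName / $userJID values are placeholders. It also enforces https:// with certificate verification, because the plugin secret is sent as a plain header value.

```php
<?php
// Added example, not from the original posts. Placeholders: the host
// xmpp.example.net, the environment variable RESTAPI_SECRET, $roomName, $userJID.
declare(strict_types=1);

// Turn ['Authorization' => 'abc'] into ['Authorization: abc'], rejecting
// names with whitespace (the "Authorization :" bug) and values carrying
// CR/LF (which would inject extra headers into the request).
function build_headers(array $headers): array
{
    $out = [];
    foreach ($headers as $name => $value) {
        $name  = trim((string) $name);
        $value = trim((string) $value);
        if ($name === '' || preg_match('/[\s:]/', $name) || preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("invalid header: $name");
        }
        $out[] = "$name: $value";
    }
    return $out;
}

// Express a REST verb as cURL options.
function method_options(string $method, ?string $body): array
{
    $method = strtoupper($method);
    switch ($method) {
        case 'GET':
            return [CURLOPT_HTTPGET => true];          // plain GET, no body
        case 'POST':
            return [CURLOPT_POST => true, CURLOPT_POSTFIELDS => $body ?? ''];
        case 'PUT':
        case 'PATCH':
        case 'DELETE':
            // CUSTOMREQUEST alone sets the verb; do not add CURLOPT_POST.
            $opts = [CURLOPT_CUSTOMREQUEST => $method];
            if ($body !== null) {
                $opts[CURLOPT_POSTFIELDS] = $body;
            }
            return $opts;
        default:
            throw new InvalidArgumentException("unsupported method $method");
    }
}

function rest_request(string $method, string $url, array $headers = [], ?string $body = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, method_options($method, $body) + [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HTTPHEADER      => build_headers($headers),
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,   // refuse http:// ...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,   // ... including via redirects
        CURLOPT_SSL_VERIFYPEER  => true,              // cURL's defaults, stated explicitly
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_TIMEOUT         => 15,
    ]);
    $responseBody = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($responseBody === false) {
        throw new RuntimeException("request failed: $error");
    }
    return ['status' => $status, 'body' => $responseBody];
}

// Shaped like the Openfire REST plugin call in the question (placeholders):
// $r = rest_request('DELETE',
//     'https://xmpp.example.net/plugins/restapi/v1/chatrooms/' . rawurlencode($roomName)
//         . '/members/' . rawurlencode($userJID),
//     ['Authorization' => getenv('RESTAPI_SECRET'), 'Content-Type' => 'application/xml']);
// if ($r['status'] !== 201) { /* inspect $r['body'] */ }

// Offline check of the pure parts:
print_r(build_headers(['Authorization' => ' secret ', 'Content-Type' => 'application/xml']));
print_r(method_options('DELETE', null));
```

Against the plain http:// Openfire host in the question the wrapper refuses to connect; that is intended, since the shared secret would otherwise cross the network in the clear, so terminate TLS in front of Openfire (or relax CURLOPT_PROTOCOLS knowingly). For simple GETs the file_get_contents() route from the earlier answer still works, but the wrapper returns the status code and cURL error, which is what you need when debugging a 401.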

Using the AuthSub token to make requests for private data

I'm experimenting with some basic AuthSub authorization to test out the Google Data API (I'm interested in using the Picasa API). I'm having trouble getting my head around the steps involved in going from requesting the authorization token, to getting the URL with the token, to actually making requests to the server using the token.
Can someone please give me an idea of how I would take the token and then make a request to the server using PHP? Will there have to be Javascript involved?
Also, on a super basic level, when the Google example spells out the following, what language is it, and where would it actually appear like this in code?
GET https://www.google.com/accounts/accounts/AuthSubSessionToken
Authorization: AuthSub token="yourAuthToken"
Thanks for the help, and I'm happy to clarify since I understand these are broad questions.
GET https://www.google.com/accounts/accounts/AuthSubSessionToken
Authorization: AuthSub token="yourAuthToken"
This is the HTTP request that you should be making, and the example above means that you should include the Authorization field in the headers of an HTTP GET request that you will be making, independent of the language.
You can use PHP's cURL to make this request:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.google.com/accounts/accounts/AuthSubSessionToken");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); # return output as string instead of printing it out
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: AuthSub token="yourAuthToken"'));
$response = curl_exec($ch);
curl_close($ch);
Where is the code that you are using so far?

Integration of escrow web services in a PHP site

I want to integrate the services of escrow.com in my PHP site.
How would you get started with this goal, and what APIs provided would be the basic functionality? Do you have any PHP specific advice or gotchas? Would you recommend another service provider?
I'm working on an API project with this Company at the moment. I know looking at the documentation it all looks a little daunting, however, you can get away with making it as simple as a small cURL request.
I'd suggest starting with the "New escrow transaction" example provided, and build your request using the provided XML they offer, amended with your details.
Assign the XML to a variable, and pass it through a curl request similar to the below;
// Initialise your cURL object
$ch = curl_init('https://xml.Escrow.com/Invoke/Partners/ProcessrequestXML.asp');
// set your cURL options
// Keep certificate verification on (these are cURL's defaults). Setting
// CURLOPT_SSL_VERIFYPEER/VERIFYHOST to false would let anyone on the path
// read or alter the transaction data.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "\$xmldata=".urlencode($xml));
// return the response as a string instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// execute your cURL object with your parameters
$data = curl_exec($ch);
// set the returned info to a variable
$info = curl_getinfo($ch);
// close the transaction
curl_close($ch);
// optional; redirect to a specific place ($url must be set beforehand)
header("Location: ".$url);
The only advice I can offer is to read through the documentation carefully, and always check the values you are passing in.
Where possible, it is also a good idea to segregate the API functions into their own class; this will make maintenance and troubleshooting, as well as testing the functionality, that much easier.
This is the first time I have heard about escrow, but a quick scan of the site gives me:
this contact form to get more info:
https://escrow.com/contact/sales.asp
A FAQ:
https://www.escrow.com/support/faq/index.asp?sid=8
www.Transpact.com offers a similar but lower cost service.
It is also UK Government (FSA and HMRC) registered.
It offers a simple SOAP API for easy integration into your website.
