I am running a server which runs main website e.g. http://www.mywebsite.com and another server which holds all APIs lets say. http://api.mywebsite.com. Both of these are built using different technologies.
What I currently do is make a cURL calls to access data from APIs from api.mywebsite.com on www.mywebsite.com but its going very heavy on page response times on www.mywebsite.com.
So I am planning for an alternative a library or something which can help to make similar calls but with lesser resource consumption.
PS: I make GET/POST/PUT/DELETE requests to server so can't use something that only provides GET.
Why don't you access the data directly off the database?
Have you tried caching with MemCache or Redis?
Related
I'm making a game in Unity which makes use of a remote MySQL database, hosted on a web server. Although it's entirely possible to communicate with a database directly from Unity/C#, I'm also aware of how easy it is to reverse engineer the app in order to find any hard-coded authentication information (such as URLs, passwords, etc)... So, because the server is a web server and not a VPS, that means that all database connections and modifications would need to be done via server-side scripting.
But the client app would still need to make requests to the web server, where some PHP scripts would handle the requests and perform the appropriate actions. So using a url with a php query string still revisits the original hacking issue, and even using HTTP GET/POST requests can easily be packet-sniffed without any decompilation of the game.
So unless I'm missing something, does the most secure way to do this involve a mixture of direct HTTP GET/POST requests, where the data is somehow encrypted/obfuscated? Maybe via HTTPS instead of HTTP? Or is there an even better way to do this?
Expose a RESTful API over HTTPS
I use a JSON API to get data for a website. I am aware of various methods that I could make it secure, but my situation is different from common methods.
Because of cross domain issues, I had to create an API folder with various PHP files that do cURL requests to the REStful API. I then request these local PHP files through AJAX on my site. On the next release it should be JSONP to avoid this issue.
Many of these JSON requests contain sensitive information so the first thing I did was check for the HTTP Referrer so people don't just grab the URL when inspecting the JavaScript code and try to run it on their browser. This is obviously not safe nor should I rely on it.
Any data I may try to post to the request will be through JavaScript so something like an API key or token would be visible and would defeat the whole purpose.
Is there a way I can prevent these PHP files to be run outside the website or something? Basically make them inaccesible for visitors?
This does not have to do anything with REST. You have a server side REST client, in which you call the REST service with cURL and the browser cannot see anything of this process. Until you don't want to build your own REST service for this AJAX client this is just a regular webapplication (from the perspective of the browser and the AJAX client ofc.). As Lorenz said in the comment, you should use sessions as you would do normally. That's all. If you want to restrict access to certain pages, you can use an access control solution, e.g. role based access control is very common.
I've successfully managed to use POST to run a PHP script on my website, which allows the phone application to add a new entry to the database (MySQL), and delete an entry.
The next step is the one I have been struggling with for the last few hours now, and that is getting the information FROM the DB onto the phone!
I would like a method that initially just connects to the DB upon starting the activity and populating listview or something will all entries, and later down the line I plan on copying the information to a SQLite DB within the phone.
What is the easiest method I can look into for achieving this?
I can be resourceful but I just need to know what I'm looking for!
you have many options.
higher level abstraction over HTTP (REST/SOAP/etc) like already mentioned
HTTP as a proxy for plaintext/CSV data (without abstraction)
a direct JDBC connection from android device to the MySQL
database data export/import
I guess you're looking for option 3. That is syncing a remote database to local (SQlite on android) and then working with local data? In this case you just get a mysql-client jar (JDBC drivers) into your app and you can start. There're some restrictions though, like Sébastien Renauld already mentioned in the comment. Yet, those issues can be worked around, i.e. with custom configuration of MySQL or with option (2) which can be implemented in generic way (write once)
In general you need to create server API: choose some format to talk to between your web service and android application.
Then you'll always be need to request some data from server, that will be returned to you in format described above in a body of network response of some sort.
Next all you need is parse this data and populate to your adapters or whatever.
Note that networking operation might take quite some time depending on your connection, so you can't wait while it ends to show your UI - you need to do this in async manner, and give user a feedback that data is retrieving.
Nowadays json format passed in body of http post requests are quite popular. Take a look at this tutorial on how to parse json on android and this video about how to create json api in php.
Of course you can try to connect to remote MySQL server directly.. It really is more simple solution in some cases (you don't need to code server-side api), but might be not so accessible because standard MySQL ports aren't opened in all networks. Also your API server might hide some implementation details on how is data stored in reality, thus allowing you to migrate for example from MySQL to PostgreSQL without pain for android application.
Don't forget to secure your data from unauthorized access!
EDIT
It's 2017 and what would be the easiest option now is to use opensource project which will provide rest api for your database, for instance ArrestDB or postgrest
I personaly had to develop this following REST API Service (based on Laravel framework, which I call it lRapi) for an iOS and Android devices, and works great (the version in use for the apps, is much more complex).
https://github.com/w0rldart/lRapi
There are plenty Models and Controllers there that you may use to get started. Responses are JSON formatted, with proper headers.
I still have to add some more documentation to it, but there is some on the main example view, which you may access by just setting the virtual host and opening the root page in browser.
Laravel is a MVC PHP Framework, and it's really easy to get used to it.
This a good way to avoid to do most of the work, and just focus on implementing what else you need.
I have an application that retrieves some info and give them to user from a certain public website. However, i am not sure whether i should let my app immediately connect to the target website or it should get the info through my web server using a simple PHP script (JSON).
Actually I am using Jsoup to get the information and I tried both and they worked perfectly ( immediate and PHP) using Jsoup. However, I have not published my app yet due to the confusion aforementioned.
Use the web service. If your client has logic to parse the HTML, it can break when the web page changes. The web service can absorb this change and make corrections, but your client cannot. Not unless you release another version of your app, and that can be a pain.
I have already heard about the curl library, and that I get interest about...
and as i read that there are many uses for it, can you provide me with some
Are there any security problems with it?
one of the many useful features of curl is to interact with web pages, which means that you can send and receive http request and manipulate the data. which means you can login to web sites and actually send commands as if you where interacting from your web browser.
i found a very good web page titled 10 awesome things to do with curl. it's at http://www.catswhocode.com/blog/10-awesome-things-to-do-with-curl
One of it's big use cases is for automating activities such as getting content from another websites by the application. It can also be used to post data to another website and download files via FTP or HTTP. In other words it allows your application or script to act as a user accessing a website as they would do browsing manually.
There are no inherent security problems with it but it should be used appropriately, e.g. use https where required.
cURL Features
It's for spamming comment forms. ;)
cURL is great for working with APIs, especially when you need to POST data. I've heard that it's quicker to use file_get_contents() for basic GET requests (e.g. grabbing an RSS feed that doesn't require authentication), but I haven't tried myself.
If you're using it in a publicly distributed script, such as a WordPress plugin, be sure to check for it with function_exists('curl_open'), as some hosts don't install it...
In addition to the uses suggested in the other answers, I find it quite useful for testing web-service calls. Especially on *nix servers where I can't install other tools and want to test the connection to a 3rd party webservice (ensuring network connectivity / firewall rules etc.) in advance of installing the actual application that will be communicating with the web-services. That way if there are problems, the usual response of 'something must be wrong with your application' can be avoided and I can focus on diagnosing the network / other issues that are preventing the connection from being made.
It certainly can simplify simple programs you need to write that require higher level protocols for communication.
I do recall a contractor, however, attempting to use it with a high load Apache web server module and it was simply too heavy-weight for that particular application.