+1

What can you teach me about APIs, POSTing, headers, and the like?

thillsman 7 years ago updated by John Heryer 7 years ago 1
Ok, so I'm diving into the awesomeness that is PHP and APIs and such, and I've recently built a app that (among other things), passes values to a php file which stores the values in a SQL database through GET parameters in a URL (like http://domain.com/adduserdata.php?name=[var:name]&email=[var:email] )

It's pretty slick. (I create a tiny invisible web tag and navigate to this URL, where the php script takes the parameters and inserts them into a SQL database.) However, I'm thinking of more and more uses for it and I'm starting to think about security. What are the implications here? I'm sure I shouldn't pass a raw password via URL parameter, but is passing an encoded password ok?

Also, is there a better way to do this? (Meaning, should I use a datasource tag instead of a hidden web tag?) Can I use something like the postFile attribute or a httpheader? Will modifying the httpmethod attribute help me? I don't have a particular use case in mind, I'm just asking to beef up my knowledge of this little corner of WIRE and open up some more doors.
Do not hard code any authentication credentials in the wire and make sure all requests go over SSL.

Technically if you are managing the remote service you can pass the user credentials anyway you want. You can put them as url parameters, http header parameters or the post body of the message. There are obviously best practices and different authentication models have their way of doing it.

Three auth models we commonly deal with (ordered by difficulty):
-basic auth
-session based authentication
-oauth