Adding variables for GET method with curl

17,211

Solution 1

In a GET request, arguments are passed in the "query" section of the URL.

http://www.google.com/search?q=url+query

Arguments passed in this way must be specially encoded ("URL encoded"), because certain characters have special meaning.

Solution 2

Why not put them in your URL, like this:

$url = "http://mydomain.com/api/user/".$uid."?arg1=value1&arg2=value2";

Solution 3

If you want to put the appKey and appSecret in the GET request's header, use:

$authorization = sprintf('Authorization: AppLogin key="%s", secret="%s"', urlencode($appKey), urlencode($appSecret));
curl_setopt($request, CURLOPT_HTTPHEADER, array($authorization));

Then on your REST server, you can get the app key and secret from $_SERVER['HTTP_AUTHORIZATION'] via preg_match.

You can also use a basic signature method instead of passing the appSecret each time.

// Send a signature derived from the secret and a per-request nonce instead of the secret itself
$nonce = sha1(mt_rand());
$signature = sha1("$appKey:$appSecret:$nonce");
$authorization = sprintf('Authorization: AppLogin key="%s", signature="%s", nonce="%s"', urlencode($appKey), urlencode($signature), urlencode($nonce));

Then on the server, first get the values from the Authorization header, then get the secret assigned to the app based on appKey, then rebuild the signature using the same method, and finally compare it with the signature sent by the app.
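The server-side check described above, as an added example that is not part of the original answer. It swaps in hash_hmac('sha256') and random_bytes() for the answer's sha1()/mt_rand(), compares with hash_equals(), and rejects reused nonces; the function names, the sample key and secret, and the in-memory nonce store are assumptions.

```php
<?php
// Added example; buildAuthHeader(), verifyAuthHeader() and $APP_SECRETS are hypothetical names.

// Constructed sample data: appKey => appSecret, as the server would store it.
$APP_SECRETS = ['demo-app' => 'constructed-sample-secret'];

// Client side: build the header value; the secret itself is never sent.
function buildAuthHeader(string $appKey, string $appSecret): string
{
    $nonce = bin2hex(random_bytes(16));                        // nonce from a CSPRNG
    $signature = hash_hmac('sha256', "$appKey:$nonce", $appSecret);
    return sprintf('AppLogin key="%s", signature="%s", nonce="%s"',
        urlencode($appKey), $signature, $nonce);
}

// Server side: parse the header, look up the secret, rebuild the signature, compare.
function verifyAuthHeader(string $header, array $secrets, array &$seenNonces): bool
{
    $pattern = '/^AppLogin key="([^"]+)", signature="([0-9a-f]{64})", nonce="([0-9a-f]{32})"$/';
    if (!preg_match($pattern, $header, $m)) {
        return false;                                          // malformed header
    }
    [, $key, $signature, $nonce] = $m;
    $appKey = urldecode($key);
    $nonceId = "$appKey:$nonce";
    if (!isset($secrets[$appKey]) || isset($seenNonces[$nonceId])) {
        return false;                                          // unknown app or replayed nonce
    }
    $expected = hash_hmac('sha256', "$appKey:$nonce", $secrets[$appKey]);
    if (!hash_equals($expected, $signature)) {                 // constant-time comparison
        return false;
    }
    $seenNonces[$nonceId] = true;                              // record only verified nonces
    return true;
}

$seen = [];  // stand-in for a shared nonce store such as a database table (assumption)
// The client would send "Authorization: " . $header via CURLOPT_HTTPHEADER;
// the server would read the value from $_SERVER['HTTP_AUTHORIZATION'].
$header = buildAuthHeader('demo-app', $APP_SECRETS['demo-app']);
var_dump(verifyAuthHeader($header, $APP_SECRETS, $seen));      // first use of this header
var_dump(verifyAuthHeader($header, $APP_SECRETS, $seen));      // same header sent again
var_dump(verifyAuthHeader(buildAuthHeader('demo-app', 'wrong-secret'), $APP_SECRETS, $seen));
```

Because the signature covers only the key and nonce, it authenticates the caller but not the request path or parameters.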

Author by

Sharon Haim Pour


Updated on June 14, 2022

Comments

  • Sharon Haim Pour
    Sharon Haim Pour almost 2 years

    I'm writing a RESTful API for my webservice.
    When I get a request to the server, the first thing I do is check the appKey and the appSecret.
    This is not a problem with POST methods because I can add them to the request as follows:
    (This method returns the user's details)

    $data = array('appId'=>$appId, 
                  'appSecret'=>$appSecret,
                  'userId'=>$uid);
    $url = "http://mydomain.com/api/user/".$uid;
    $request = curl_init($url);
    curl_setopt($request, CURLOPT_POSTFIELDS, $data);
    $result = curl_exec($request);
    

    My question is how can I (if it's possible) include the data (appSecret, appKey) in a GET method?

    And if not, how can I use a GET method to get user's details and still check the appKey and appSecret on the server?

    Thanks!

  • Sharon Haim Pour
    Sharon Haim Pour over 13 years
    I don't want the appKey and appSecret to be in the URL.
  • Sharon Haim Pour
    Sharon Haim Pour over 13 years
    Is there a way to put the arguments in the $data array?
  • majelbstoat
    majelbstoat over 13 years
    Then you don't want a GET request. As Chris says above, you should use HTTP Headers.
  • Sharon Haim Pour
    Sharon Haim Pour over 13 years
    How can I use HTTP headers with cURL?
  • Chris DuPuis
    Chris DuPuis over 13 years
    If you're worried about the security of your data (as you should be), it's really not sufficient to put your cleartext secrets in your requests at all. If you're trying to implement access control to your service, there are dozens of existing solutions for handling this. Don't try to invent your own, because cryptographic protocols are notoriously difficult to get right, either in design or in implementation.
  • Sharon Haim Pour
    Sharon Haim Pour over 13 years
    Can you recommend one of these access controls?
  • Chris DuPuis
    Chris DuPuis over 13 years
    I would recommend looking into OpenID, which is supported by a lot of different platforms and libraries.