Adding variables for GET method with curl
Solution 1
In a GET request, arguments are passed in the "query" section of the URL.
http://www.google.com/search?q=url+query
Arguments passed in this way must be specially encoded ("URL encoded"), because certain characters have special meaning.
Solution 2
Why not put them in your URL, like this:
$url = "http://mydomain.com/api/user/".$uid."?arg1=value1&arg2=value2";
Solution 3
If you want to put the appKey and appSecret in the GET request's header, use:
$authorization = sprintf('Authorization: AppLogin key="%s", secret="%s"', urlencode($appKey), urlencode($appSecret));
curl_setopt($request, CURLOPT_HTTPHEADER, array($authorization));
Then, on your REST server, you can get the app key and secret from $_SERVER['HTTP_AUTHORIZATION'] via preg_match.
You can also use a basic signature method instead of passing the appSecret each time.
$nonce = sha1(mt_rand());
$signature = sha1("$appKey:$appSecret:$nonce");
$authorization = sprintf('Authorization: AppLogin key="%s", signature="%s", nonce="%s"', urlencode($appKey), urlencode($signature), urlencode($nonce));
Then on the server, first get the values from the Authorization header, then get the secret assigned to the app based on appKey, then rebuild the signature using the same method, and finally compare it with the signature sent by the app.
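The client header and the server-side check described in this answer, as an added example that is not part of the original answer. It swaps the sha1() concatenation for HMAC-SHA256 keyed with the secret, uses random_bytes() instead of mt_rand(), compares with hash_equals(), and rejects a reused nonce; the function names, the $secrets map and the in-memory nonce list are assumptions for illustration.

```php
<?php
// Added example, not from the answer. HMAC-SHA256 and random_bytes() are
// substitutions for the answer's sha1() concatenation and mt_rand().

function buildAuthorization(string $appKey, string $appSecret): string
{
    $nonce = bin2hex(random_bytes(16));
    $signature = hash_hmac('sha256', "$appKey:$nonce", $appSecret);
    return sprintf('Authorization: AppLogin key="%s", signature="%s", nonce="%s"',
        urlencode($appKey), $signature, $nonce);
}

// $secrets (appKey => secret) and $seenNonces stand in for real storage.
function verifyAuthorization(string $value, array $secrets, array &$seenNonces): ?string
{
    $re = '/^AppLogin key="([^"]+)", signature="([0-9a-f]{64})", nonce="([0-9a-f]{32})"$/';
    if (!preg_match($re, $value, $m)) {
        return null; // malformed header
    }
    $appKey = urldecode($m[1]);
    $signature = $m[2];
    $nonce = $m[3];
    if (!isset($secrets[$appKey])) {
        return null; // unknown application
    }
    $expected = hash_hmac('sha256', "$appKey:$nonce", $secrets[$appKey]);
    if (!hash_equals($expected, $signature)) {
        return null; // signature mismatch, compared in constant time
    }
    if (isset($seenNonces["$appKey:$nonce"])) {
        return null; // nonce already used: replayed header
    }
    $seenNonces["$appKey:$nonce"] = true;
    return $appKey;
}

// Constructed sample data.
$secrets = ['demo-app' => 'constructed-secret'];
$seen = [];
$prefix = strlen('Authorization: ');
$good = substr(buildAuthorization('demo-app', 'constructed-secret'), $prefix);
$bad = substr(buildAuthorization('demo-app', 'wrong-secret'), $prefix);

var_dump(verifyAuthorization($good, $secrets, $seen)); // first use of a valid header
var_dump(verifyAuthorization($good, $secrets, $seen)); // same header again (replay)
var_dump(verifyAuthorization($bad, $secrets, $seen));  // signed with the wrong secret
```

On a real server the value passed to verifyAuthorization() is $_SERVER['HTTP_AUTHORIZATION'], and the seen-nonce set has to live in storage shared by all workers.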
Comments
-
Sharon Haim Pour almost 2 years
I'm writing a RESTful API for my webservice.
When I get a request to the server, the first thing I do is check the appKey and the appSecret.
This is not a problem with POST methods because I can add them to the request as follows:
(This method returns the user's details)
$data = array('appId'=>$appId, 'appSecret'=>$appSecret, 'userId'=>$uid);
$url = "http://mydomain.com/api/user/".$uid;
$request = curl_init($url);
curl_setopt($request, CURLOPT_POSTFIELDS, $data);
$result = curl_exec($request);
My question is how can I (if it's possible) include the data (appSecret, appKey) in a GET method?
And if not, how can I use a GET method to get user's details and still check the appKey and appSecret on the server?
Thanks!
-
Sharon Haim Pour over 13 years
I don't want the appKey and appSecret to be in the URL.
-
Sharon Haim Pour over 13 years
Is there a way to put the arguments in the $data array?
-
majelbstoat over 13 years
Then you don't want a GET request. As Chris says above, you should use HTTP Headers.
-
Sharon Haim Pour over 13 years
How can I use HTTP headers with cURL?
-
Chris DuPuis over 13 years
If you're worried about the security of your data (as you should be), it's really not sufficient to put your cleartext secrets in your requests at all. If you're trying to implement access control to your service, there are dozens of existing solutions for handling this. Don't try to invent your own, because cryptographic protocols are notoriously difficult to get right, either in design or in implementation.
-
Sharon Haim Pour over 13 years
Can you recommend one of these access controls?
-
Chris DuPuis over 13 years
I would recommend looking into OpenID, which is supported by a lot of different platforms and libraries.