Tasselhof Posted June 4, 2009 Share Posted June 4, 2009 Hi, I would like to have something like "API key" on my PHP script. So I would like to use something which recognizes from where the script is being run Let me explain my needs: I would like to call myscript.php?key=APIkey where $APIkey = urlencode(base64_encode($code->encrypt((string)$url, "[secret key]"))); I would like to have variable $url as url where the script calling my script is. So, lets have it like that: 1) My script is on www.example.com 2) I have granted of use to my friend on www.address.com 3) Don't want anybody else to use my script My friend will use something like require("http://www.example.com/script.php?key=APIkey which will work for him, but not for anybody else, because of theirs script is placed on domain I don't allow to use Hope I make myself clear and thanks for answers Quote Link to comment Share on other sites More sharing options...
Ken2k7 Posted June 4, 2009 Share Posted June 4, 2009 If www.address.com is on the same server as www.example.com, then you can use $_SERVER['REMOTE_ADDR']. If not, then it's impossible, I think. Quote Link to comment Share on other sites More sharing options...
Tasselhof Posted June 5, 2009 Author Share Posted June 5, 2009 No, they are not. I was hoping that there is something which will tell the script ... Is there a way to do this? Like, if I hate one server, I am blocking it? Or how to create key which will work just for specified servers? I know that there is function that can show user's IP = is there something like that for server? Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted June 5, 2009 Share Posted June 5, 2009 Are you trying to implement communication between two web sites where your site exposes an API or some sort? If that's the case: <?php define( 'AN_API_KEY', 'af292f2ok3j2o3jfo32j' ); session_start(); if( empty( $_POST ) ) { echo json_encode( false ); exit(); } if( $_POST['todo'] == 'establish' ) { // establish connection if( $_POST['key'] == AN_API_KEY ) { $_SESSION['established'] = true; } } if( $_SESSION['established'] !== true ) { echo json_encode( false ); exit(); } $o = new stdClass(); if( $_POST['todo'] == 'getcurdate' ) { $o->curdate = date( 'Y-m-d H:i:s' ); }else if( $_POST['todo'] == 'addnums' ) { $o->result = $_POST['n1'] + $_POST['n2']; } echo json_encode( $o ); ?> Have your friend communicate with your API using an HTTPRequest object, which can easily send POST information and hold a session just like a normal browser. Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted June 5, 2009 Share Posted June 5, 2009 Don't use GET for this. GET information is logged in plain text files on the server. That's very bad for sensitive information like keys and passwords. Use POST instead. Quote Link to comment Share on other sites More sharing options...
Tasselhof Posted June 5, 2009 Author Share Posted June 5, 2009 I am afraid I will have to use GET for this To be more concrete. I have PHP parsed XML from my database at http://adresar.bohyne.net/phpsqlajax_genxml.php And what I want to do is, that if there is calling to this XML from server I did not granted acces, that script shows nothing (or empty xml) Reason why I want to do this is, that by local law, I am responsible for user data and should grant users that nobody else will use those data Or, at least, have a list of pages which are using this XML to show data on their web Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted June 5, 2009 Share Posted June 5, 2009 Ok. But has anyone written any code to actually access your XML? If not, then you can make a requirement that they must send the API key via post. I really don't see why you can't force them to POST the data. Quote Link to comment Share on other sites More sharing options...
Tasselhof Posted June 5, 2009 Author Share Posted June 5, 2009 Ok. But has anyone written any code to actually access your XML? Yes, myself Thing is, that this XML is being called by javascript function - to put markers on Google Map in my webpage ... I can redo mine web, but then I need to force my index page to send data via POST at time its loaded (so user just types web page and page itself sends POST request to another script) Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted June 5, 2009 Share Posted June 5, 2009 I do JavaScript posts all the time with Dojo; I'm sure other JavaScript libraries make it very easy to do. JavaScript: dojo.addOnLoad( function() { var error_cb = function( obj, args ) { alert( 'Error with XHR call.' ); }, load_cb = function( obj, args ) { if( obj.success === true ) { alert( 'success!' ); console.log( obj ); } }, xhr = { handleAs : 'json', sync : false, url : '/your_script.php', error : error_cb, load : load_cb } content = { }; content.api_key = 'afowi@kfwfja'; xhr.content = content; dojo.xhrPost( xhr ); } ); Although if you are calling this from JavaScript then the API keys will be in plain sight anyways, so not much sense in trying to hide them. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.