Jump to content

Secure API and JSON to show content on another domain?


Recommended Posts

Hi Guys,


I'm new to this API and JSON stuff so bare with me. Is there any source code available that allows me to start off building an admin panel on site A where users can't get the source code from the site once they log into site A admin panel. I heard that JSON can do this.


Also is there a simple Secure API source code that allows site A to show content on site B (another domain)? I don't want to use iFrames as i want to be able to edit the content on site A for site B to automatically be changed when it's saved. Also another site (site C) to have their own content thats different to site B.


What i'm really looking for is the full source codes with steps by steps on how to change this the way i want to change it. I've searched online for 2 weeks now and am still struggling to find anything and how to implement it. Even with REST. Can you please advice me on this with any helpful solutions.


I hope this is clear enough.



Link to comment
Share on other sites

Thats why i'm here. I know it's going to be implementing bits by bits of different programming languages and was hoping to see if there is a quick solution for each of those parts that will help me on my way to what I want to do.


As I have said, I'm new to API's and JSON. I was really hoping to be guided on how I can go about this with any quick solution to generate the codes if possible (which would be a bonus but unlikely). I also want to see what is the best options for each one especially the kind of API's to use as well as if JSON is the right secure solution for this project or if there are other choices that would be recommended.


Just to note that my main skills are html, php, css, javascript, sql.

Edited by Cobra23
Link to comment
Share on other sites

There is no quick solution and no step-by-step guide. You'll actually have to write the code yourself.


I'm also not sure why you're so obsessed with JSON. That's just a data format, it doesn't do anything. Whether you use JSON or XML or whatever is an implementation detail and completely irrelevant at this point. You can worry about it later.


I'd approach this problem top down. That is, you first need to know what you want. Since your initial description is very vague, I'm not sure if that's the case. The next step is to come up with a sensible high-level architecture. Who provides data for whom? And finally you take care of the implementation.


You seem to have it backwards. You're throwing around buzzwords like “REST” or “JSON”, but there's no clear goal beyond “site B shows content from site A” (which applies to roughly 99% of the WWW).


And some parts of your description don't really make sense. You've said you don't want your admin users to see your code. What code? And why would they see it?

Link to comment
Share on other sites

Am going to write a summarized version how can make an api with what you asked.


Make a directory named api, in apache config create a new virtualhost for it

Replace the word domain to yours and be sure to restart apache

<VirtualHost *:80>
        ServerName api.domain.com
        DocumentRoot /var/www/api
        <Directory /var/www/api>
            Options +Indexes
			allow from all

If want ssl get a certificate and also add this, save your cert under ssl directory

<VirtualHost api.domain.com:443>
	ServerName api.domain.com
	DocumentRoot /var/www/api
        <Directory /var/www/api>
            Options +Indexes
			allow from all
	SSLEngine on
	SSLCertificateKeyFile /etc/apache2/ssl/api.domain.com.key
	SSLCertificateFile /etc/apache2/ssl/api.domain.com.cert
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


Create an index file in the api directory, this will be used as your api front door (api.domain.com)

The api will use REST and GET parameters or w/e CRUD design you come up with


You should have a cms, user accounts.

Create a system that generates public and private keys and ability to create new ones, save keys to a database each users account.

Create a form that users can allow or deny ip's or domains,subdomains, save those to a database under that user or even script/service specific each users account.

The client would connect over a http request

They would be using GET parameters in the url

Designate what script to access, the public or private key can determine or limit what that clients actions can perform...such as CREATE,EDIT,DELETE for private keys, the format type of the output, any other parameters needed.


Obtain the clients ip

$remote_ip = $_SERVER['REMOTE_ADDR'];
if (strstr($remote_ip, ', ')) {
    $ips = explode(', ', $remote_ip);
    $remote_ip = $ips[0];

Can do a query using the supplied access key to associate to that user and their allowed ip's or domains.

Is the key valid? if not deny them, if so you now know the user

If want to check a domain, can use gethostbyaddr and discover their domain.

Is the ip or domain not in their allowed list or in a disallow list? if so deny them


Can place any additional checks you want into this, such as a credits system, suspended,banned and so on.


You would hold all the data in an array, doing checks as you go along, if is an error then deny access, can show whatever messages desire in the output.


Through the api you can use various header fields

You can do multiple format outputs as a GET parameter, setting json as default if does not exist in url


Here is an example how I do mine:

//check format
if (isset($_GET['format']) && trim($_GET['format']) != '') {
    $format = trim($_GET['format']);
} else {
    $format = "json";

$format_array = array(
if (!in_array($format, $format_array)) {
$errors['format'] = "Improper format used";
    $format = "json";

I incorporate a few switches, one to determine which script to include depending the service required via url

Another switch would be to determine the header type for output

switch ($format) {
    case 'json':
        header('Content-Type: application/json; charset=utf-8');
        echo json_encode(array(
                'data' => $array
    case 'xml':  
header('Content-Type: text/xml; charset=utf-8');      
//build your xml document and tree structure
    case 'html':
//create html document and data

    case 'iframe':
//show iframe content

If all checks passed the appropriate script would be included, should not allow any other domain to access it unless was allowed by that user.

Tracking and usage can be added by a simple hit counter if all the checks passed and actually used.

Link to comment
Share on other sites

  • 3 weeks later...

There's no need to re-invent the wheel:

APIgility provides an API out-of-the-box.

RESTler transforms your classes into REST objects.

DREST does the same thing but for Doctrine entities.


If you use Symfony, you can add the SyliusResourceBundle which is similar to DREST as it provides CRUD for Doctrine entities.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.