
Created my own PHP API

Hello StackOverflow community

Currently I'm in a small project where an API is required. I tested some SOAP WSDL and RESTful APIs, but none worked for me. So I created my own API. As I'm not a professional programmer, I want to know if my API is unsafe.

<?php

class API{

    public function __construct(){
        if($_SERVER['REQUEST_METHOD'] === 'POST'){
            if(!empty($_POST)){
                $data_array = array();
                require_once('PreparePOST.php');
                // one single-element array per posted field, keyed by the posted value
                foreach($_POST as $key => $value)
                    array_push($data_array,array($value => $key));
                echo new PreparePOST($data_array);
            }else{return new Exception('No Data Requested');}
        }else{return new Exception('Request not allowed');}
    }
}
$init = new API();

?>

Some serious validation and security stuff is done after PreparePOST($data_array), e.g. only allowed parameters and character escaping.

Notice: This is only the POST implementation; the GET implementation and an API auth token will be available later.

  • What are you thinking?
  • Is this complete nonsense?
  • Where are possible security issues?
  • How can I improve my code?

Btw, my project is a tool which transmits server info from our customers (like HD capacity and backup logs) to our server, so we can evaluate all servers statistically.

Thanks for your advice
KR

As you say that the PreparePOST object does validation and security, it would be ideal to share that code too to identify security issues.

One thing which springs to mind right away, although not a security issue, is that you should throw an Exception rather than return one. Also, when you are initializing your API object you don't have any way to catch the exceptions which it may throw. See the try/catch block which I've put below.

Also, the code isn't super readable; perhaps this would be better:

<?php
class API
{
    public function __construct()
    {
        if($_SERVER['REQUEST_METHOD'] === 'POST')
        {
            if(!empty($_POST))
            {
                $data = array();

                require_once('PreparePOST.php');

                foreach($_POST as $key => $value)
                {
                    array_push($data, array($value => $key));
                }

                echo new PreparePOST($data);
            }
            else
            {
                throw new Exception('No Data Requested');
            }
        }
        else
        {
            throw new Exception('Request not allowed');
        }
    }
}

try 
{
    $init = new API();

}
catch(Exception $e)
{
    //handle the exception here
    echo $e->getMessage();
}

?>

Specific coding style is down to preference however to keep it readable and maintainable you should definitely make good use of whitespace. There's absolutely nothing gained by keeping code bunched together. In fact quite the opposite.

I wouldn't say there's a need to call your $data variable $data_array. You can see from the code that it's an array. Also, separate arguments to functions with a comma and a space for readability (when calling array_push).
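The answer above covers throwing and catching the exception; the question itself asks where the security issues are and mentions an allowlist of parameters and a future auth token. The following is an added example written for this page (it is neither the asker's nor the answerer's code, and PreparePOST is not shown anywhere on the page) of how the same endpoint can be structured so that the points raised here are handled: the method check, a parameter allowlist with per-field validation, a bearer-token check using a constant-time comparison, a request-size limit, and HTTP status codes with a generic message instead of echoing the exception text to the client. The class name Api, the handleRequest()/store() methods, the API_TOKEN environment variable and the three parameter names are all assumptions made for the example; it targets PHP 8.

```php
<?php
// Added example (editor's own code, not from the question or the answer).
// Hardened request handler for the "server info" upload endpoint described
// in the question. Assumed names: the Api class, handleRequest()/store(),
// the API_TOKEN environment variable and the parameter allowlist.

declare(strict_types=1);

final class Api
{
    // Parameters the endpoint accepts, with a shape check for each. Anything
    // not listed is rejected instead of being passed on (allowlisting).
    // \z anchors at the true end of the string, unlike $ which allows a
    // trailing newline.
    private const ALLOWED = [
        'hostname'    => '/^[a-z0-9.-]{1,253}\z/i',
        'hd_capacity' => '/^\d{1,12}\z/',                  // bytes, digits only
        'backup_log'  => '/^[\x20-\x7E\r\n]{0,4096}\z/',  // printable ASCII only
    ];

    private const MAX_BODY = 16384; // bytes; reject oversized uploads early

    public function __construct(private string $expectedToken) {}

    /**
     * Returns [status, body] instead of echoing, so the logic can be tested
     * and so that exception text never reaches the client.
     */
    public function handleRequest(array $server, array $post, string $rawBody): array
    {
        if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
            return [405, ['error' => 'method not allowed']];
        }
        if (strlen($rawBody) > self::MAX_BODY) {
            return [413, ['error' => 'payload too large']];
        }

        // Token check first, so unauthenticated callers learn nothing about
        // the data handling. hash_equals() avoids a timing side channel.
        $auth = $server['HTTP_AUTHORIZATION'] ?? '';
        if (!preg_match('/^Bearer (\S+)\z/', $auth, $m)
            || !hash_equals($this->expectedToken, $m[1])) {
            return [401, ['error' => 'unauthorized']];
        }

        if ($post === []) {
            return [400, ['error' => 'no data']];
        }

        $clean = [];
        foreach ($post as $key => $value) {
            // Reject unknown parameter names, non-scalar values (PHP builds
            // arrays from keys such as foo[]=...), and values of the wrong shape.
            if (!isset(self::ALLOWED[$key]) || !is_string($value)
                || !preg_match(self::ALLOWED[$key], $value)) {
                return [400, ['error' => 'invalid parameter', 'name' => (string) $key]];
            }
            $clean[$key] = $value; // keyed by parameter name, not by posted value
        }

        try {
            $this->store($clean);
        } catch (Throwable $e) {
            // Detail goes to the server log; the client gets a generic message.
            error_log('store failed: ' . $e->getMessage());
            return [500, ['error' => 'internal error']];
        }
        return [200, ['ok' => true, 'accepted' => array_keys($clean)]];
    }

    private function store(array $record): void
    {
        // Placeholder for the real persistence step (assumption: a prepared
        // statement or a per-customer append would go here).
    }
}

// Front controller: the token comes from the environment, not from the code.
$token = getenv('API_TOKEN') ?: '';
if ($token === '') {
    http_response_code(500);
    exit;
}
[$status, $body] = (new Api($token))->handleRequest(
    $_SERVER, $_POST, (string) file_get_contents('php://input')
);
http_response_code($status);
header('Content-Type: application/json');
echo json_encode($body, JSON_THROW_ON_ERROR);
```

Two things to note when adapting this. First, the allowlist is keyed by parameter name and validates the value, which is the opposite orientation from `array($value => $key)` in the posted code, where the customer-supplied value becomes the array key. Second, escaping is deliberately absent here: what escaping is needed depends on where the data ends up (a prepared statement for SQL, htmlspecialchars() only at the point of HTML output), so it belongs at the sink, not in the request handler.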
