1

I have designed php and html code around an API.

The html code allows users to type in a specific item for evaluation. The item is then posted to the php and run through the API. It gets the response and spits out a php page.

The API is well protected, but I"m wondering if there's anything that could go wrong within my pages, both PHP and html.

Let me know if you can come up with anything that might be detrimental.

GK1667
  • 1,362
  • 3
  • 14
  • 22

3 Answers3

1

You need to protect against API-abuse, via your html page using Captcha validation on it, if you don't do so already.

Anirudh Ramanathan
  • 46,179
  • 22
  • 132
  • 191
  • Currently the site uses an API key which limits access to the API evaluation to 50 times a day. Is this appropriate as well? – GK1667 Jul 18 '12 at 18:25
  • Yes. Do check the way you have implemeted the API key system. See my answer here -> http://stackoverflow.com/a/11531799/759019 – Anirudh Ramanathan Jul 18 '12 at 18:27
1

If your php is using a database to store the information the users are posting then you will need to have some security to prevent injection attacks, recommend prepared statements and salted hashing.

ewein
  • 2,695
  • 6
  • 36
  • 54
  • The API I'm contacting has a database, but it is secured on that end. So it shouldn't affect anything on ours should it? We use Curl on the php to connect to the API – GK1667 Jul 18 '12 at 18:25
  • If the API is any good then yes it should be protected against injection attacks. However if you at any time access your database (if you have one) not through the API then you will have to take injection attacks into consideration when you access your database. – ewein Jul 18 '12 at 18:34
  • I do not have a database. The php only contacts the API which then looks up in its database and formats/displays the response – GK1667 Jul 18 '12 at 18:36
1

We have a very similar problem and concern. On our website, we have dozen's of PHP 'API' files. When a user logs into our site, a specific _SESSION variable is set with unique information. In the API files, we check for that session variable, and if not set, there's a redirect to the login page. This should prevent getting too far by calling the API files directly.

Also, there's an index.php in the PHP scripts directory which also does a redirect just in case the directory is somehow viewable with out it.

In addition, we make sure we sanitize every _POST and _GET variable to prevent SQL injection attacks. The mysql client for PHP has a function (the name escapes me) that will help sanitize arguments in this regard.

This is a couple of suggestions. Hope this helps.

pathrider
  • 844
  • 2
  • 12
  • 27
  • SQL injection is not a thing with PHP is it? Only if it is being injected into the database? But like I said, the API protects itself from SQL injection – GK1667 Jul 18 '12 at 18:28
  • SQL injection applies to any language where params from 'outside' are built into a SQL statement. Say you pass an Id to an API file and it's put into a SQL statement: "DELETE FROM Customer WHERE ID = " . $_POST['id']". Well what if $_POST['id'] = "43 OR ID IS NOT NULL"? Bye-bye table. – pathrider Jul 18 '12 at 21:58