0

I want to use a simple API and i want to do it in the secure way. It is currently using sockets and port 80. As far as I know port 80 is open and it doesn't seem such a secure connection.

As the data to send contains user and password i want to use HTTPS instead of HTTP to make it secure.

I was wondering if it is so simple as just changing this line;

$headers = "POST /api/api.php HTTP/1.0\r\n";

For this other line

$headers = "POST /api/api.php HTTPS/1.0\r\n";

And changing the port to 443

Here is the connect function:

// api connect function
function api_connect($Username, $Password, $ParameterArray)
{
   // Create the URL to send the message.
   // The variables are set using the input from an HTML form

   $err = array();
   $url = "api.text-connect.co.uk";
   $headers = "POST /api/api.php HTTP/1.0\r\n";
   $headers .= "Host: ".$url."\r\n";

   // Create post string
   // Username and Password
   $poststring = "Username=".$Username."&";
   $poststring .= "Password=".$Password;

   // Turn the parameter array into the variables

   while (list($Key, $Value)=@each($ParameterArray))
   {
      $poststring .= "&".$Key."=".urlencode($Value);
   }

   // Finish off the headers
   $headers .= "Content-Length: ".strlen($poststring)."\r\n";
   $headers .= "Content-Type: application/x-www-form-urlencoded\r\n";


   // Open a socket
   $http = fsockopen ($url, 80, $err[0], $err[1]);
   if (!$http)
   {
      echo "Connection to ".$url.":80 failed: ".$err[0]." (".$err[1].")";
      exit();
   }

   // Socket was open successfully, post the data.
   fwrite ($http, $headers."\r\n".$poststring."\r\n");

   // Read the results from the post
   $result = "";
   while (!feof($http))
   {
      $result .= fread($http, 8192);
   }

   // Close the connection
   fclose ($http);

   // Strip the headers from the result
   list($resultheaders, $resultcode)=split("\r\n\r\n", $result, 2);

   return $resultcode;
}
?>
Alvaro
  • 40,778
  • 30
  • 164
  • 336

3 Answers3

2

Your code has a huge number of issues regardless if it's using HTTP or HTTPS - implementing an HTTP client (or server) is MUCH more complicated than simply throwing some headers across a socket then sinking the response.

What's particularly bad about this approach is that it will work some of the time - then it will fail and you won't understand why.

Start again using curl.

Doing it this way you only need to change the URL (it also implements a cookie jar, support for header injection, automatic following of redirects, routing via proxies, verification or non-verification of SSL certificates amongst other things).

symcbean
  • 47,736
  • 6
  • 59
  • 94
1

I was wondering if it is so simple as

No, it isn't. It really, really isn't.

HTTPS is HTTP tunnelled over SSL. So you don't change the content of the HTTP request at all.

You do need to perform all the SSL handshaking before you do the HTTP stuff though.

SSL is crypto, it is therefore hard. Don't try reinventing this wheel. Use a library such as cURL.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • How could I use cURL library for this purpose? – Alvaro Nov 28 '12 at 14:06
  • A tutorial in using cURL is out of scope for a stackoverflow answer. The documentation for it is decent. – Quentin Nov 28 '12 at 14:07
  • So, can not I use this function at all? Should I create another different? This is the one offered on the official website of the system I'm trying to use: http://www.text-connect.co.uk/dev/php/send_message.txt – Alvaro Nov 28 '12 at 14:08
  • Correct (well, mostly, bits of it are reusable). Yes. Doing HTTP with sockets in application level code is nuts: HTTP libraries exist. – Quentin Nov 28 '12 at 14:11
1

curl and set CURLOPT_SSL_VERIFYPEER = false

Angelin Nadar
  • 8,944
  • 10
  • 43
  • 53