Please bear with me if this sounds a bit ridiculous, but I've only just learned the basics of PHP and jQuery over the last week or two. This might be plainly obvious to anyone with a modicum of experience, so I appreciate any information you can share.

I'm updating my website to include a custom search function that queries a SQL database through a cURL call. In short:

  1. I take user input from an HTML form (including a text box), then POST the values to a php file (searchfunction.php) on my server under my domain.

  2. searchfunction.php then processes the form data, adds it to a URL query string that includes a private API key (in the format of http://apidomain/[api key]/request.php?querystring), and sends that off to a 3rd-party server via curl_init.

  3. The 3rd-party server then returns a serialized PHP array based on the URL's query string. The PHP file then processes the array and echoes some HTML that appears on the same page as the original user form (via some jQuery magic that I only barely understand).

Here are my questions:

Q1) Because I'm sending a cURL string to an API which then handles all the SQL stuff, am I at any risk of a SQL injection? If so, what is the theory behind eliminating that risk?

Q2) How can I keep the private API key hidden? The browser URL bar will never contain it, but is there a simple way - maybe through the .htaccess file - to keep prying eyes away from the content of the PHP file that processes the form data and returns the HTML?

Q3) Are there any other obvious security loopholes that I should be aware of? There are ways to write to the database through the API (though not without the API key and the appropriate query string syntax), so how can I prevent a malicious user from manipulating the cURL call?

Thanks for your help in advance. Now that I've stepped into the bewildering world of making my website talk to other servers, I've found myself completely in over my head, especially when it comes to security.

Chris
  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Mar 03 '13 at 21:32
  • I read "How to prevent SQL injection in PHP," but since I'm only interacting with the SQL database through an API call via cURL, I didn't think it applied to my questions. Do you think it does? Great article, by the way. – Chris Mar 03 '13 at 21:53
  • It always applies. It's not just about SQL injection, it's simply about **avoiding syntax errors**. Avoid syntax errors and you're automatically avoiding SQL injection. – deceze Mar 03 '13 at 22:05
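The three questions above line up with three places in the proxy script where the user's input can or cannot reach something sensitive: the query string that is sent to the API (Q1/Q3), the storage of the key (Q2), and the serialized response that is turned back into HTML. The following searchfunction.php is an added example written for this page; it is not the asker's script and not the API vendor's code. It assumes the key is kept in `/etc/mysite/api_key.txt` (any path outside the web server's document root works), that the form posts a single field named `q`, and that the API takes a hypothetical `action` parameter; `apidomain` is the placeholder host from the question. What it shows is that the script, not the user, decides which parameters exist, that every value is percent-encoded, that the response is unserialized without instantiating objects, and that results are escaped before being echoed. Whether the API itself builds its SQL safely is outside the caller's control; the script only limits what the user can influence.

```php
<?php
// Added example (not the asker's code). Assumes the API key lives in
// /etc/mysite/api_key.txt (outside the web root) and the endpoint layout
// http://apidomain/[api key]/request.php?... described in the question.
declare(strict_types=1);

const API_HOST = 'http://apidomain';          // placeholder host from the question
const KEY_FILE = '/etc/mysite/api_key.txt';   // assumed location, never served by the web server

// Q2: read the key from a file the web server can read but does not serve.
function loadApiKey(string $path = KEY_FILE): string {
    $key = @file_get_contents($path);
    if ($key === false || trim($key) === '') {
        throw new RuntimeException('API key not configured');
    }
    return trim($key);
}

// Q3: accept only the field the form actually sends, and constrain it.
function validateSearchTerm(?string $raw): string {
    $term = trim((string) $raw);
    if ($term === '' || mb_strlen($term) > 100) {
        throw new InvalidArgumentException('search term must be 1-100 characters');
    }
    // Reject control characters; everything else is safe once URL-encoded.
    if (preg_match('/[\x00-\x1F\x7F]/', $term)) {
        throw new InvalidArgumentException('search term contains control characters');
    }
    return $term;
}

// Q1/Q3: parameter names are fixed here, so the user cannot add an extra
// parameter (such as a write action); http_build_query percent-encodes values.
function buildRequestUrl(string $apiKey, string $term): string {
    $params = ['action' => 'search', 'q' => $term]; // 'action' is a hypothetical API parameter
    return API_HOST . '/' . rawurlencode($apiKey) . '/request.php?' . http_build_query($params);
}

function callApi(string $url): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_FOLLOWLOCATION => false, // a redirect must not carry the key to another host
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        // The message deliberately omits $url, which contains the key.
        throw new RuntimeException('API request failed: ' . $err);
    }
    // The API returns a serialized PHP array; refuse to instantiate any objects from it.
    $data = unserialize($body, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('unexpected API response');
    }
    return $data;
}

// Escape every value before it is echoed into the page.
function renderResults(array $rows): string {
    $html = '<ul>';
    foreach ($rows as $row) {
        $title = htmlspecialchars((string) ($row['title'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "<li>$title</li>";
    }
    return $html . '</ul>';
}

try {
    $term = validateSearchTerm($_POST['q'] ?? null);
    $rows = callApi(buildRequestUrl(loadApiKey(), $term));
    echo renderResults($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(502);
    error_log($e->getMessage());   // server log only; the browser gets a generic message
    echo 'Search is temporarily unavailable.';
}
```

The `.htaccess` route asked about in Q2 is not needed for the key itself: a `.php` file is executed, not served, so its source is only exposed if PHP handling breaks or a backup copy (`searchfunction.php~`, `.bak`) lands in the web root. Keeping the key in a file outside the document root removes both cases at once.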

1 Answer

PHP is server side, so unless you're echoing out the key or causing warnings/errors (which might complain about your URL which contains the API key) there is no problem. And you can't know about the API's handling of SQL data either (unless it's open source), so it doesn't really matter. If they are secure, they are secure. If you are unsure you should ask them about their security (never hurts to let them know it's a big deal).

ejjz
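The leak the answer describes is concrete: a cURL warning such as "failed to open stream" quotes the full request URL, and with `display_errors` on that URL, key included, ends up in the HTML sent to the browser. The snippet below is an added example, not the answerer's code, showing the two controls that close that path: errors go to the log instead of the response, and the key is redacted from any message before it is logged. It assumes the key is read from `/etc/mysite/api_key.txt` (a path chosen for the example) and that `apidomain` is the placeholder host from the question; the sample message at the end is constructed to show the redaction, not real output.

```php
<?php
// Added example (not the answerer's code). Keeps PHP warnings and exceptions
// out of the HTTP response and strips the API key from anything that is logged.
declare(strict_types=1);

// Never render warnings/notices into the page; write them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Replace the key (raw or percent-encoded, as it would appear inside a URL)
// with a marker wherever it shows up in a message.
function redactSecret(string $message, string $secret): string {
    if ($secret === '') {
        return $message;
    }
    return str_replace([$secret, rawurlencode($secret)], '[REDACTED]', $message);
}

// Install handlers that redact before logging, so an unexpected warning
// from curl_exec or file_get_contents cannot write the key into the log.
function installRedactingHandlers(string $secret): void {
    set_error_handler(function (int $errno, string $errstr, string $file, int $line) use ($secret): bool {
        error_log(sprintf('PHP error %d at %s:%d: %s', $errno, $file, $line, redactSecret($errstr, $secret)));
        return true; // handled here; PHP's default printing is skipped
    });
    set_exception_handler(function (Throwable $e) use ($secret): void {
        error_log('Uncaught ' . get_class($e) . ': ' . redactSecret($e->getMessage(), $secret));
        http_response_code(500);
        echo 'Internal error';   // generic text only; nothing about the request
    });
}

$apiKey = trim((string) file_get_contents('/etc/mysite/api_key.txt')); // assumed path, outside the web root
installRedactingHandlers($apiKey);

// Constructed sample of the kind of message a cURL failure produces; after
// redaction the log line reads ".../[REDACTED]/request.php?q=test".
$sample = 'curl: failed to open http://apidomain/' . $apiKey . '/request.php?q=test';
error_log(redactSecret($sample, $apiKey));
```

The same `display_errors`/`log_errors` settings can be made in php.ini or a `php_flag display_errors off` line in `.htaccess` (where `AllowOverride` permits it); setting them at the top of the script only works for errors raised after that line, which is why the handlers are installed before the first call that uses the key.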