0

I'm using this crappy API, and it gives you an apptoken as part of the URL to use in the action bit of a form. The method is post. What I want to do is try and hide the apptoken from being in the source code (it's not really necessary but now I want to know if what I'm trying to do is even possible.) So my idea was to set the form action to an HTML form to be a function.php and have function.php be the one doing the posting of the form's action to the http://domain.com/apptokenxxxxxxxxx

function.php would not be publicly readable, therefore hiding the apptoken, sort of like a content management system's config file.

Is this even possible? Or am I chasing a rabbit down the wrong hole... I just need to be pointed in the right direction.

EDIT: HTML Form:

<h2>Client Tracker: Sample Clients</h2><form name=qdbform method=POST onsubmit='return validateForm(this)' encType='multipart/form-data' action=https://sample.quickbase.com/db/bdrsrxjnrr?act=API_AddRecord&apptoken=cwfcy7gdzsjeo6556ebi2bn4u4kr>
<input type=hidden name=fform value=1>
<table>
<tr><td class=m>Company</td>
<td class=m><input type=text size=40 name=_fid_5 ></td></tr>
<tr><td class=m>Contact</td>
<td class=m><input type=text size=40 name=_fid_10 ></td></tr>
<tr><td class=m>Comments</td>
<td class=m><textarea  name=_fid_12 rows=6 cols=40></textarea></td></tr>
</table><input type=hidden name=rdr value='http://bbc.co.uk'>
<input type=submit value=Save>
</form>
<script lang=javascript>
function validateForm(theForm)
{
}
</script>

So - the bit here: action=https://sample.quickbase.com/db/bdrsrxjnrr?act=API_AddRecord&apptoken=cwfcy7gdzsjeo6556ebi2bn4u4kr> I want to be hidden from someone just seeing by doing a view source. The way that I thought of doing it is having the webserver handle it server side so that the web user never gets to see where the data is actually being sent to, other than the function.php or whatever I call it.

meowsoftly
  • Yes, it's possible using the [cURL](http://php.net/manual/en/book.curl.php) library. However, no one can say or answer your question unless you post the associated code with it. – Rajdeep Paul Dec 29 '16 at 14:59
  • Thank you - this looks interesting. I've added the html code for a bit of context. Unfortunately since I do not yet know what the php side will be this is all I have to show as an example. – meowsoftly Dec 29 '16 at 15:14
  • I've given an answer below. Hopefully this will resolve your issue. – Rajdeep Paul Dec 29 '16 at 16:04

4 Answers

2

Okay, since you don't have enough real code, let me give you a simple example to walk through the problem and the solution.

  • First of all, create a new page, like secondpage.php to process your form. Also, you don't have to add any hidden input fields in your form, the server side PHP page and cURL library will take care of those, which are explained in later point(s). So let's say your form is like this:

    <h2>Client Tracker: Sample Clients</h2>
    <form action="secondpage.php" method="POST" name="qdbform" onsubmit="return validateForm(this)" enctype="multipart/form-data">
        <table>
            <tr><td class="m">Company</td>
            <td class="m"><input type="text" size="40" name="_fid_5" /></td></tr>
            <tr><td class="m">Contact</td>
            <td class="m"><input type="text" size="40" name="_fid_10" /></td></tr>
            <tr><td class="m">Comments</td>
            <td class="m"><textarea name="_fid_12" rows="6" cols="40"></textarea></td></tr>
        </table>
        <input type="submit" name="submit" value="Save">
    </form>
    

    Look at the action attribute: instead of sending the form directly to the API server, send the form data to the secondpage.php page, which will process your form and send the appropriate data (including the token) to the API server.

  • Now on the secondpage.php page, process your form and send the data (including the API token) to the API server using the cURL library. Using this library you can send the data to the API server via HTTP POST, that too without using any <form>. So assuming the fact that you also want to send the _fid_5, _fid_10 and _fid_12 field values to the API server, the code on the secondpage.php page would be like this:

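    <?php
    // secondpage.php runs on the server, so the apptoken in $url never reaches the browser.
    if (isset($_POST['submit'])) {
        $url = "https://sample.quickbase.com/db/bdrsrxjnrr?act=API_AddRecord&apptoken=cwfcy7gdzsjeo6556ebi2bn4u4kr";
        // Forward only the three expected fields; a missing field becomes an empty string.
        $data = array(
            '_fid_5'  => $_POST['_fid_5'] ?? '',
            '_fid_10' => $_POST['_fid_10'] ?? '',
            '_fid_12' => $_POST['_fid_12'] ?? '',
        );

        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // Verify the API server's certificate so the token is only sent to the real host.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        $response = curl_exec($ch);
        curl_close($ch);
    }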
    

There are a few points to note here:

  • Set CURLOPT_RETURNTRANSFER to true to return the transfer as a string of the return value of curl_exec() instead of outputting it directly.
  • CURLOPT_SSL_VERIFYPEER can be used to verify the peer's certificate. If we specify it as false, it will accept any server (peer) certificate.
  • CURLOPT_POST is used to do a regular HTTP POST. This POST is the normal application/x-www-form-urlencoded kind, most commonly used by HTML forms.
  • CURLOPT_POSTFIELDS is used to specify the full data we want to submit with this POST request. The $data array should be converted to a URL-encoded query string using the http_build_query() function, so that it can be sent as application/x-www-form-urlencoded.
Rajdeep Paul
  • Rockstar. I got it to work, and built in the logic for error handling. – meowsoftly Dec 29 '16 at 18:25
  • @meowsoftly Glad I could help. Please *accept* the answer if it resolved your issue. [How to accept answer on Stack Overflow?](http://meta.stackexchange.com/a/5235) – Rajdeep Paul Dec 30 '16 at 08:43
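The server-side relay described in the answer above, as an added example that is not part of the original answers: it reads the apptoken from the server environment instead of the script, forwards only the three form fields, and never echoes the upstream URL or response to the browser. The environment variable name `QB_APPTOKEN`, the length limits and `/thanks.html` are assumptions made for the example.

```php
<?php
// send.php: added example, not from the original answers.
// Assumed (hypothetical) names: QB_APPTOKEN env var, /thanks.html, the length limits.
const API_BASE = 'https://sample.quickbase.com/db/bdrsrxjnrr'; // URL from the question
const ALLOWED_FIELDS = ['_fid_5' => 40, '_fid_10' => 40, '_fid_12' => 2000]; // name => max bytes

/** Return only the expected fields, or null if any is not a string or is too long. */
function filter_fields(array $post): ?array {
    $out = [];
    foreach (ALLOWED_FIELDS as $name => $max) {
        $value = $post[$name] ?? '';
        if (!is_string($value) || strlen($value) > $max) { // arrays (_fid_5[]=x) land here
            return null;
        }
        $out[$name] = $value;
    }
    return $out;
}

/** POST the fields to the API with the token appended server-side; true on HTTP 2xx. */
function forward(array $fields, string $token): bool {
    $query = http_build_query(['act' => 'API_AddRecord', 'apptoken' => $token]);
    $ch = curl_init(API_BASE . '?' . $query);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,   // keep the upstream body out of our output
        CURLOPT_SSL_VERIFYPEER => true,   // the token must only go to the real API host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false) {
        error_log('upstream POST failed, curl errno ' . curl_errno($ch)); // errno only, no URL
    }
    curl_close($ch);
    return $body !== false && $status >= 200 && $status < 300;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $token  = getenv('QB_APPTOKEN');
    $fields = filter_fields($_POST);
    if ($fields !== null && is_string($token) && $token !== '' && forward($fields, $token)) {
        header('Location: /thanks.html', true, 303);
    } else {
        http_response_code($fields === null ? 400 : 502);
        echo 'The record could not be saved.';
    }
}
```

This keeps the token out of view-source, but anyone who can reach send.php can still add records through it, so the relay needs its own access control or rate limiting if that matters.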
0

You could do this without curl using the following snippet. Just populate the data array with your information. Then you'll be able to post without revealing your API or action URLs.

$url = 'ENTER_ACTION_HERE';
$data = array('key1' => 'value1', 'key2' => 'value2');

// use key 'http' even if you send the request to https://...
$options = array(
    'http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => http_build_query($data)
    )
);
$context  = stream_context_create($options);
$result = file_get_contents($url, false, $context);
if ($result === FALSE) { /* Handle error */ }

var_dump($result);
Bryant Makes Programs
0

In broad terms here's what you do. You have your form submit to send.php:

<form name="qdbform" method="post" onsubmit="return validateForm(this)" action="send.php">

In send.php you use curl or another library to post data to the url:

$token = "cwfcy7gdzsjeo6556ebi2bn4u4kr";
$api_url = "https://sample.quickbase.com/db/";
// whatever library you use will allow you to set parameters
// and perform a post action to the endpoint
Serg Chernata
0

Here's how to send your request and receive the response:

// Placeholder values for illustration; replace them with your own request details.
$url     = 'ENTER_ACTION_HERE';
$headers = ['Content-Type: application/x-www-form-urlencoded'];
$body    = http_build_query(['key1' => 'value1', 'key2' => 'value2']);

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => $url,
    CURLOPT_POST => true,
    // or this for a custom HTTP method
    // CURLOPT_CUSTOMREQUEST => $method,
    // e.g. ['Content-Type: application/json']
    CURLOPT_HTTPHEADER => $headers,
    // send your POST data here; if it's an array, encode it with http_build_query()
    CURLOPT_POSTFIELDS => $body,
    // executing the cURL operation returns a string containing the full response
    CURLOPT_RETURNTRANSFER => true,
    // retrieve the headers too
    CURLOPT_HEADER => true,
    // you may or may not want this; some servers have problems
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_CONNECTTIMEOUT => 5,
]);

$response = curl_exec($curl);

if (empty($response)) {
    throw new Exception(curl_error($curl), curl_errno($curl));
}

Information on how to parse the response can be found here:

Can PHP cURL retrieve response headers AND body in a single request?

Community
Dissident Rage