
I am trying to make an API for my website, and so far the GET and POST methods work, but I just can't get the DELETE method to work. I know a lot of people have this issue, but I could not find the solution anywhere. If anyone can help me, thanks!

PS: Just to be clear, I do not have the WebDav module installed on the Windows Server.

This is my index.php:

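<?php
// index.php — minimal JSON API front controller.
// IIS rewrites every request to index.php?url=<path> (see web.config), so the
// resource name is read from $_GET['url'] and the verb from REQUEST_METHOD.
require_once("DB.php");

$db = new DB("127.0.0.1", "SocialNetwork", "username", "pass");

/**
 * Send a JSON response with the given HTTP status.
 *
 * Status and Content-Type are set before anything is echoed: once the body
 * has started, headers can no longer be changed (the original DELETE branch
 * set the status after echoing).
 *
 * @param int   $status HTTP status code
 * @param array $body   associative array encoded as the JSON object body
 */
function send_json($status, array $body)
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}

$method = $_SERVER['REQUEST_METHOD'];
// Default the resource so a request without ?url= does not raise an
// undefined-index notice before the 405/400 handling runs.
$resource = isset($_GET['url']) ? $_GET['url'] : '';

if ($method === "GET") {

    if ($resource === "auth") {
        // not implemented yet
    } else if ($resource === "users") {
        // not implemented yet
    }

} else if ($method === "POST") {

    if ($resource === "auth") {
        $postBody = json_decode(file_get_contents("php://input"));

        // The body is untrusted: require a JSON object carrying string
        // credentials before touching the database. Reading a property of
        // a non-object (invalid JSON decodes to null) would raise a notice
        // and bind null to the query.
        if (!is_object($postBody)
            || !isset($postBody->username, $postBody->password)
            || !is_string($postBody->username)
            || !is_string($postBody->password)) {
            send_json(400, array("Error" => "Mal-formed request"));
            exit;
        }

        $username = $postBody->username;
        $password = $postBody->password;

        // One round trip fetches both the stored hash and the id; the
        // original issued three separate queries for the same user.
        $rows = $db->query('SELECT id, password FROM users WHERE username=:username', array(':username' => $username));

        if ($rows && password_verify($password, $rows[0]['password'])) {
            // openssl_random_pseudo_bytes() reports via $cstrong whether the
            // bytes came from a cryptographically strong source; the original
            // ignored that flag. A token from a weak source must not be issued.
            $cstrong = false;
            $raw = openssl_random_pseudo_bytes(64, $cstrong);
            if ($raw === false || $cstrong !== true) {
                send_json(500, array("Error" => "Token generation failed"));
                exit;
            }
            $token = bin2hex($raw);

            // Only the SHA-1 of the token is persisted, so the DELETE handler
            // below has to hash the presented token the same way to match it.
            $db->query('INSERT INTO login_tokens VALUES (0, :token, :user_id)', array(':token' => sha1($token), ':user_id' => $rows[0]['id']));

            // json_encode instead of hand-built JSON so the output is always
            // well-formed and properly escaped.
            send_json(200, array("Token" => $token));
        } else {
            // Same response for "unknown user" and "wrong password".
            http_response_code(401);
        }
    }

} else if ($method === "DELETE") {

    if ($resource === "auth") {
        // NOTE(review): with appendQueryString="false" in web.config the
        // original query string is dropped by the rewrite, so $_GET['token']
        // only arrives if the token is passed some other way — confirm.
        if (isset($_GET['token']) && is_string($_GET['token'])) {
            // Tokens are stored hashed (see the INSERT above); comparing the
            // raw token against the hashed column never matched a row.
            $db->query('DELETE FROM login_tokens WHERE token=:token', array(':token' => sha1($_GET['token'])));
            send_json(200, array("Status" => "Success"));
        } else {
            send_json(400, array("Error" => "Mal-formed request"));
        }
    }

} else {
    http_response_code(405);
}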

And this is my web.config:

<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config for the API site: routes every path to index.php, strips
     WebDAV (which otherwise intercepts DELETE/PUT), and whitelists verbs. -->
<configuration>
<system.webServer>
    <rewrite>
        <rules>
            <!-- Rewrite any path to index.php?url=<path>. Note that
                 appendQueryString="false" discards the request's own query
                 string, so index.php only ever sees the 'url' key; any
                 ?token=... sent by the client is dropped here. -->
            <rule name="API">
                <match url=".*" />
                <action type="Rewrite" url="index.php?url={R:0}" appendQueryString="false" />
            </rule>
        </rules>
    </rewrite>
    <!-- WebDAV module and handler removed so they cannot claim DELETE/PUT
         before the rewrite rule runs. -->
    <modules>
        <remove name="WebDAVModule" />
    </modules>
    <handlers>
        <remove name="WebDAV" />
    </handlers>
    <!-- NOTE(review): a 405 on DELETE can also come from the PHP handler
         mapping itself if its verb list is restricted (e.g. to GET,HEAD,POST);
         that mapping is not shown here — check the *.php handler's verb
         attribute in the applicable <handlers> section. -->
    <security>
    <requestFiltering>
        <!-- allowUnlisted="false": only the verbs listed below pass request
             filtering; everything else is rejected before reaching PHP. -->
        <verbs allowUnlisted="false">
            <add verb="GET" allowed="true" />
            <add verb="POST" allowed="true" />
            <add verb="DELETE" allowed="true" />
            <add verb="PUT" allowed="true" />
        </verbs>
    </requestFiltering>
</security>
</system.webServer>

Daan Hermans
  • Your code is vulnerable to [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [mysqli](https://secure.php.net/manual/en/mysqli.prepare.php) or [PDO](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). –  Apr 22 '18 at 17:03
  • Yes sorry, I am aware of that, this also is not the script I am using in my real website, I have pulled this piece out and checked if it worked, and so far everything works except for the DELETE method – Daan Hermans Apr 22 '18 at 17:29
  • Cannot reproduce the issue you mentioned. Please run failed request tracing to see what exactly gives you the 405: https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis – Lex Li Apr 22 '18 at 17:33
  • Thanks, I will check for this later this week – Daan Hermans Apr 24 '18 at 18:39
