0

I have made an API script for my website, so people can log in from another website. It's using PHP cURL to POST data to my website.

I'm using an API key (MD5 hash of the website) to verify the website with my MySQL database. But when someone is using my API client (PHP cURL), they can also save the usernames and passwords of my users.

How can I prevent this?

Raj
Sander
    Don't allow users of your api to access any table they want? The API methods should be configured to do a specific task. – Kevin Peno Mar 04 '11 at 00:05

3 Answers

2

You might want to consider using OAuth. It's designed for exactly what you want to do.

jterrace
0

If someone is typing their username and password onto a website other than your own, there is no way for you to prevent the owner of the website from capturing it...

Shad
0

What you'll want to do is have your site generate a secure set of credentials for the user's account, similar to a username/password, but only to be used by the API. Also, prevent this new set of credentials from having the ability to do things like delete the user's account or change email address.

Also, give the users the ability to have their API credentials changed if they want (in case a third party gets it and the user no longer wants them to have access).

Thomas Hunter II
    So if I just create a second username and password that are different from the website login, it will be safe? – Sander Mar 04 '11 at 08:52
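
The API-only credential scheme from the last answer (separate secret, restricted actions, revocable per site), sketched as an added example that is not code from any poster on this page. The in-memory `$store` array stands in for a MySQL table, and the scope names, site name and function names are hypothetical; it assumes PHP 7.4 or later.

```php
<?php
// Added example. $store stands in for a MySQL table (assumption):
// sha256(token) => [user id, third-party site, allowed scopes].
$store = [];

// Everything an API credential may ever do. Account-critical actions
// (delete account, change email) are deliberately not in this list.
const API_SCOPES = ['profile.read', 'posts.read', 'posts.write'];

// Issue a credential for one user and one third-party site.
// Only the hash is stored; the plaintext token is shown to the user once.
function issueApiToken(array &$store, int $userId, string $site, array $scopes): string
{
    // Silently drop any requested scope that is not allow-listed.
    $scopes = array_values(array_intersect($scopes, API_SCOPES));
    $token  = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [
        'user' => $userId, 'site' => $site, 'scopes' => $scopes,
    ];
    return $token;
}

// Return the user id if the token exists and covers $action, otherwise null.
function authorize(array $store, string $token, string $action): ?int
{
    $row = $store[hash('sha256', $token)] ?? null;
    if ($row === null || !in_array($action, $row['scopes'], true)) {
        return null;
    }
    return $row['user'];
}

// Revoke every credential a user gave to one site.
// The user's real website password is never involved, so it stays valid.
function revokeSite(array &$store, int $userId, string $site): void
{
    $store = array_filter(
        $store,
        fn($r) => !($r['user'] === $userId && $r['site'] === $site)
    );
}

// Constructed sample run: the site asks for one allowed and one forbidden scope.
$t = issueApiToken($store, 42, 'partner.example', ['posts.read', 'account.delete']);
var_dump(authorize($store, $t, 'posts.read'));     // allowed scope
var_dump(authorize($store, $t, 'account.delete')); // requested but never grantable
revokeSite($store, 42, 'partner.example');
var_dump(authorize($store, $t, 'posts.read'));     // same token after revocation
```

A third-party site that stores this token can still replay it, which is why the scope list and per-site revocation carry the protection rather than the secrecy of the token.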