I'm trying to adapt an existing cURL API script to my site and am having some trouble generating the results that I need. Any help would be greatly appreciated. Thank you.
Here's the API script on the user site that checks the other site for database matches:
Code:
// $url, $values (array with apikey, id1, id2) and $values_string are set earlier
// Open curl connection and set up your request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true); // CURLOPT_POST takes a bool, not a field count
curl_setopt($ch, CURLOPT_POSTFIELDS, $values_string);
// Execute the request
$result = curl_exec($ch);
curl_close($ch);
// Note: the branches below use loose (==) comparisons against a string body
if ($result === false) {
    // There was an error -- probably a typo
} elseif ($result == 1) {
    // There was no match
} elseif ($result == 0) {
    // There was a match
} else {
    // Nothing happened
}
I'm passing some data in the $values_string array (apikey, id1, id2) for the query to run on the other site.
And here is the mysql query on the other site:
Code:
// $apikey, $id1 and $id2 are taken from the POSTed fields
if ($apikey == "123456789") {
    // $id1 and $id2 are interpolated unescaped into the SQL text
    $query = "SELECT * FROM table WHERE field1=$id1 AND field2=$id2";
    $result = @mysql_query($query);   // @ hides any query error
    if ($result && @mysql_num_rows($result) > 0) {
        // There is a match - what do I do here?
    } else {
        // There is no match - what do I do here?
    }
}
I'd really like to be able to generate the four different results from the second page. Obviously, I'm missing some basic understanding of how the cURL script works. (For instance, when I test with the wrong apikey, the API returns a 1 -- which should only be returned when the apikey is correct and there is no match from the query.)
So I've made some tweaks. The issue I'm still having is with the apikey. If I send the wrong apikey -- it still returns "available". I'm apparently missing something here.
Code:
// $url, $values (array with apikey, id1, id2) and $values_string are set earlier
// Open curl connection and set up your request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true); // CURLOPT_POST takes a bool, not a field count
curl_setopt($ch, CURLOPT_POSTFIELDS, $values_string);
// Execute the request
$result = curl_exec($ch);
curl_close($ch);
// No branch handles a false, empty or unexpected body (e.g. a wrong apikey)
if ($result == "available") {
    print "there was no match. it's available";
} else if ($result == "taken") {
    print "there was a match. it's not available";
}
Code:
// $apikey, $id1 and $id2 are taken from the POSTed fields
if ($apikey == "[NUMBER HERE]") {
    // $id1 and $id2 are interpolated unescaped into the SQL text
    $query = "SELECT * FROM table WHERE field1=$id1 AND field2=$id2";
    $result = @mysql_query($query);   // @ hides any query error
    if ($result && @mysql_num_rows($result) > 0) {
        print "taken";
    } else {
        print "available";   // also reached when the query itself fails
    }
}
// nothing is printed at all when the apikey does not match
If I just pass the variables in the URL to the query page and use the wrong apikey, nothing happens. It's when I try to use the cURL script that I return "available" when using the wrong apikey. I'm sure it's something simple I'm missing here.
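The client half of the check, as an added example that is not the poster's code. It assumes the endpoint answers with exactly one of the plain-text tokens "taken", "available", "invalid_key" or "error", and that $url, $apikey, $id1 and $id2 are placeholders you supply; the response mapping is kept in its own function so it can be exercised without a network, and it compares strictly, because with loose == an empty body (what a wrong apikey produced in the original endpoint) and a non-numeric string both equal 0 before PHP 8.

```php
<?php
// Added example, not code from the thread. Assumed API contract: the endpoint
// replies with one of "taken", "available", "invalid_key" or "error".

/**
 * Map the raw cURL outcome to one result the caller can act on.
 * Separated from the transport so it can be tested offline.
 */
function interpret_api_response($body, $httpCode, $curlErrno)
{
    if ($curlErrno !== 0 || $body === false) {
        return 'transport_error';   // DNS, TLS, timeout, typo in $url ...
    }
    if ($httpCode !== 200) {
        return 'http_error';        // e.g. 404 from a wrong path, 500 from the endpoint
    }
    // Strict comparison: "" == 0 and "available" == 0 are both true before PHP 8,
    // which is how an empty body lands in the wrong branch of the original script.
    switch (trim($body)) {
        case 'taken':       return 'taken';
        case 'available':   return 'available';
        case 'invalid_key': return 'invalid_key';
        case 'error':       return 'server_error';
        default:            return 'unexpected';   // empty body or anything else
    }
}

function check_availability($url, $apikey, $id1, $id2)
{
    // $url, $apikey, $id1, $id2 are placeholders supplied by the caller
    $values = array('apikey' => $apikey, 'id1' => $id1, 'id2' => $id2);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($values)); // url-encoded, no hand-built string
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // leave TLS verification on for an https $url
    $body     = curl_exec($ch);
    $errno    = curl_errno($ch);
    $httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    return interpret_api_response($body, $httpCode, $errno);
}

// Offline exercise of the mapping with constructed inputs (no request is made):
foreach (array(
    array('available', 200, 0),   // normal "no match" answer
    array('', 200, 0),            // empty body: what a wrong apikey produced in the original endpoint
    array(false, 0, 6),           // curl itself failed (errno 6 = could not resolve host)
    array('taken', 500, 0),       // body present but the server reported an error
) as $case) {
    list($body, $code, $errno) = $case;
    echo interpret_api_response($body, $code, $errno), "\n";
}
```

The point of the separate transport checks is that curl_exec() returning false, a non-200 status and an empty body are three different failures; folding them into the "available"/"taken" test is what made a bad key look like a free id.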
...is testing whether or not the query was successfully executed, not whether or not it returned anything; so if it is failing (e.g. due to a syntax error -- perhaps due to no value for $id1 or $id2), then you'll fall through to the else block.
So as always, check your query return value for false first and handle any failures accordingly (debug output to log file, failure message to user, etc.).
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
My issue is not really with the query page. It works fine. I was just hoping that if I pass the wrong apikey to the page, nothing would be returned. Instead, it returns a 1. I don't know enough about cURL to know why this is. Or if there is a way around it. The whole apikey is just to prevent someone from tapping into this little API directly.
If the api key is incorrect, then nothing gets output. Maybe you need an else that returns "invalid api key" or some other indicator to check for in your cURL response?
PS: And I hope you are sanitizing the inputs before you use them in your query?
Last edited by NogDog; 04-22-2012 at 03:46 PM.
Any value that comes from an external source you do not have 100% control over must be sanitized. (And what the heck, why not sanitize those you think you have 100% control over, just in case?)
One of the easiest ways is to make use of prepared statements with bound parameters (available via the MySQLi extension or the PDO extension). If that is not practical, you can make use of mysql_real_escape_string() for the "regular" MySQL extension, and in cases of values that should be integers or floats, simply cast them as such before using them:
PHP Code:
// ext/mysql (mysql_query() etc.) was removed in PHP 7; with MySQLi or PDO use prepared statements instead
$sql = sprintf(
    "SELECT * FROM some_table WHERE id=%d and type='%s'",
    (int) $_GET['id'],                        // cast to integer
    mysql_real_escape_string($_GET['type'])   // escape a string (needs an open connection)
);
$result = mysql_query($sql);
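The endpoint rewritten to follow the three points made in the replies, as an added example that is neither NogDog's nor the original poster's code: the wrong-key case gets its own response instead of silence, a query failure is reported before anything is declared "available", and the ids reach MySQL as bound parameters rather than interpolated text. Assumed: a table named "table" with integer columns field1 and field2, the DSN and credentials shown (placeholders), the "[NUMBER HERE]" key placeholder from the thread, and PHP >= 5.6 for hash_equals().

```php
<?php
// Added example, not code from the thread. Emits exactly one of:
// invalid_key, taken, available, error.

$valid_key = '[NUMBER HERE]';  // placeholder as in the thread; load from config, not source, in practice

function respond($token)
{
    header('Content-Type: text/plain');
    echo $token;
    exit;
}

// Key check first; this else branch is what the original endpoint was missing.
$apikey = isset($_POST['apikey']) ? (string) $_POST['apikey'] : '';
$key_ok = function_exists('hash_equals')
    ? hash_equals($valid_key, $apikey)   // constant-time compare, PHP >= 5.6
    : ($valid_key === $apikey);          // strict fallback on older PHP (assumption: acceptable here)
if (!$key_ok) {
    respond('invalid_key');
}

// Values that must be integers are cast, so a missing or malformed id becomes 0
// rather than an empty slot in the SQL (the syntax-error case NogDog describes).
$id1 = isset($_POST['id1']) ? (int) $_POST['id1'] : 0;
$id2 = isset($_POST['id2']) ? (int) $_POST['id2'] : 0;
if ($id1 <= 0 || $id2 <= 0) {
    respond('error');   // refuse rather than query with a bogus id
}

try {
    // Assumed DSN/credentials (placeholders)
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ));
    // Placeholders instead of interpolation: the ids never become part of the SQL text.
    $stmt = $pdo->prepare('SELECT 1 FROM `table` WHERE field1 = :id1 AND field2 = :id2 LIMIT 1');
    $stmt->bindValue(':id1', $id1, PDO::PARAM_INT);
    $stmt->bindValue(':id2', $id2, PDO::PARAM_INT);
    $stmt->execute();
    $matched = ($stmt->fetchColumn() !== false);   // false when no row came back
} catch (PDOException $e) {
    error_log('availability check failed: ' . $e->getMessage()); // detail goes to the log ...
    respond('error');                                              // ... not to the caller
}

respond($matched ? 'taken' : 'available');
```

Because execute() throws under ERRMODE_EXCEPTION, the "available" answer can only be reached after the query actually ran, which is the ordering NogDog asks for; the caller sees a fixed token for each of the four outcomes and never a database error message.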