Thread: Help w/ Simple Curl API

  1. #1
    Join Date
    Jan 2003
    Posts
    218

    Help w/ Simple Curl API

    I'm trying to adapt an existing cURL API script to my site and am having some trouble generating the results that I need. Any help would be greatly appreciated. Thank you.

    Here's the API script on the user site that checks the other site for database matches:
    Code:
    // Open curl connection and set up your request
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, count($values));
    curl_setopt($ch, CURLOPT_POSTFIELDS, $values_string);
    
    // Execute the request
    $result = curl_exec($ch);
    
    if ($result === false)  {
    // There was an error -- probably a typo
    } elseif ($result == 1) {
    // There was no match
    } elseif ($result == 0) {
    // There was a match
    } else {
    // Nothing happened
    }
    I'm passing some data in the $values_string array (apikey, id1, id2) for the query to run on the other site.

    And here is the mysql query on the other site:
    Code:
    if ($apikey == "123456789") {
    	
    	$query = "SELECT * FROM table WHERE field1=$id1 AND field2=$id2";
    	$result = @mysql_query($query);
    	
    	if ($result && @mysql_num_rows($result) > 0) {
    		// There is a match - what do I do here?
    	} else {
    		// There is no match - what do I do here?
    	}
    }
    I'd really like to be able to generate the four different results from the second page. Obviously, I'm missing some basic understandings of how the cURL script works. (For instance, when I test with the wrong apikey, the API returns a 1 -- which should only be returned when the apikey is correct and there is no match from the query.)

    Thank you for your help!

  2. #2
    Join Date
    Jan 2003
    Posts
    218
    So I've made some tweaks. The issue I'm still having is with the apikey. If I send the wrong apikey -- it still returns "available". I'm apparently missing something here.
    Code:
    // Open curl connection and set up your request
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, count($values));
    curl_setopt($ch, CURLOPT_POSTFIELDS, $values_string);
    
    // Execute the request
    $result = curl_exec($ch);
    
    if ($result == "available") {
    print "there was no match. it's available";
    } else if ($result == "taken") {
    print "there was a match. it's not available";
    }
    Code:
    if ($apikey == "[NUMBER HERE]") {
    	
    	$query = "SELECT * FROM table WHERE field1=$id1 AND field2=$id2";
    	$result = @mysql_query($query);
    	
    	if ($result && @mysql_num_rows($result) > 0) {
    		print "taken";
    	} else {
    		print "available";
    	}
    }
    If I just pass the variables in the URL to the query page and use the wrong apikey, nothing happens. It's when I try to use the cURL script that I return "available" when using the wrong apikey. I'm sure it's something simple I'm missing here.

    Thank you for your help!

  3. #3
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,330
    PHP Code:
    if ($result 
    ...is testing whether or not the query was successfully executed, not whether or not it returned anything; so if it is failing (e.g. due to a syntax error -- perhaps due to no value for $id1 or $id2), then you'll fall through to the else block.

    So as always, check your query return value for false first and handle any failures accordingly (debug output to log file, failure message to user, etc.).
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  4. #4
    Join Date
    Jan 2003
    Posts
    218
    My issue is not really with the query page. It works fine. I was just hoping that if I pass the wrong apikey to the page -- that nothing would be returned. Instead, it returns a 1. I don't know enough about cURL to know why this is. Or if there is a way around it. The whole apikey is just to prevent someone from tapping into this little API directly.

  5. #5
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,330
    If the api key is incorrect, then nothing gets output. Maybe you need an else that returns "invalid api key" or some other indicator to check for in your cURL response?

    PS: And I hope you are sanitizing the inputs before you use them in your query?
    Last edited by NogDog; 04-22-2012 at 03:46 PM.
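The suggestion above, as an added example that is not part of the original posts: the remote page answers every request with exactly one token, including for a wrong key or a failed query, and the calling page compares the cURL result strictly. `API_KEY`, `check_availability()`, `interpret_response()` and the stubbed `$lookup` are hypothetical names; the key and the sample requests are constructed.

```php
<?php
const API_KEY = 'constructed-demo-key'; // constructed value

// Remote side: always print exactly one token, including on failure.
// $lookup stands in for the query: row count, or false if the query failed.
function check_availability(array $post, callable $lookup): string
{
    $key = (string) ($post['apikey'] ?? '');
    if (!hash_equals(API_KEY, $key)) {          // constant-time comparison
        return 'invalid api key';
    }
    $rows = $lookup($post['id1'] ?? '', $post['id2'] ?? '');
    if ($rows === false) {
        return 'error';                         // failed query is not "no match"
    }
    return $rows > 0 ? 'taken' : 'available';
}

// Calling side: $result is what curl_exec() returned with
// CURLOPT_RETURNTRANSFER set (false on transport failure, else the body).
function interpret_response($result): string
{
    if ($result === false) {
        return 'transport failure';
    }
    $body = trim($result);
    // Strict match: an empty or unexpected body is never read as a result.
    $known = ['invalid api key', 'error', 'taken', 'available'];
    return in_array($body, $known, true) ? $body : 'unexpected response';
}

// Constructed lookup: only the pair (5, 9) "exists"; non-numeric ids fail.
$lookup = function (string $id1, string $id2) {
    if (!ctype_digit($id1) || !ctype_digit($id2)) {
        return false;
    }
    return ($id1 === '5' && $id2 === '9') ? 1 : 0;
};

$requests = [                                   // constructed sample requests
    ['apikey' => 'wrong',  'id1' => '5', 'id2' => '9'],
    ['apikey' => API_KEY,  'id1' => '5', 'id2' => '9'],
    ['apikey' => API_KEY,  'id1' => '5', 'id2' => '1'],
    ['apikey' => API_KEY,  'id1' => '',  'id2' => '9'],
];
foreach ($requests as $post) {
    echo interpret_response(check_availability($post, $lookup)), "\n";
}
echo interpret_response(''), "\n";              // empty body from the remote page
```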

  6. #6
    Join Date
    Jan 2003
    Posts
    218
    That's true.

    And yes -- I'm going to sanitize the inputs.

    Thanks.

  7. #7
    Join Date
    Jan 2003
    Posts
    218

    Dumb question. Should I sanitize EVERY input that is passed in a URL to a page to be used in a query?

  8. #8
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,330
    Any value that comes from an external source you do not have 100% control over must be sanitized. (And what the heck, why not sanitize those you think you have 100% control over, just in case?)

    One of the easiest ways is to make use of prepared statements with bound parameters (available via the MySQLi extension or the PDO extension). If that is not practical, you can make use of mysql_real_escape_string() for the "regular" MySQL extension, and in cases of values that should be integers or floats, simply cast them as such before using them:
    PHP Code:
    $sql = sprintf(
      "SELECT * FROM some_table WHERE id=%d and type='%s'",
      (int) $_GET['id'], // cast to integer
      mysql_real_escape_string($_GET['type']) // escape a string
    );
    $result = mysql_query($sql);
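Prepared statements with bound parameters, applied to the thread's field1/field2 lookup (an added example, not NogDog's or the original poster's code). It assumes the pdo_sqlite extension so that it runs offline in place of MySQL; the `items` table, the `lookup()` function and the sample values are constructed.

```php
<?php
// SQLite in memory stands in for the MySQL table so the example runs offline;
// with MySQL only the DSN changes. The table name `items` is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (field1 INTEGER, field2 INTEGER)');
$db->exec('INSERT INTO items VALUES (5, 9)');   // constructed row

// Returns 'taken', 'available' or 'bad input'. The ids never become part of
// the SQL text: they are validated as integers and then bound as parameters.
function lookup(PDO $db, $id1, $id2): string
{
    $id1 = filter_var($id1, FILTER_VALIDATE_INT);
    $id2 = filter_var($id2, FILTER_VALIDATE_INT);
    if ($id1 === false || $id2 === false) {
        return 'bad input';
    }
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM items WHERE field1 = :id1 AND field2 = :id2'
    );
    $stmt->bindValue(':id1', $id1, PDO::PARAM_INT);
    $stmt->bindValue(':id2', $id2, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn() > 0 ? 'taken' : 'available';
}

// Constructed inputs, as they would arrive in $_POST (always strings).
echo lookup($db, '5', '9'), "\n";      // existing pair
echo lookup($db, '5', '1'), "\n";      // no such pair
echo lookup($db, '5abc', '9'), "\n";   // not an integer: rejected before the query
echo lookup($db, '', '9'), "\n";       // missing value: rejected before the query
```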

  9. #9
    Join Date
    Jan 2003
    Posts
    218
    That's what I thought. I've been using mysql_real_escape_string(). Thanks for your advice.
