php - secure an API request form?
OK, I have the following PHP:

<?php
// function returning nice URLs for our PDFs
function seourl($string) {
    // lower case
    $string = strtolower($string);
    // make alphanumeric (removes other characters)
    $string = preg_replace("/[^a-z0-9_\s-]/", "", $string);
    // clean up multiple dashes or whitespaces
    $string = preg_replace("/[\s-]+/", " ", $string);
    // convert whitespaces and underscores to dashes
    $string = preg_replace("/[\s_]/", "-", $string);
    return $string;
}

// set our POST variables
$name     = $_POST['name'];
$address1 = $_POST['address1'];
$address2 = $_POST['address2'];
$zipcode  = str_replace(' ', '', $_POST['zipcode']);

// store the XML request in a variable
$input_xml = urlencode('<ExternalReturnLabelRequest>
    <CustomerName>'.$name.'</CustomerName>
    <CustomerAddress1>'.$address1.'</CustomerAddress1>
    <CustomerAddress2>'.$address2.'</CustomerAddress2>
    <CustomerCity>Washington</CustomerCity>
    <CustomerState>DC</CustomerState>
    <CustomerZipCode>'.$zipcode.'</CustomerZipCode>
    <LabelFormat>NOI</LabelFormat>
    <LabelDefinition>Zebra-4x6</LabelDefinition>
    <ServiceTypeCode>020</ServiceTypeCode>
    <AddressOverrideNotification>false</AddressOverrideNotification>
    <CallCenterOrSelfService>Customer</CallCenterOrSelfService>
    <AddressValidation>false</AddressValidation>
</ExternalReturnLabelRequest>');

// start cURL (tried file_get_contents to no avail..)
$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, "https://returns.usps.com/services/externalcreatereturnlabel.svc/externalcreatereturnlabel?externalreturnlabelrequest=".$input_xml);
curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
$query = curl_exec($curl_handle);
curl_close($curl_handle);

// decode the response; fails if null is returned
$pdfdecode = base64_decode($query);
if ($pdfdecode != false) {
    $urlfriendlyname = seourl($name);
    $myfile = "labels/labelfor".$urlfriendlyname.$zipcode.".pdf";
    $fh = fopen($myfile, 'w') or die("can't open file");
    fwrite($fh, $pdfdecode);
    fclose($fh);
    header("Location: http://thedarkroom.com/wp-content/themes/thedarkroom2012/".$myfile);
    exit();
    /* mid 201198 */
} else {
    header("Location: http://thedarkroom.com/label/?labelerror=".$query);
    exit();
}

echo "<pre>";
var_dump($pdfdecode);
var_dump($query);
echo "</pre>";

and the HTML:
<form method="post" action="<?php echo get_template_directory_uri(); ?>/get_labels.php">
    <fieldset id="labelfields">
        <label for="name">Name</label><br>
        <input id="name" name="name" type="text" placeholder="Name"/><br>
        <label for="address1">Address line one</label>
        <input id="address1" name="address1" type="text" placeholder="Address line one"/><br>
        <label for="address2">Address line two</label>
        <input id="address2" name="address2" type="text" placeholder="Address line two"/><br>
        <label for="zipcode">Zip code</label>
        <input id="zipcode" name="zipcode" type="text" placeholder="Zip code"/><br>
        <label for="customerstate">State</label>
        <input id="customerstate" name="customerstate" type="text" placeholder="State"/><br>
        <label for="customercity">City</label>
        <input id="customercity" name="customercity" type="text" placeholder="City"/><br>
        <input type="submit" value="Create label"/>
    </fieldset>
</form>

What are the best practices for securing this? I've done strip_tags...
All data that comes to the server must be checked and sanitized. Always. No exception.
Escape potentially unsafe characters. The specific characters you should be cautious about vary depending on the context in which the data is used and the server platform you employ; server-side languages have functions for this.
Limit the incoming amount of data to only what's necessary.
Sandbox uploaded files (store them on a different server and allow access to the file through a different subdomain, or better, through a different domain name).
For preventing cross-site request forgeries, please refer to the article http://shiflett.org/articles/cross-site-request-forgeries
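A hardened version of the question's request handling, added here as an example and not code from the asker, the answerer or USPS: it length-limits and validates the fields, builds the XML with DOMDocument so input is escaped rather than concatenated, checks a session CSRF token, and stores the PDF under an unguessable name. Assumed, not from the page: the function names, the hidden form field and session key label_token, and CamelCase XML element names.

```php
<?php
// Added example, not the asker's or answerer's code. Hypothetical names:
// validateLabelInput, buildReturnLabelXml, labelFileName, CSRF token 'label_token'.
// Length-limit the POSTed fields and refuse control characters instead of
// stripping them; null on any failure so nothing half-clean goes to USPS or disk.
function validateLabelInput(array $post): ?array
{
    $clean = [];
    foreach (['name' => 60, 'address1' => 60, 'address2' => 60] as $key => $max) {
        $v = is_string($post[$key] ?? null) ? trim($post[$key]) : '';
        if (($v === '' && $key !== 'address2') || strlen($v) > $max) return null;
        if (preg_match('/[\x00-\x1F\x7F]/', $v)) return null;
        $clean[$key] = $v;
    }
    $zip = str_replace(' ', '', is_string($post['zipcode'] ?? null) ? $post['zipcode'] : '');
    if (!preg_match('/^\d{5}(-\d{4})?$/', $zip)) return null; // 5-digit or ZIP+4 only
    $clean['zipcode'] = $zip;
    return $clean;
}

// Build the request with DOMDocument: user text becomes text nodes, so a value
// like "</CustomerName><AddressValidation>true" is escaped, never parsed as markup.
// Element names are assumed to be the CamelCase form of those in the question.
function buildReturnLabelXml(array $in): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('ExternalReturnLabelRequest'));
    $fields = ['CustomerName' => $in['name'], 'CustomerAddress1' => $in['address1'],
               'CustomerAddress2' => $in['address2'], 'CustomerCity' => 'Washington',
               'CustomerState' => 'DC', 'CustomerZipCode' => $in['zipcode'],
               'LabelFormat' => 'NOI', 'AddressValidation' => 'false'];
    foreach ($fields as $tag => $text) {
        $root->appendChild($doc->createElement($tag))->appendChild($doc->createTextNode($text));
    }
    return $doc->saveXML($root);
}

// labels/labelfor<name><zip>.pdf is guessable by anyone who knows a customer;
// use a random name and keep the directory outside the web root behind an access check.
function labelFileName(string $dir): string
{
    return rtrim($dir, '/') . '/label-' . bin2hex(random_bytes(16)) . '.pdf';
}

session_start();
// CSRF check first: hash_equals compares in constant time; reject before any network call.
if (!hash_equals((string)($_SESSION['label_token'] ?? ''), (string)($_POST['label_token'] ?? ''))) { http_response_code(403); exit('bad CSRF token'); }
$input = validateLabelInput($_POST);
if ($input === null) { http_response_code(400); exit('invalid input'); }
$xml = buildReturnLabelXml($input); // then urlencode() and send with cURL as in the question
```

The error branch should also stop echoing the raw API response into the redirect URL; log it server-side and redirect with a fixed error code instead.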
php