B4J Question Questions in REST API Server

alfaiz678

Active Member
Licensed User

aeric

Expert
Licensed User
Longtime User
in terms of security
It is a never ending story and no one bulletproof solution on security. You judge yourself whether it is sufficient for your use case.

requirements
For the former, it can be hosted on shared hosting. For the latter, it needs to be hosted on VPS as you need to run java app on the server.

For small or medium project, I don't think you need to worry at this stage.
 
Last edited:
Upvote 0

alfaiz678

Active Member
Licensed User
It is a never ending story and no one bulletproof solution on security. You judge yourself whether it is sufficient for your use case.


For the former, it can be hosted on shared hosting. For the latter, it needs to be hosted on VPS as you need to java app on the server.

For small or medium project, I don't think you need to worry at this stage.
Well on this I will continue with the previous solution php*mysqli_query but are there any commandments in this solution to get some security
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
The php project above is very minimum. You can use my other project for better practices.
If you are comfortable with PHP, you can use other frameworks such as Laravel to handle security for you.

I recommend to use PDO compare to using mysqli.
 
Upvote 0

alfaiz678

Active Member
Licensed User
The php project above is very minimum. You can use my other project for better practices.
If you are comfortable with PHP, you can use other frameworks such as Laravel to handle security for you.

I recommend to use PDO compare to using mysqli.​
Thank you
 
Upvote 0

alfaiz678

Active Member
Licensed User
I tried pdo
I found this simple code
It works fine
What do you think of it?
Can you add some simple security touches to it?
Sorry for the inconvenience

PHP:
<?php
header("Content-Type: application/json");
include 'db.php';

$method = $_SERVER['REQUEST_METHOD'];
$input = json_decode(file_get_contents('php://input'), true);

switch ($method) {
    case 'GET':
        handleGet($pdo);
        break;
    case 'POST':
        handlePost($pdo, $input);
        break;
    case 'PUT':
        handlePut($pdo, $input);
        break;
    case 'DELETE':
        handleDelete($pdo, $input);
        break;
    default:
        echo json_encode(['message' => 'Invalid request method']);
        break;
}

function handleGet($pdo) {
    $sql = "SELECT * FROM users";
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($result);
}

function handlePost($pdo, $input) {
    $sql = "INSERT INTO users (name, email) VALUES (:name, :email)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['name' => $input['name'], 'email' => $input['email']]);
    echo json_encode(['message' => 'User created successfully']);
}

function handlePut($pdo, $input) {
    $sql = "UPDATE users SET name = :name, email = :email WHERE id = :id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['name' => $input['name'], 'email' => $input['email'], 'id' => $input['id']]);
    echo json_encode(['message' => 'User updated successfully']);
}

function handleDelete($pdo, $input) {
    $sql = "DELETE FROM users WHERE id = :id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['id' => $input['id']]);
    echo json_encode(['message' => 'User deleted successfully']);
}
?>
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
I tried pdo
I found this simple code
Your code is fine but it seems you are limited one query per http method.
You can rename it to more meaningful name such as ListAllUsers() instead of handleGet().

The time I created the example (PHP/MySQL/API) User Login App, I am not sure PHP supported PUT and DELETE methods. I just use POST to execute the Update and Delete queries.

If you have checked my example, I use API Key. This is one way to make it more secure, without requiring the user to login every time to communicate with the server. Of course the better way is to use Access Token because API Key is designed for long time login while Access Token is for short time session. If the admin found there is a security breach, it is easier to revoke the access of a short term access token than a long term access token.

If you understand how API Key works, creating access token is something similar. You just need to generate some random string using MD5 or SHA1 hashing algorithms.
 
Upvote 0

alfaiz678

Active Member
Licensed User
Your code is fine but it seems you are limited one query per http method.
You can rename it to more meaningful name such as ListAllUsers() instead of handleGet().

The time I created the example (PHP/MySQL/API) User Login App, I am not sure PHP supported PUT and DELETE methods. I just use POST to execute the Update and Delete queries.

If you have checked my example, I use API Key. This is one way to make it more secure, without requiring the user to login every time to communicate with the server. Of course the better way is to use Access Token because API Key is designed for long time login while Access Token is for short time session. If the admin found there is a security breach, it is easier to revoke the access of a short term access token than a long term access token.

If you understand how API Key works, creating access token is something similar. You just need to generate some random string using MD5 or SHA1 hashing algorithms.
Unfortunately, I do not understand how to create an access token or an API key. If I find an easier example, I will start with it. I saw your project and downloaded it, but I did not understand it well. Because it is extended
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
Unfortunately, I do not understand how to create an access token or an API key. If I find an easier example, I will start with it. I saw your project and downloaded it, but I did not understand it well. Because it is extended
Start with my project with API key above.

When a user register his email, the user table is inserted a new row with his profile and activation code.
He need to click on the activation link inside his email to activate his account. This is to ensure the email is authentic.
Once his account is activated, he can login using the app.
If he login successfully, the server will generate an API key automatically to return to the app and store in local db.
Further access is using the API key.
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
switch ($method) {
case 'GET':
handleGet($pdo);
break;
PHP:
function handleGet($pdo) {
    $sql = "SELECT * FROM users";
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($result);
}

You already have one function to return all users.
If you want to add another GET endpoint to query a single user, how would you add it?
 
Upvote 0

alfaiz678

Active Member
Licensed User
PHP:
function handleGet($pdo) {
    $sql = "SELECT * FROM users";
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($result);
}

You already have one function to return all users.
If you want to add another GET endpoint to query a single user, how would you add it?
I will make many modifications to this code Change the labels And other functions when browsing with the where clause But this is just a general form for the intermediate php page Only Thank you

PHP:
$stmt = $pdo->prepare("SELECT * FROM users WHERE id=:id");
$stmt->execute(['id' => $id]);
$user = $stmt->fetch();

Something like this
 
Upvote 0

alfaiz678

Active Member
Licensed User
I hope to reach this stage that you indicated to me previously But I have not succeeded so far
PHP:
$stmt = $pdo->prepare("SELECT * FROM users WHERE id=:id
AND id IN (SELECT id FROM user WHERE user_token = :user_token)");
$stmt->execute(['id' => $id],['user_token' => $user_token]);


sql.delete_notes_by_id=DELETE FROM notes WHERE id = ? AND user_id = ? AND user_id IN (SELECT user_id FROM user WHERE user_token = ?) ' good
 
Upvote 0

alfaiz678

Active Member
Licensed User
Thank you I understand many things now
The problem I have now is how to create a token on the server
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
Thank you I understand many things now
The problem I have now is how to create a token on the server

You just need to generate some random string using MD5 or SHA1 hashing algorithms.
There are few ways of implementing token.
PHP has built-in functions to generate that.
 
Upvote 0
Top