B4J Question Questions in REST API Server

A

AlfaizDev

Well-Known Member
Licensed User
Sort by date Sort by votes
aeric

aeric

Expert
Licensed User
Longtime User
alfaiz678 said:
in terms of security
Click to expand...
It is a never ending story and no one bulletproof solution on security. You judge yourself whether it is sufficient for your use case.

alfaiz678 said:
requirements
Click to expand...
For the former, it can be hosted on shared hosting. For the latter, it needs to be hosted on VPS as you need to run java app on the server.

For small or medium project, I don't think you need to worry at this stage.
 
Last edited:
Upvote 0
A

AlfaizDev

Well-Known Member
Licensed User
aeric said:
It is a never ending story and no one bulletproof solution on security. You judge yourself whether it is sufficient for your use case.


For the former, it can be hosted on shared hosting. For the latter, it needs to be hosted on VPS as you need to java app on the server.

For small or medium project, I don't think you need to worry at this stage.
Click to expand...
Well on this I will continue with the previous solution php*mysqli_query but are there any commandments in this solution to get some security
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
The php project above is very minimum. You can use my other project for better practices.

(PHP/MySQL/API) User Login App

Web API Updates: Latest B4XPages user login client apps (using B4J server): https://www.b4x.com/android/forum/threads/project-template-user-login-client-b4x.161914/ Older project: https://www.b4x.com/android/forum/threads/b4j-mysql-api-server-key-token-and-b4x-user-login-apps.126081/...
www.b4x.com www.b4x.com
If you are comfortable with PHP, you can use other frameworks such as Laravel to handle security for you.

I recommend to use PDO compare to using mysqli.
 
Upvote 0
A

AlfaizDev

Well-Known Member
Licensed User
aeric said:
The php project above is very minimum. You can use my other project for better practices.

(PHP/MySQL/API) User Login App

Web API Updates: Latest B4XPages user login client apps (using B4J server): https://www.b4x.com/android/forum/threads/project-template-user-login-client-b4x.161914/ Older project: https://www.b4x.com/android/forum/threads/b4j-mysql-api-server-key-token-and-b4x-user-login-apps.126081/...
www.b4x.com www.b4x.com
If you are comfortable with PHP, you can use other frameworks such as Laravel to handle security for you.

I recommend to use PDO compare to using mysqli.​
Click to expand...
Thank you
 
Upvote 0
A

AlfaizDev

Well-Known Member
Licensed User
I tried pdo
I found this simple code
It works fine
What do you think of it?
Can you add some simple security touches to it?
Sorry for the inconvenience

PHP: 
<?php
header("Content-Type: application/json");
include 'db.php';

$method = $_SERVER['REQUEST_METHOD'];
$input = json_decode(file_get_contents('php://input'), true);

switch ($method) {
    case 'GET':
        handleGet($pdo);
        break;
    case 'POST':
        handlePost($pdo, $input);
        break;
    case 'PUT':
        handlePut($pdo, $input);
        break;
    case 'DELETE':
        handleDelete($pdo, $input);
        break;
    default:
        echo json_encode(['message' => 'Invalid request method']);
        break;
}

function handleGet($pdo) {
    $sql = "SELECT * FROM users";
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($result);
}

function handlePost($pdo, $input) {
    $sql = "INSERT INTO users (name, email) VALUES (:name, :email)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['name' => $input['name'], 'email' => $input['email']]);
    echo json_encode(['message' => 'User created successfully']);
}

function handlePut($pdo, $input) {
    $sql = "UPDATE users SET name = :name, email = :email WHERE id = :id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['name' => $input['name'], 'email' => $input['email'], 'id' => $input['id']]);
    echo json_encode(['message' => 'User updated successfully']);
}

function handleDelete($pdo, $input) {
    $sql = "DELETE FROM users WHERE id = :id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['id' => $input['id']]);
    echo json_encode(['message' => 'User deleted successfully']);
}
?>
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
alfaiz678 said:
I tried pdo
I found this simple code
Click to expand...
Your code is fine but it seems you are limited one query per http method.
You can rename it to more meaningful name such as ListAllUsers() instead of handleGet().

The time I created the example (PHP/MySQL/API) User Login App, I am not sure PHP supported PUT and DELETE methods. I just use POST to execute the Update and Delete queries.

If you have checked my example, I use API Key. This is one way to make it more secure, without requiring the user to login every time to communicate with the server. Of course the better way is to use Access Token because API Key is designed for long time login while Access Token is for short time session. If the admin found there is a security breach, it is easier to revoke the access of a short term access token than a long term access token.

If you understand how API Key works, creating access token is something similar. You just need to generate some random string using MD5 or SHA1 hashing algorithms.
 
Upvote 0
A

AlfaizDev

Well-Known Member
Licensed User
aeric said:
Your code is fine but it seems you are limited one query per http method.
You can rename it to more meaningful name such as ListAllUsers() instead of handleGet().

The time I created the example (PHP/MySQL/API) User Login App, I am not sure PHP supported PUT and DELETE methods. I just use POST to execute the Update and Delete queries.

If you have checked my example, I use API Key. This is one way to make it more secure, without requiring the user to login every time to communicate with the server. Of course the better way is to use Access Token because API Key is designed for long time login while Access Token is for short time session. If the admin found there is a security breach, it is easier to revoke the access of a short term access token than a long term access token.

If you understand how API Key works, creating access token is something similar. You just need to generate some random string using MD5 or SHA1 hashing algorithms.
Click to expand...
Unfortunately, I do not understand how to create an access token or an API key. If I find an easier example, I will start with it. I saw your project and downloaded it, but I did not understand it well. Because it is extended
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
alfaiz678 said:
Unfortunately, I do not understand how to create an access token or an API key. If I find an easier example, I will start with it. I saw your project and downloaded it, but I did not understand it well. Because it is extended
Click to expand...
Start with my project with API key above.

When a user register his email, the user table is inserted a new row with his profile and activation code.
He need to click on the activation link inside his email to activate his account. This is to ensure the email is authentic.
Once his account is activated, he can login using the app.
If he login successfully, the server will generate an API key automatically to return to the app and store in local db.
Further access is using the API key.
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
alfaiz678 said:
switch ($method) {
case 'GET':
handleGet($pdo);
break;
Click to expand...
PHP: 
function handleGet($pdo) {
    $sql = "SELECT * FROM users";
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($result);
}

You already have one function to return all users.
If you want to add another GET endpoint to query a single user, how would you add it?
 
Upvote 0
A

AlfaizDev

Well-Known Member
Licensed User
aeric said:
PHP: 
function handleGet($pdo) {
    $sql = "SELECT * FROM users";
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($result);
}

You already have one function to return all users.
If you want to add another GET endpoint to query a single user, how would you add it?
Click to expand...
I will make many modifications to this code Change the labels And other functions when browsing with the where clause But this is just a general form for the intermediate php page Only Thank you

PHP: 
$stmt = $pdo->prepare("SELECT * FROM users WHERE id=:id");
$stmt->execute(['id' => $id]);
$user = $stmt->fetch();

Something like this
 
Upvote 0
A

AlfaizDev

Well-Known Member
Licensed User
I hope to reach this stage that you indicated to me previously But I have not succeeded so far
PHP: 
$stmt = $pdo->prepare("SELECT * FROM users WHERE id=:id
AND id IN (SELECT id FROM user WHERE user_token = :user_token)");
$stmt->execute(['id' => $id],['user_token' => $user_token]);


sql.delete_notes_by_id=DELETE FROM notes WHERE id = ? AND user_id = ? AND user_id IN (SELECT user_id FROM user WHERE user_token = ?) ' good
 
Upvote 0
A

AlfaizDev

Well-Known Member
Licensed User
Thank you I understand many things now
The problem I have now is how to create a token on the server
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
alfaiz678 said:
Thank you I understand many things now
The problem I have now is how to create a token on the server
Click to expand...

aeric said:
You just need to generate some random string using MD5 or SHA1 hashing algorithms.
Click to expand...
There are few ways of implementing token.
PHP has built-in functions to generate that.
 
Upvote 0
You must log in or register to reply here.
Top