
M-K (Level 2)

Can I make this API more secure?

Hi,

1 - The user fills the form to buy something.
2 - Encode the form data and send it to the API.
3 - The API checks/releases the product.

form:

<form method="POST" action="https://..API" @submit="encodeForm">
    <input type="hidden" name="QUANTITY" :value="q">
    <input type="hidden" name="CURRENCY" :value="currency">
    <input type="hidden" name="EMAIL" :value="match">

    <input type="hidden" name="m_sign" :value="m_sign">
    <!-- ... further hidden fields ... -->
    <button type="submit">buy</button>
</form>

Vue method

encodeForm(e) {
    // Hold the native submit until the signature has been fetched
    e.preventDefault();
    axios.get('/encode', {
        params: {
            currency: 'usd',
            quantity: 2,
            id: 1
            // ... remaining order fields
        }
    })
    .then((response) => {
        // Arrow function keeps `this` bound to the Vue component
        this.m_sign = response.data;
        // Wait for the hidden m_sign input to re-render before submitting
        this.$nextTick(() => e.target.submit());
    });
}

encode.php

use Illuminate\Http\Request;

public function encode(Request $request)
{
    $secret = '123';

    // Values come from the GET query string sent by encodeForm()
    $arHash = [
        $request->input('id'),
        $request->input('currency'),
        $request->input('quantity'),
        $request->input('m_curr'),
        $request->input('m_desc'),
    ];

    // The key appended to the hashed string is the md5 of the secret
    $m_key = md5($secret);
    $arHash[] = $m_key;

    $sign = strtoupper(hash('sha256', implode(':', $arHash)));

    return $sign;
}

API.php:

use Illuminate\Http\Request;

class API extends Controller
{
    public function API(Request $request)
    {
        $secret = '123';

        // Reject queries from IP addresses not belonging to the original website
        if (!in_array($_SERVER['REMOTE_ADDR'], ['123.123.12.1'])) return;

        // Signature check at this point using the $secret key; the field order
        // and the appended key must match encode.php exactly
        $arHash = [
            $_POST['1'],
            $_POST['2'],
            // ... remaining fields, in the same order as encode.php
        ];
        $arHash[] = md5($secret);
        $sign_hash = strtoupper(hash('sha256', implode(':', $arHash)));
        if ($_POST['m_sign'] == $sign_hash) {
            // signature matches
        }

        // Check the original price/currency to make sure the buyer didn't change it.

        // release the product
    }
}


Should I use Laravel Passport for this?

0 likes
6 replies
ftiersch

First my question:

Why are you encoding the data?

1 like
M-K (Level 2)

@FTIERSCH - because I want to hash the form data with a $secret key, then in API.php I rehash the received input with the same key and compare the two. But it's not correct, because anyone can send the data to '/encode' and receive it hashed.

1 like
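The weakness M-K identifies above is the central one: an endpoint that signs whatever values the caller supplies lets anyone obtain a valid signature for a price of their own choosing. The following is an added example, not code from this thread or from Laravel: plain PHP (runs with `php example.php`) showing the pattern that avoids it. The signer takes only the product id and quantity from the client and derives the amount from a server-side catalogue, uses hash_hmac() rather than a hash of values concatenated with the secret, and the verifier compares with hash_equals() instead of `==`. The catalogue, the secret, and the function names (build_signed_order, verify_submission) are constructed placeholders; in a Laravel app the signer would run in the controller that renders the order page and the verifier in the API controller.

```php
<?php
// Added example, not from the thread. Placeholder secret shared between the
// signer (web server) and the verifier (API); a real one is random bytes from
// config, never a literal like '123'.
const SHARED_SECRET = 'placeholder-change-me-to-32-random-bytes';

// Constructed catalogue; in a real app this is the products table.
const CATALOGUE = [
    1 => ['price_cents' => 1999, 'currency' => 'USD', 'desc' => 'Example product'],
];

// Fields covered by the signature, in a fixed order.
const SIGNED_FIELDS = ['id', 'quantity', 'amount_cents', 'currency', 'desc'];

// Canonical string over the signed fields. Each value is URL-encoded so the
// delimiter cannot occur inside a value; with a bare implode(':') the inputs
// ("a:b", "c") and ("a", "b:c") would sign identically.
function canonical_string(array $fields): string
{
    $parts = [];
    foreach (SIGNED_FIELDS as $name) {
        $parts[] = $name . '=' . rawurlencode((string) ($fields[$name] ?? ''));
    }
    return implode('&', $parts);
}

// A real MAC: hash_hmac() keyed with the secret, rather than sha256 over the
// values with the secret appended as one more field.
function compute_signature(array $fields, string $secret): string
{
    return hash_hmac('sha256', canonical_string($fields), $secret);
}

// Signer side. Only the product id and quantity are client-chosen; price,
// currency and description come from the catalogue, so no caller can obtain a
// signature over a price they picked. Returns the hidden-field values
// (including m_sign), or null for an invalid request.
function build_signed_order(int $id, int $quantity, string $secret): ?array
{
    if ($quantity < 1 || $quantity > 100 || !array_key_exists($id, CATALOGUE)) {
        return null;
    }
    $p = CATALOGUE[$id];
    $order = [
        'id'           => (string) $id,
        'quantity'     => (string) $quantity,
        'amount_cents' => (string) ($p['price_cents'] * $quantity),
        'currency'     => $p['currency'],
        'desc'         => $p['desc'],
    ];
    $order['m_sign'] = compute_signature($order, $secret);
    return $order;
}

// Verifier side (the API). Checks the shape of the POST, recomputes the
// signature over the submitted values and compares in constant time with
// hash_equals(). Returns the verified fields or null.
function verify_submission(array $post, string $secret): ?array
{
    foreach (array_merge(SIGNED_FIELDS, ['m_sign']) as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null;
        }
    }
    if (!ctype_digit($post['id']) || !ctype_digit($post['quantity'])
        || !ctype_digit($post['amount_cents'])) {
        return null;
    }
    $expected = compute_signature($post, $secret);
    if (!hash_equals($expected, $post['m_sign'])) {
        return null; // tampered or forged
    }
    return array_intersect_key($post, array_flip(SIGNED_FIELDS));
}

// Demonstration: a legitimate order verifies; the same order with the amount
// edited in the browser does not.
$order = build_signed_order(1, 2, SHARED_SECRET);
$tampered = $order;
$tampered['amount_cents'] = '1';

$legitOk    = verify_submission($order, $secret = SHARED_SECRET) !== null;
$tamperedOk = verify_submission($tampered, SHARED_SECRET) !== null;
printf("legitimate order verifies: %s\n", $legitOk ? 'yes' : 'no');
printf("tampered amount verifies:  %s\n", $tamperedOk ? 'yes' : 'no');
```

Two caveats. The signature only earns its keep when the verifying party is a different service from the signer (a payment gateway, for instance); if API.php has the catalogue itself, it can simply take id and quantity and look the price up, and the signature adds nothing. And this check does not stop replay of a valid signed order, so the verifier should also record an order id or nonce inside the signed fields and refuse to release a product for one it has already seen.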
ftiersch

Exactly what @tray2 is saying. It's good that you care about security, but that's the whole purpose of HTTPS: so no one can intercept the communication and read it.

Otherwise you would have to encode the whole thing in JavaScript. But since your JavaScript is by definition readable from the browser, a hacker can still read it.

1 like
M-K (Level 2)

@FTIERSCH - OK, thanks. Should I make the page PHP and insert {!! csrf_field() !!} inside the form?

ftiersch

@MOUKBEL - If you want to send it via AJAX, you can send a header with the CSRF token. I think the header is called X-CSRF-TOKEN and works exactly the same way as csrf_field :)

1 like
