I am new to this stuff and this could be a simple question, but I want to validate the API response that comes from a web site.
I am a reseller for a company with my own web site. All users are registered on the main company's website through my website, which means usernames/passwords are stored with the company's web site.
Now, I have some stuff on my web site which I want to show only to the registered users. Also, I have the APIs to check the username and password combination of any user, for which I get back a message similar to the following with the help of `file_get_contents`:
If successful:
```xml
<?xml version="1.0" ?>
<!DOCTYPE ValidateUser (View Source for full doctype...)>
<ValidateUser>
  <Customer>james</Customer>
  <Result>Success</Result>
</ValidateUser>
```
OR if failed, then:
```xml
<?xml version="1.0" ?>
<!DOCTYPE ValidateUser (View Source for full doctype...)>
<ValidateUser>
  <Customer>james</Customer>
  <Result>Failed</Result>
  <Reason>User/Password combination unknown</Reason>
</ValidateUser>
```
That is the situation, and I was thinking of writing PHP code with an if statement that can check or validate the above message that came from the API request; on the basis of that I can allow or reject a user visiting that particular page on my web site.
Hope it makes sense to you.
Have a look at PHP SimpleXML. Parsing should be fairly easy using that.
Some code similar to the following should do the trick:
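```php
$result = file_get_contents('http://www.example.com/validate?username=john&pwd=mypwdhash');
// <ValidateUser> is the root element, so the SimpleXMLElement object
// already represents it and <Result> is read directly from it.
$simpleXML = new SimpleXMLElement($result);
if ((string) $simpleXML->Result === "Success") {
    // success
} else {
    // fail
}
```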
Alternatively, you can just search for the word "success" within the XML string.
On a side-note: Using this methodology to authenticate users is not so safe, as it involves GET requests in which you mention usernames and password hashes (I assume you do use a password hash and not the plaintext password, right?).
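
An added example, not part of the original answer: a fail-closed check of the `ValidateUser` reply that denies access on a missing, malformed or mismatched response. `isValidatedUser()` is a hypothetical helper name, the sample replies are constructed, and it assumes `<Customer>` echoes the requested username exactly.

```php
<?php
// Added example: fail-closed parsing of the ValidateUser reply shown above.
// isValidatedUser() is a hypothetical helper name, not part of any API.

function isValidatedUser($body, string $expectedUser): bool
{
    // file_get_contents() returns false on network/HTTP failure: deny.
    if (!is_string($body) || $body === '') {
        return false;
    }

    // Collect parse errors instead of emitting warnings; LIBXML_NONET
    // stops the parser from fetching anything over the network.
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body, SimpleXMLElement::class, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($xml === false || $xml->getName() !== 'ValidateUser') {
        return false;
    }

    // Exact match on <Result>: a substring search for "success" would
    // also hit the same text inside <Customer> or <Reason>.
    if ((string) $xml->Result !== 'Success') {
        return false;
    }

    // Assumption: the reply must name the user we asked about.
    return (string) $xml->Customer === $expectedUser;
}

// Constructed sample replies (not captured from a real service).
$samples = [
    'ok'        => '<?xml version="1.0"?><ValidateUser><Customer>james</Customer><Result>Success</Result></ValidateUser>',
    'failed'    => '<?xml version="1.0"?><ValidateUser><Customer>james</Customer><Result>Failed</Result><Reason>User/Password combination unknown</Reason></ValidateUser>',
    'substring' => '<?xml version="1.0"?><ValidateUser><Customer>success</Customer><Result>Failed</Result></ValidateUser>',
    'truncated' => '<?xml version="1.0"?><ValidateUser><Customer>james</Customer><Result>Succ',
    'no reply'  => false,
];

foreach ($samples as $label => $body) {
    $user = $label === 'substring' ? 'success' : 'james';
    printf("%-10s %s\n", $label, isValidatedUser($body, $user) ? 'allow' : 'deny');
}
```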