Developers Archive for the 'php5 programming' Category

Preventing Unwanted Access to Your API

Wednesday, January 31st, 2007

Ok, so you’ve written a cool new Web API and you’ve written l33t JavaScript to call it from your page. The problem is, anybody who views your source can see how you call your new toy and use it for their own nefarious purposes. Granted, sometimes this is what you want but there are times when you want to keep your toys to yourself. For those times, here is a quick trick you can implement that will help thwart most evil doers.

It should be noted that this technique, like many security measures, is not foolproof; it can be circumvented by a determined attacker. Use it as one layer of a multi-faceted security strategy, not as the only one.

Summary for the Impatient

For those anxious to skip ahead, here is the gist. You store a secret in $_SESSION and write that value into the JavaScript on your page. Each call back to your API passes the secret as a parameter, and the API compares it with the copy in $_SESSION. If they match, you know the call came from a browser that has loaded your page in the current session.

Details for the Patient

What someone hijacking your API from another site does not have is your $_SESSION: only your server-side code can read it, and the browser's same-origin policy stops a page on another origin from reading the secret out of your page. This is the same idea as a CSRF token. It does not stop a user who can load your page from reading the key out of the source and scripting calls with their own session; what it does is tie API calls to a browser that has loaded your page. The secret lives in the session and is rotated often. In practice, it is pretty easy.

In your PHP code create a value in the session, we will call it ajaxKey.

<?php
session_start();  // must run before any use of $_SESSION
$_SESSION['ajaxKey'] = md5(mktime());  // predictable; see the note below
?>

In the example above I use the md5() of the current time. It works, but mktime() has one-second resolution, so an attacker who knows roughly when the session started has only a few thousand candidates to try, and md5() adds no secrecy to a guessable input. In production use a cryptographically random value, for example bin2hex(random_bytes(16)) on PHP 7 or openssl_random_pseudo_bytes() on PHP 5.3+. The point is to create something that cannot be guessed.

Once you have stored your secret you need to let your webpage know what it is. In your web page, find a convenient place in your JavaScript code and put something like this:

var ajaxKey = '<?php echo $_SESSION['ajaxKey']; ?>';  // a hex digest, so it is safe inside a JS string literal

Now both your API and your JavaScript know the secret. This works because the browser sends your session cookie with the XMLHttpRequest just as it does for a page load, so the API handler opens the same $_SESSION that the page handler wrote the key into.

In your Ajax call to your API, pass the secret back as a parameter. Here is an example using Prototype's Ajax.Request class.

var myAjax = new Ajax.Request(
    "http://example.com/myAPI.php",
    {
        method: 'post',
        // send the key in the request body rather than the query string,
        // so it stays out of access logs and Referer headers
        parameters: { ajaxKey: ajaxKey },
        onComplete: displayData   // no trailing comma: older IE treats it as a syntax error
    });

In your API code, start the session, check that the ajaxKey parameter is present, and compare it with $_SESSION['ajaxKey']. Use a constant-time comparison such as hash_equals() (PHP 5.6+) rather than ==: a loose comparison leaks timing information and treats two numeric-looking strings such as "0e123" and "0e456" as equal, which a hex digest can easily produce. If they do not match, answer with 403 and stop: fire your photon torpedoes at the intruder and slam the door.

By regenerating the key on every page load you expire old keys, so a key someone captured cannot be replayed later. The trade-off is that a request from an older tab now carries a stale key and fails, so many sites issue one key per login session instead and rely on the session's own lifetime to expire it.
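The whole scheme in one runnable file, as an added example that is not code from the original post: the page issues a random per-session key and embeds it in its JavaScript, and the same script acts as the API when called back with that key, verifying it with a constant-time comparison. It assumes PHP 7 or later (random_bytes(), hash_equals(), http_response_code()) and that page and API are served from the same origin so the session cookie accompanies the XMLHttpRequest; the JSON reply body is made up for the demonstration.

```php
<?php
// Added example (not from the original post): a per-session AJAX key
// issued by the page and verified by the API, in one file for brevity.
// Assumes PHP 7+ and that page and API share an origin, so the browser
// sends the session cookie with the XMLHttpRequest.
session_start();

const AJAX_KEY_BYTES = 16;  // 128 bits of entropy

// Issue a key once per session. Reusing it across page loads keeps
// several open tabs working, unlike rotating on every request.
function issue_ajax_key()
{
    if (empty($_SESSION['ajaxKey'])) {
        // random_bytes() draws from the OS CSPRNG; md5(mktime()) would
        // leave only a few thousand guessable candidates per hour.
        $_SESSION['ajaxKey'] = bin2hex(random_bytes(AJAX_KEY_BYTES));
    }
    return $_SESSION['ajaxKey'];
}

// Compare the submitted key with the session copy in constant time.
// Anything that is not a string (e.g. ajaxKey[]=... ) is rejected.
function verify_ajax_key($submitted)
{
    if (!isset($_SESSION['ajaxKey']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['ajaxKey'], $submitted);
}

// --- API branch: a POST carrying an ajaxKey parameter --------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['ajaxKey'])) {
    header('Content-Type: application/json');
    if (!verify_ajax_key($_POST['ajaxKey'])) {
        http_response_code(403);
        echo json_encode(['error' => 'bad or missing ajaxKey']);
        exit;
    }
    // Constructed reply standing in for the real API's data.
    echo json_encode(['ok' => true, 'time' => gmdate('c')]);
    exit;
}

// --- Page branch: render the page with the key embedded ------------------
$ajaxKey = issue_ajax_key();
// The key is hex, so it is safe inside a JS string literal; json_encode()
// is used anyway so a later change of key format stays safe.
?>
<!DOCTYPE html>
<html>
<head><title>ajaxKey demo</title></head>
<body>
<p id="out">calling...</p>
<script>
var ajaxKey = <?php echo json_encode($ajaxKey); ?>;

// Send the key as a POST body field, not in the query string, so it does
// not end up in access logs or Referer headers.
var xhr = new XMLHttpRequest();
xhr.open('POST', location.pathname, true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.onload = function () {
    document.getElementById('out').textContent =
        xhr.status + ' ' + xhr.responseText;
};
xhr.send('ajaxKey=' + encodeURIComponent(ajaxKey));
</script>
</body>
</html>
```

Load the file once in a browser and the page's own script receives 200; replaying the same POST from another origin, or with the key altered, gets 403. A user who can load the page can still copy the key and call the API from their own session, which is the limit of this technique.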

That's it: a simple but effective way to keep casual callers out of your API. As I said at the beginning, it is not foolproof. It stops other sites from calling your API with a visitor's browser, but anyone who can load your page can read the key and call the API themselves. Stronger controls, such as per-user authentication with a login and password check, need not only more code but ongoing account management.

Create Dynamic pdf Files

Tuesday, January 30th, 2007

First, find the extension needed for this exercise. If you installed PHP on Windows it is php_pdf.dll; on my computer it is located at C:\PHP\php-4.3.1-Win32\extensions. On Linux there is no DLL: you need the PDFlib shared object (.so) build of the extension for your PHP version instead.

Now, in your php.ini file, remove the ";" in front of the extension=php_pdf.dll line. Because php.ini has changed, restart the Apache web server so that PHP is reinitialised with the php_pdf extension loaded.

Create a php file with the following code,

<html>
<head>
<title>Name Entry Level</title>
</head>
<body>
<table border="0" width="100%" height="100%">
<tr>
<td valign="middle" align="center">
<form method="POST" action="pdf_file.php">
<p>
<font size="3" face="Arial">
Enter your name here please =>
<input type="text" name="userName" size="20" maxlength="20">
</font>
</p>
<p>
<input type="submit" value="Submit" name="B1">
<input type="reset" value="Reset" name="B2">
</p>
</form>
</td>
</tr>
</table>
</body>
</html>

Now, in pdf_file.php, grab the posted name. This is the user information ($user) that will be added to the hyperlink at the end (and could be written into the PDF as well).

$user = isset($_POST['userName']) ? $_POST['userName'] : '';  // $HTTP_POST_VARS is the deprecated PHP 4 name for $_POST

Now we are ready to start. First, let's create a blank PDF file, say bennyboy.pdf. To do that we create a PDFlib document handle, say $pdf, which every pdf manipulation goes through.

<?php
$pdf = pdf_new();

Pass the handle as the first argument of every PHP pdf function. To create the output file, use pdf_open_file.

pdf_open_file($pdf, "C:\\bennyboy.pdf");  // write the file somewhere the web server can serve if you intend to link to it later

This creates the new PDF file, still empty at this point. It has no document properties yet, so let's assign some with pdf_set_info.

pdf_set_info($pdf, "Author", "Ben Shepherd");
pdf_set_info($pdf, "Title", "Creating a pdf");
pdf_set_info($pdf, "Creator", "Ben Shepherd");
pdf_set_info($pdf, "Subject", "Creating a pdf");

Now that the particulars are taken care of, let's do some PDF manipulation. To begin, call pdf_begin_page. Its parameters, apart from the first which is always $pdf, are the page width and height in points (1/72 inch): A4 is 595 x 842, Letter is 612 x 792 and Legal is 612 x 1008.

pdf_begin_page($pdf, 595, 842);

Now it is time to choose a font for the text. Use pdf_findfont and pdf_setfont for this. I chose Arial at size 14.

$arial = pdf_findfont($pdf, "Arial", "host", 1);  // "host" = the platform's native text encoding; 1 = embed the font. Arial must be installed on the server.
pdf_setfont($pdf, $arial, 14);

Now that the font is set, it is time to use it. To place text in the PDF, call pdf_show_xy. The x value (the third parameter) is measured from the left edge of the page and increases to the right; the y value is measured from the bottom edge and increases upwards.

In other words, the origin of pdf_show_xy's coordinate system is the bottom left corner of the page. To put some text 50 points from the left and 400 points from the bottom you would write:

pdf_show_xy($pdf, ">Type your info here<", 50, 400);

But you may not want just text on a page. If you are creating a pdf document for a client you may wish to display a logo. There are functions like pdf_open_gif and pdf_open_jpeg that will open up images and assign them to an object to use in the document.

$gif_image = pdf_open_gif($pdf, "baseball.gif");

To put the image onto the page, use pdf_place_image; its parameters are the PDF handle, the image handle, the x value, the y value and the scale respectively.

pdf_place_image($pdf, $gif_image, 200, 300, 1.0);

Close the image handle once you have finished placing it.

pdf_close_image($pdf, $gif_image);

Let’s end the pdf manipulation process by using the pdf_end_page and the pdf_close functions.

pdf_end_page($pdf);
pdf_close($pdf);

Now, to view your PDF, create a link that opens it in a new window. The href must be a URL the web server serves, not a filesystem path such as C:\bennyboy.pdf, so the file has to be written somewhere under the document root. Escape $user before echoing it into HTML; otherwise a name containing <script> becomes cross-site scripting.

echo '<a href="/bennyboy.pdf" target="_blank">Open pdf in a new window ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</a>';  // assumes the PDF was written under the document root
?>
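Putting the steps together, here is an added example, my code rather than the original post's, of a pdf_file.php that receives the form above, validates the name, builds the PDF in memory using PDFlib's empty-filename mode and pdf_get_buffer(), and streams it straight to the browser, so no hard-coded C:\ path and no separate link are needed. It assumes the PDFlib extension is loaded and PHP 7 syntax, and uses the Helvetica core font instead of the host Arial font so it runs on a server without Windows fonts; the 20-character limit mirrors the form's maxlength, and the greeting text is made up.

```php
<?php
// Added example (not from the original post): a complete pdf_file.php
// that builds the PDF in memory and streams it to the browser instead of
// writing to a hard-coded C:\ path and linking to it afterwards.
// Assumes the PDFlib extension is loaded and PHP 7+ (?? operator).
// Helvetica is a PDF core font, so no host font needs to be installed.

// Accept only a short, printable name so nothing odd ends up in the PDF
// metadata. The 20-character limit matches the form's maxlength.
function clean_user_name($raw)
{
    if (!is_string($raw)) {
        return '';
    }
    $name = trim($raw);
    if ($name === '' || strlen($name) > 20 || !ctype_print($name)) {
        return '';
    }
    return $name;
}

// Build a one-page A4 PDF for $user and return its bytes.
function build_pdf($user)
{
    $pdf = pdf_new();
    // An empty filename tells PDFlib to generate the document in memory.
    pdf_open_file($pdf, '');

    pdf_set_info($pdf, 'Author', 'Ben Shepherd');
    pdf_set_info($pdf, 'Title', 'Creating a pdf');
    pdf_set_info($pdf, 'Subject', 'Creating a pdf for ' . $user);

    pdf_begin_page($pdf, 595, 842);                       // A4 in points
    $font = pdf_findfont($pdf, 'Helvetica', 'winansi', 0); // core font, not embedded
    pdf_setfont($pdf, $font, 14);
    // Origin is the bottom left corner: 50 pt in, 780 pt up is near the top.
    pdf_show_xy($pdf, 'Hello, ' . $user, 50, 780);
    pdf_show_xy($pdf, 'Generated ' . gmdate('Y-m-d H:i:s') . ' UTC', 50, 760);
    pdf_end_page($pdf);

    pdf_close($pdf);
    $bytes = pdf_get_buffer($pdf);   // read the buffer before freeing the handle
    pdf_delete($pdf);
    return $bytes;
}

$user = clean_user_name($_POST['userName'] ?? null);
if ($user === '') {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "Please enter a name of up to 20 printable characters.";
    exit;
}

$bytes = build_pdf($user);
header('Content-Type: application/pdf');
header('Content-Length: ' . strlen($bytes));
// Fixed filename: never build this header from user input.
header('Content-Disposition: inline; filename="bennyboy.pdf"');
echo $bytes;
```

Submitting the form now returns the PDF itself as the response, so nothing is written to disk and the user's name never reaches an HTML page unescaped.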

Dates and Times in PHP

Monday, January 29th, 2007

Now we want to display that timestamp in a human readable format. To do that we have to understand the date() function, which converts a UNIX timestamp into a human readable date. Its signature is:

string date ( string format [, int timestamp] )

The timestamp is enclosed in '[' and ']', which means it is optional. If you pass one, the function formats it; if you leave it out, the function uses the current time, the value of time(). Note that date() renders the result in PHP's default time zone; gmdate() takes the same arguments and renders in UTC.

Let’s start our work with the date function. We want to show the user what date and time is now.

print date("l, F jS Y - H:i:s");

As you can see in the example above, I pass l, F jS Y - H:i:s as the format string. Here is what each formatting character means:

F - month, textual, long; e.g. "January"
H - hour, 24-hour format; i.e. "00" to "23"
i - minutes; i.e. "00" to "59"
j - day of the month without leading zeros; i.e. "1" to "31"
l (lowercase 'L') - day of the week, textual, long; e.g. "Friday"
s - seconds; i.e. "00" to "59"
S - English ordinal suffix for the day of the month, 2 characters; i.e. "st", "nd", "rd" or "th"
Y - year, 4 digits; e.g. "1999"
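As an added example that is not from the original post, here is the same format string applied to an explicit timestamp, rendered in two time zones and in a UTC form suitable for log lines. The Europe/London zone and the 1 July 2007 timestamp are constructed inputs chosen to make the local/UTC difference visible; it assumes PHP 5.3 or later for DateTime and a top-level const.

```php
<?php
// Added example (not from the original post): the post's format string
// applied to an explicit timestamp, in two time zones and a UTC log form.
// Assumes PHP 5.3+ (DateTime, DateTimeZone, top-level const).

const HUMAN_FORMAT = 'l, F jS Y - H:i:s';

// date() always renders in PHP's default time zone (php.ini or
// date_default_timezone_set()). To render a timestamp in a specific zone
// without touching global state, go through DateTime instead.
function human_date($timestamp, $tz = 'UTC')
{
    $dt = new DateTime('@' . (int) $timestamp);   // '@<ts>' is always UTC
    $dt->setTimezone(new DateTimeZone($tz));
    return $dt->format(HUMAN_FORMAT);
}

// ISO 8601 in UTC: unambiguous across hosts, which is what you want in a
// log line that has to be correlated with other systems.
function log_date($timestamp)
{
    return gmdate('Y-m-d\TH:i:s\Z', $timestamp);
}

// Constructed input: 1 July 2007 12:00:00 UTC, built from components
// rather than read from the wall clock so the run is reproducible.
$ts = gmmktime(12, 0, 0, 7, 1, 2007);

echo "Default zone (date()): ", date(HUMAN_FORMAT, $ts), "\n";
echo "UTC:                   ", human_date($ts, 'UTC'), "\n";
echo "Europe/London (BST):   ", human_date($ts, 'Europe/London'), "\n";
echo "Log form:              ", log_date($ts), "\n";
```

The first line depends on whatever default time zone the server has configured, which is exactly why the log form uses gmdate() and a fixed UTC layout.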


All material copyright chrisranjana.com. If you want to link to this article you are welcome to do so. Unauthorized publication is strictly prohibited.