I am setting up some PHP pages to provide API services to users (and my applications).
In its most basic form, it looks like this:
<?php
require("include.php");          // assumed to define Page and $mySystemUserId
$page = new Page();
$authZone = "general";
$auth = $page->authenticate($mySystemUserId, $authZone);
if ($auth[0] != "AUTHORIZED") {
    exit('<h1 class="access-denied">ACCESS DENIED</h1>');
}
header('content-type:application/json');
if (isset($_REQUEST['q'])) {
    $q = $_REQUEST['q'];         // name of the "query"/service to run
} else {
    exit();                      // no service requested: nothing to do
}
if ($q == "") {
    // one block like this per service; the matching block runs and emits JSON
}
?>
Essentially it opens the page and checks to see what "query" or "service" to run ($_REQUEST['q']).
Then it seems to run whatever code block is applicable to that service and then returns it in JSON format.
As I have never seen any "official" standard on how to set up a secure API service, I would like any other professional to review this and say:
a) This looks fine b) Mostly fine but you need to correct ______________ c) Wow, you got it totally wrong. Take a look at (hyperlink) and come back when you come out of the 80s...
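The following is an added example, not the asker's code: the same dispatcher shape, but the requested service name is only ever used as a key into an explicit allowlist of handlers, errors are returned as JSON with a status code, and the name is read from $_GET rather than $_REQUEST. Page, Page::authenticate() and $mySystemUserId are assumed to come from include.php as in the question; the 'ping' and 'echo' handlers are placeholders.

```php
<?php
// Added example (not the asker's code). Assumes include.php defines
// Page, Page::authenticate() and $mySystemUserId, as in the question.
declare(strict_types=1);

require __DIR__ . '/include.php';

// Every response, success or error, leaves through here as JSON.
function jsonExit(int $status, array $payload): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($payload, JSON_THROW_ON_ERROR);
    exit;
}

// One handler per service. The client can only select a key that exists
// here; anything else is rejected before any service code runs.
$services = [
    'ping' => fn(array $params): array => ['pong' => true],
    'echo' => fn(array $params): array => ['value' => (string)($params['v'] ?? '')],
];

$page = new Page();
$auth = $page->authenticate($mySystemUserId, 'general');
if ($auth[0] !== 'AUTHORIZED') {
    // JSON error with a 403, instead of an HTML fragment with a 200
    jsonExit(403, ['error' => 'access denied']);
}

// Read the service name from the query string only. $_REQUEST merges GET,
// POST and (depending on request_order) cookies, so a value from one source
// could silently override another.
$q = $_GET['q'] ?? '';
if (!is_string($q) || !isset($services[$q])) {
    jsonExit(400, ['error' => 'unknown service']);
}

jsonExit(200, $services[$q]($_GET));
```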