Difference between revisions of "HTTP Post request to a PHP server"
(first entry) |
(better formatting) |
Revision as of 15:59, 18 February 2007
Introduction
LSL now offers the ability to request an HTTP page from any website.
You can use different methods to access your web server.
The most obvious is GET; the GET method allows any number of parameters.
The syntax is:
http://www.yourwebsite.com/pay.php?user=Corto+Maltese&amount=100
In the example above the page pay.php is requested with 2 parameters, user and amount. The issue with GET is that if someone manages to sniff or guess your web page address, they could take any web browser and type:
http://www.yourwebsite.com/pay.php?user=Joe+Blog&amount=1000000
And your web server will have little idea that this request is bogus.
This is where my library comes into action.
The LSL library takes every character in your HTTP request and computes a security hash code. The library then adds this extra security hash parameter to your request like this:
When the server receives the request, it can check that the hash provided is correct. If the request was tampered with, the hash will not be correct; the server will therefore ignore the request and not allow Joe Blog to pretend he has paid L$ 1,000,000.
The library also uses the POST method. POST is not very different from GET but allows slightly more input parameters than GET. The POST method is also a bit more secure, as the parameters do not appear in the cache statistics or similar tools.
Syntax
The main LSL function is called xrequest:
xrequest(string Url, list Parameters)
Url: the address of your web page, for example "http://www.yoursite.com/sl.php"
Parameters: a list of strings; the list must be set in pairs using this format: [variable_name_1, variable_value_1, variable_name_2, variable_value_2, ...]
In the example below the script requests a page using the parameters a=1, b=2 and c=3.
// xrequest() and the global http_request_id come from the library code below
default
{
    touch_start(integer total_number)
    {
        xrequest("http://www.yoursite.com/sl.php",["a","1","b","2","c","3"]);
    }
    http_response(key request_id, integer status, list metadata, string body)
    {
        // only handle the reply to our own request
        if (request_id == http_request_id)
        {
            llSetText(body, <0,0,1>, 1);
        }
    }
}
Here is the code of the xrequest function. Note that you should change SECRET_NUMBER to any number of your choice, preferably something rather large and random, up to 2,000,000,000.
integer SECRET_NUMBER=123456789;
key http_request_id; // id of the last request, compared in http_response
xrequest(string url, list l)
{
    integer i;
    integer len=llGetListLength(l) & 0xFFFE; // makes the list count even
    string body;
    // build "name1=value1&name2=value2..." from the name/value pairs
    for (i=0;i<len;i+=2)
    {
        string varname=llList2String(l,i);
        string varvalue=llList2String(l,i + 1);
        if (i>0) body+="&";
        body+=llEscapeURL(varname)+"="+llEscapeURL(varvalue);
    }
    // llMD5String hashes body + ":" + SECRET_NUMBER
    string hash=llMD5String(body,SECRET_NUMBER);
    http_request_id = llHTTPRequest(url+"?hash="+hash,[HTTP_METHOD,"POST",HTTP_MIMETYPE,"application/x-www-form-urlencoded"],body);
}
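On the server side, here is the PHP function which allows your server to check the security hash:
<?php
function checkHash()
{
    $SECRET_NUMBER=123456789; // must match SECRET_NUMBER in the LSL script
    // a missing or non-string hash is rejected like a wrong one
    $hash=(isset($_GET["hash"]) && is_string($_GET["hash"])) ? $_GET["hash"] : "";
    // Hash the body exactly as it was sent. Re-encoding $_POST with urlencode()
    // does not reproduce llEscapeURL's output (a space becomes "+" instead of
    // "%20"), so the two hashes would differ for such values.
    $body=file_get_contents("php://input");
    $calcHash=md5("$body:$SECRET_NUMBER");
    // constant-time comparison, which also avoids the type juggling of !=
    if (!hash_equals($calcHash,$hash))
    {
        //sleep(2); // slow down the requests
        echo "result=FAIL\nMSG=Invalid hash";
        die;
    }
}
checkHash();
// You can use the parameters here by simply using $_POST["parameter_name"]
echo "OK";
?>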
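The following example is added here and is not part of the library. It compares two ways of rebuilding the hashed string on the server, re-encoding the decoded parameters with urlencode() and hashing the raw request body, and shows why the first rejects a genuine request whose value contains a space. lslEscape() is an assumed model of llEscapeURL, and the parameter values are constructed.

```php
<?php
// Added example: not the library's code. Parameter values are constructed.
const SECRET_NUMBER = 123456789; // placeholder value used on this page

// Assumed model of llEscapeURL: every byte outside [A-Za-z0-9] becomes %XX.
function lslEscape(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/', function ($m) {
        return sprintf('%%%02X', ord($m[0]));
    }, $s);
}

// Build the POST body and hash the way xrequest() does.
function lslRequest(array $pairs): array
{
    $parts = [];
    foreach ($pairs as $name => $value) {
        $parts[] = lslEscape((string)$name) . '=' . lslEscape($value);
    }
    $body = implode('&', $parts);
    return [$body, md5($body . ':' . SECRET_NUMBER)];
}

// Check 1: rebuild the body from the decoded parameters with urlencode().
function verifyReencoded(array $post, string $hash): bool
{
    $parts = [];
    foreach ($post as $name => $value) {
        $parts[] = urlencode((string)$name) . '=' . urlencode($value);
    }
    return hash_equals(md5(implode('&', $parts) . ':' . SECRET_NUMBER), $hash);
}

// Check 2: hash the bytes exactly as received
// (file_get_contents('php://input') in a live request).
function verifyRaw(string $rawBody, string $hash): bool
{
    return hash_equals(md5($rawBody . ':' . SECRET_NUMBER), $hash);
}

foreach ([['a' => '1', 'b' => '2'], ['user' => 'Corto Maltese', 'amount' => '100']] as $pairs) {
    [$body, $hash] = lslRequest($pairs);
    parse_str($body, $post); // the decoded form PHP exposes as $_POST
    printf("%-34s reencoded=%s raw=%s\n", $body,
        var_export(verifyReencoded($post, $hash), true),
        var_export(verifyRaw($body, $hash), true));
}
```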
This library could be improved to handle output parameters too. It doesn't do anything in this area yet.