
I have been working on an android application project that uses HTTP Get to send and receive data from MySQL through a PHP file using JSON from Java.

I have lately been running into some issues in theory behind best practices using HTTP Transport and passing Parameters via a URL.

First Question:

How should I be passing my data to my PHP Webservices ?

Currently I am just passing the data through single parameters using key value pairs like so:

myurl.com/retrieveinfo.php?user_id=453&password=sha1-hash-value

Should I be moving this type of request to append a JSON object onto the URL instead? like so:

myurl.com/retrieveinfo.php?{"users":{"username":"User1Name","user_id":453,"password":"sha1-hash-value"}}

Second Question:

How should I be handling the JSON Response from the Server? Do I need to push this work off to a handler and make sure the UI Thread is not the one doing this work?

Currently I am just parsing the JSON using separate methods for each Object Type such as

User.Class

 import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;

 private void parseUserInfo(JSONObject response) {
     // Do all my parsing for a User object
     try {
         JSONArray users = response.getJSONArray("users");
         JSONObject user = users.getJSONObject(0);

         // Get the user info etc. (fields as sent in the request JSON)
         String username = user.getString("username");
         int userId = user.getInt("user_id");

     } catch (JSONException ex) {
         ex.printStackTrace();
     }
 }

Notes.Class

 import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;

 private void parseNotes(JSONObject response) {
     // Do all my parsing for a Note object
     try {
         JSONArray notes = response.getJSONArray("notes");

         for (int index = 0; index < notes.length(); index++) {
             JSONObject note = notes.getJSONObject(index);

             // Get all the note info etc...
         }

     } catch (JSONException ex) {
         ex.printStackTrace();
     }
 }

Third Question:

I would like my PHP server files to only work for my Application. So what is the best way to secure my PHP files on my server so a request to my files won't go through if it's run in a browser?

Should I be sending some temp key that only my application knows about?

Thanks

First Question:

You don't really want to put a JSON object on the URL as a query parameter. The real two debates that I see are that you either 1) use the key-value pairs you were using, or 2) make this a POST and send the JSON as a payload. Since you are not planning on exposing the API to anyone, I don't really find it important for you to follow standard nomenclatures. Do whatever you want to do. However, from a REST standpoint, anything that retrieves info should be a GET call, and the data should be key-value pairs on the query string. However, it looks like you are passing in a username and password (ok, the SHA of the pass). It is considered best practice to always pass user info as the payload. So almost all login-type protocols use a POST for user data. User IDs or session IDs are common in the query string, but usernames and passwords should almost always be in a payload. Note: sometimes in TLS (SSL) it is considered ok to include these things in the query string.

Second Question:

Honestly, I would just use Jackson: https://github.com/FasterXML/jackson. But otherwise, it is normal to have a separate layer for parsing. In other words, one class handles all the parsing. You do not want to put this code inside your models if you can avoid it. The new layer would handle parsing and would pass the Java model objects down to the next layer.

Third Question:

The easiest way to do this would simply be to check the User-Agent header on the request. Make sure that the User-Agent is your application, and not a browser. However, it would still be possible for people to "spoof" this. Using a temp key wouldn't really help either, because once people sniff the traffic they can figure out the temp key. The standard thing here is to do some type of session-based key, where the application sends some type of MAC in order to prove it is a valid client. You could also consider using OAuth2 to protect your APIs.
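As an added example (not code from the question or the answer above): a minimal version of the session-key MAC scheme the third answer describes, written in plain Java so both the app side and the server side can be exercised without a PHP deployment. It assumes a hypothetical session key that the server issued after a POST login over TLS (constructed here as a fixed string), computes an HMAC-SHA256 over method, path, timestamp, nonce and the JSON body (which also illustrates the first answer's point of moving parameters into a POST payload instead of the query string), and shows the checks a `retrieveinfo.php` would need to perform before touching the database: a clock window, a constant-time MAC comparison, and nonce tracking so a captured request cannot simply be replayed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedRequestDemo {

    // Constructed demo key (assumption). In the real flow the server issues a per-session
    // key after a POST login over TLS; the app keeps it in memory and never sends it again.
    static final byte[] SESSION_KEY =
            "demo-session-key-issued-at-login".getBytes(StandardCharsets.UTF_8);
    static final long MAX_CLOCK_SKEW_SECONDS = 300;

    /** One request exactly as the app sends it and as the server receives it. */
    static final class SignedRequest {
        final String method, path, body, nonce, mac;
        final long timestamp;
        SignedRequest(String method, String path, String body, long timestamp, String nonce, String mac) {
            this.method = method; this.path = path; this.body = body;
            this.timestamp = timestamp; this.nonce = nonce; this.mac = mac;
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String hmacSha256Hex(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hex(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
    }

    /** Canonical string covered by the MAC; client and server must build it identically. */
    static String canonical(String method, String path, long timestamp, String nonce, String body) {
        return method + "\n" + path + "\n" + timestamp + "\n" + nonce + "\n" + body;
    }

    /** App side: sign a POST whose JSON body carries the parameters instead of the query string. */
    static SignedRequest sign(byte[] sessionKey, String method, String path, String body) throws Exception {
        byte[] nonceBytes = new byte[16];
        new SecureRandom().nextBytes(nonceBytes);          // fresh per request, makes replays detectable
        String nonce = hex(nonceBytes);
        long timestamp = System.currentTimeMillis() / 1000;
        String mac = hmacSha256Hex(sessionKey, canonical(method, path, timestamp, nonce, body));
        return new SignedRequest(method, path, body, timestamp, nonce, mac);
    }

    /** Server side: the checks a retrieveinfo.php would run before doing any work. */
    static final class Verifier {
        private final byte[] sessionKey;
        private final Set<String> seenNonces = new HashSet<>();   // bounded by the clock window

        Verifier(byte[] sessionKey) { this.sessionKey = sessionKey; }

        boolean verify(SignedRequest r, long nowSeconds) throws Exception {
            // 1. Reject stale or future-dated requests so the nonce set cannot grow without bound.
            if (Math.abs(nowSeconds - r.timestamp) > MAX_CLOCK_SKEW_SECONDS) return false;
            // 2. Recompute the MAC and compare in constant time (no early exit on a differing byte).
            String expected = hmacSha256Hex(sessionKey,
                    canonical(r.method, r.path, r.timestamp, r.nonce, r.body));
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                       r.mac.getBytes(StandardCharsets.UTF_8))) return false;
            // 3. Only after the MAC checks out, record the nonce: a second copy of a genuine
            //    request is refused, and forged requests cannot pollute the nonce set.
            return seenNonces.add(r.nonce);
        }
    }

    public static void main(String[] args) throws Exception {
        Verifier server = new Verifier(SESSION_KEY);
        long now = System.currentTimeMillis() / 1000;
        String body = "{\"user_id\":453}";                   // parameters travel in the POST body

        SignedRequest genuine = sign(SESSION_KEY, "POST", "/retrieveinfo.php", body);
        System.out.println("genuine request accepted:  " + server.verify(genuine, now));
        System.out.println("replayed request accepted: " + server.verify(genuine, now));

        // Same MAC, fresh nonce, altered body: the recomputed MAC no longer matches.
        SignedRequest tampered = new SignedRequest(genuine.method, genuine.path, "{\"user_id\":1}",
                genuine.timestamp, "00000000000000000000000000000001", genuine.mac);
        System.out.println("tampered request accepted: " + server.verify(tampered, now));

        // A plain browser-style GET carries no valid MAC and is refused without any User-Agent check.
        SignedRequest browser = new SignedRequest("GET", "/retrieveinfo.php", "", now, "browser", "");
        System.out.println("unsigned request accepted: " + server.verify(browser, now));
    }
}
```

Run it as a single-file program with `java SignedRequestDemo.java` (Java 11 or newer); the four cases in `main` cover a genuine request, its replay, a tampered body, and an unsigned browser request. On the PHP side the same verification maps onto `hash_hmac('sha256', ...)` for the recomputation and `hash_equals()` for the constant-time comparison, with the nonce set kept in the session store rather than in memory.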