Please forgive me for my ignorance in advance, I'm a rookie when it comes to PHP. An iOS app I'm experimenting with has an already-built PHP API that makes requests as such:
NSURL *url = [NSURL URLWithString:[NSString stringWithFormat:@"http://beta.myapp.com/api/addUser.php?id_user=%@&user_email=%@&user_f_name=%@&user_l_name=%@&user_mobile=%@", iduser, email, fName, lName, mobileText]];
NSMutableURLRequest *request=[NSMutableURLRequest requestWithURL:url];
NSOperationQueue *queue = [[NSOperationQueue alloc] init];
[NSURLConnection sendAsynchronousRequest:request queue:queue completionHandler:^(NSURLResponse *response, NSData *data, NSError *error) {
if (error) {
NSLog(@"Error,%@", [error localizedDescription]);
} else {
// Do some stuff
}
}];
However, this URL would be vulnerable from anyone who finds the URL to just enter any data they want through a web browser, right?
How would I secure these requests so that someone can't type that URL with their own parameters into an address bar?
One way to do it would be to make your PHP API a HTTPS connection, requiring the correct authorization header to perform the POST request. You pass in an authorization header like this:
//Auth header
NSString *authStr= [NSString stringWithFormat:@"%@:%@",usernameOfAdmin,passwordOfAdmin];
NSData *authData = [authStr dataUsingEncoding:NSASCIIStringEncoding];
NSString *authValue = [NSString stringWithFormat:@"Basic %@", [authData base64EncodedStringWithOptions:NSDataBase64EncodingEndLineWithLineFeed]];
[request setValue:authValue forHTTPHeaderField:@"Authorization"];
Then, you could have admin credentials that are required for every POST request. And you could even use an encryption algorithm to make sure your iOS users don't get a hold of the username & password. When a proper sign up is performed from your iOS app, you would use these credentials. Someone else accessing your PHP API would not know the username and password.