1

I'm making a button within my website that when clicked calls API from another site using PHP. I have to put my login details as variables in my PHP. I've seen some exploits where hackers are able to get the values on PHP variables by typing something in the address bar? Not sure if that's XSS or SQL injection or what, but I've seen where it will print out the PHP code in XML format.

Here's an example:

if (isset($_POST['submit'])) {
   $time = time(true);
   $prize = 200;
   $ID = "my_secret_API_ID";
   $Password = "my_secret_API_Password";
   $APIcall = json_decode(file_get_contents("https://apiwebsite/developer/$ID/get_info&pw=$Password"), true);
   $display = $APIcall ['some_info'];
   echo $display;
}

Are my login details safe? Should I make them global variables outside of the $_POST? Should I define them in a separate PHP file entirely and then use an include? Does it make a difference?

Improve this question

2 Answers 2

Reset to default
3

You never actually do anything with the data you receive from your form. There's no possibility of anything being vulnerable.

Isset returns only boolean values and therefore cannot be manipulated in such a way as to expose any of your application.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Ok thanks. So when I've seen hackers exploit a site in the address bar and reveal some of the website code, is that only because their form wasn't properly escaped/sanitized?
@m1xolyd1an the thing is that how you deal with data matters, not where data comes from. Any vulnerability is caused by incorrect interpretation of some data (that is passed/transferred from somewhere)
1

I feel the other answer doesn't actually answer the question you asked. Ohgodwhy's answer relates to your $_POST variables and the poster is correct that if you are not using them then you are not vulnerable (unless PHP or another component you were using was - unlikely though).

I think your question was specifically related to this part of your code?

$ID = "my_secret_API_ID";
$Password = "my_secret_API_Password";

These variables should be safe provided there are no Local File Inclusion vulnerabilities (or similar) on your site. Make sure any other code running does not read local files and display them otherwise a nefarious user may manipulate them to display your credentials. Consider storing these in a database encrypted (it is always good to separate code and data where possible).

  echo $display;

This bit of code may be vulnerable if https://apiwebsite/developer/$ID/get_info&pw=$Password ever returns unencoded data that is beyond your control. e.g. if there is user data in the API and an evil user has put some <script> code in there, your site will run it unless you encode via htmlentities. This would be an XSS vulnerability. Your existing code is OK though if you fully trust apisite to correctly encode values that are beyond their control (and you fully trust apisite itself).

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.