0

I have made an API script for my website, so people can log in from another website. It's using PHP cURL to POST data to my website.

I'm using an API key (MD5 hash of the website) to verify the website with my MySQL database. But when someone is using my API client (PHP cURL), they can also save the usernames and passwords of my users.

How can I prevent this?

1
  • 1
    Don't allow users of your API to access any table they want? The API methods should be configured to do a specific task. Commented Mar 4, 2011 at 0:05

3 Answers

2

You might want to consider using OAuth. It's designed for exactly what you want to do.


0

If someone is typing their username and password onto a website other than your own, there is no way for you to prevent the owner of the website from capturing it...


0

What you'll want to do is have your site generate a secure set of credentials for the user's account, similar to a username/password, but only to be used by the API. Also, prevent this new set of credentials from having the ability to do things like delete the user's account or change email address.

Also, give the users the ability to have their API credentials changed if they want (in case a third party gets it and the user no longer wants them to have access).

1 Comment

So if I just create a second username and password that are different from the website login, it will be safe?
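
Added example, not part of the original answers: a sketch of the API-only credential scheme described in the last answer, with a limited scope list and user-triggered revocation. The class name `ApiCredentialStore`, the scope names, and the in-memory array standing in for a MySQL table are assumptions made for illustration.

```php
<?php
// Added example: the in-memory array stands in for a MySQL table (assumption).
final class ApiCredentialStore
{
    /** Rows keyed by the SHA-256 hash of the token; the plaintext is never stored. */
    private array $rows = [];

    // Issue a random API-only token for a user. It is unrelated to the
    // website password, so a third-party site never sees the real login.
    public function issue(int $userId, array $scopes): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = [
            'user_id' => $userId, 'scopes' => $scopes, 'revoked' => false,
        ];
        return $token; // shown to the user once
    }

    // Return the user id if the token exists, is not revoked and grants
    // $scope; otherwise null.
    public function authorize(string $token, string $scope): ?int
    {
        $row = $this->rows[hash('sha256', $token)] ?? null;
        if ($row === null || $row['revoked']
            || !in_array($scope, $row['scopes'], true)) {
            return null;
        }
        return $row['user_id'];
    }

    // Revoke every API token of a user, e.g. when they no longer trust
    // a third party that holds one.
    public function revokeAll(int $userId): void
    {
        foreach ($this->rows as &$row) {
            if ($row['user_id'] === $userId) {
                $row['revoked'] = true;
            }
        }
        unset($row); // drop the reference left by foreach
    }
}

$store = new ApiCredentialStore();
$old = $store->issue(42, ['profile:read']);    // constructed user id and scope
var_dump($store->authorize($old, 'profile:read'));   // allowed scope
var_dump($store->authorize($old, 'account:delete')); // scope was never granted
$store->revokeAll(42);                               // user rotates credentials
$new = $store->issue(42, ['profile:read']);
var_dump($store->authorize($old, 'profile:read'));   // old token after revocation
var_dump($store->authorize($new, 'profile:read'));   // replacement token
```

Sensitive actions such as deleting the account or changing the email address are simply never offered as scopes, so a captured API token cannot perform them.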
