Hide header post data

I have never used APIs before.

I am trying to SMS-enable my website. My SMS provider provides an HTTP API to send messages from my website. It works well. However, it's not secure. The API requires number, message, username and password, and can be sent using post or get. There is no HTTPS support.

I am currently passing the number and message which the user enters to a page which reposts the values along with username and password using curl. The HTTP headers still contain the post fields, meaning anyone can see my username and password. Is there a way around this? I know switching providers is an option, since they don't have SMTP, XML or HTTPS APIs.


Edit: Can I mail the number and text to my mailserver, which can trigger a PHP script based on contents of the mail which will then post it to the SMS gateway with the username and password? Possible? At least that way the end user won't be able to see the username and password.


Unfortunately there's nothing you can do.

One popular SMS gateway API that supports HTTPS is Clickatell.

It covers 819 networks in over 220 countries. Apart from HTTP and HTTPS, they also support SMPP, SMTP, FTP, XML, SOAP and COM.

The HTTP/S method works in a very similar way to the service you are describing. If I remember correctly, you'd pass all the details through a GET request. You could keep using curl as you are doing now.


As for message costs, Clickatell uses a credit based system. 1 credit will generally mean 1 message, but some destinations may charge a bit less (usually 0.8 of a credit) and some may charge more (usually 1.5 or 2). Apparently this depends on the network operators in the particular region. (Source)

1 credit is currently priced at USD 0.03 / EUR 0.022 / GBP 0.02. There is a minimum requirement of 400 credits, so the initial investment can be of just USD 12. (Source)


If they can't provide SSL, then it will be visible to everyone between you and the remote server. That's just the way things work.


Unless you have access to the server side code, you cannot do anything about this.

If you do have access to the server side code, you can use a two-way encryption algorithm such as this one.


The client side should not include your password. Only the user related details (sms, phone number) should be entered there and SENT TO A PAGE ON YOUR SERVER. The page on your server is where the sms provider password is held. The page then calls the sms provider. In this case https is less important (the data is not visible to end users, only to people with access to the network between your server and the sms provider server).
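
The arrangement described in the answer above, sketched as an added example that is not part of the original thread: the form posts only the number and message to a page on your own server, which adds the credentials and calls the provider with curl. The file name, provider URL, environment variable names, input limits and the "HTTP 200 means accepted" check are assumptions; the four field names are the ones the question lists.

```php
<?php
// send_sms.php: hypothetical relay page on your own server (added example).
// The browser posts only number and message; credentials stay server-side.
const PROVIDER_URL = 'http://sms-provider.example/send'; // placeholder URL

function validate_sms_input(array $post): ?array
{
    $number  = $post['number'] ?? '';
    $message = $post['message'] ?? '';
    if (!is_string($number) || !is_string($message)) return null;
    $number  = preg_replace('/[\s\-()]/', '', $number);
    $message = trim($message);
    // Assumed limits: 8 to 15 digits with optional leading +, 1 to 160 bytes.
    if (!preg_match('/^\+?[0-9]{8,15}$/', $number)) return null;
    if ($message === '' || strlen($message) > 160) return null;
    return ['number' => $number, 'message' => $message];
}

function relay_to_provider(array $sms): bool
{
    // Assumption: credentials are set as environment variables on the server.
    $user = getenv('SMS_USER');
    $pass = getenv('SMS_PASS');
    if ($user === false || $pass === false) return false;
    $ch = curl_init(PROVIDER_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(
            $sms + ['username' => $user, 'password' => $pass]
        ),
        CURLOPT_RETURNTRANSFER => true, // keep the provider reply off the page
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return $body !== false && $code === 200; // assumes 200 means accepted
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
$sms = validate_sms_input($_POST);
if ($sms === null) {
    http_response_code(400);
    exit('Invalid number or message.');
}
// Report only success or failure; never echo the request or provider reply.
echo relay_to_provider($sms) ? 'Message sent.' : 'Sending failed.';
```

The request from this page to the provider still travels over plain HTTP, so the credentials remain readable on the network path between the two servers, as the answers above point out.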
