Creating an API
#1

[eluser]dmorin[/eluser]
I'm starting to add an API to my CI site and I wanted to ask the community if they have any advice. Some specific things I'm wondering:

Does anyone have a hack to get CI to ignore the querystring part of the url and just route based on the url before the "?"? I would like to be able to pass parameters through the querystring but in my experience it completely screws up the routing. This is one place I would love to see CI improve. (contrary to CI belief, $_GET is not the root of all evil ;-) )

Other APIs I've seen have used a fake filetype syntax to indicate the type of output they would like to receive (ex: user.json versus user.xml). I'm assuming this is possible through routing, but if anyone has anything specific, please share!

Any other best practices or things you like/dislike about other APIs? Thanks in advance!
#2

[eluser]missionsix[/eluser]
[quote author="dmorin" date="1220231478"]
Does anyone have a hack to get CI to ignore the querystring part of the url and just route based on the url before the "?"? I would like to be able to pass parameters through the querystring but in my experience it completely screws up the routing. This is one place I would love to see CI improve. (contrary to CI belief, $_GET is not the root of all evil ;-) )
[/quote]

I've gotten routing to work along with query strings by changing the variable

Code:
$config['uri_protocol']    = "AUTO";

to

Code:
$config['uri_protocol']= "ORIG_PATH_INFO";

Although this worked for my server / setup, it may not work on yours. I'm just letting you know that it is possible to use pretty urls along with query strings to achieve that perfect url structure!
#3

[eluser]dmorin[/eluser]
Thanks for the tip. "ORIG_PATH_INFO" didn't work for me, but "PATH_INFO" did. Now I can have a querystring and CI doesn't die.

On a related note, can anyone explain to me how not resetting $_GET to a blank array is a security concern? Why does CI do this? Do we really need that much protection from ourselves? I think I understand security fairly well and realize that we need to protect against sql injection, cross site scripting, etc, but I can't think of a situation where just having the $_GET array populated is a security concern.
#4

[eluser]dmorin[/eluser]
Also, for anyone who may come across this later, I am using the following route to pull off the fake filetype and pass it to the controller method as an argument:

Code:
// $1 = controller, $2 = method, $3 = optional format (3-4 letters)
$route['^api\/([a-zA-Z_]+)\/([a-zA-Z_]+)\.?([a-zA-Z]{3,4})?'] = "api/$1/$2/$3";

I have a folder called API within the controllers folder. Then every API request will have the controller ($1), method ($2), and optional format ($3).

If anyone has any suggestions on how to improve this, I would love to hear it. Thanks.
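
Added example, not part of the original thread: a stand-alone PHP sketch of how the fake-filetype route above rewrites constructed sample URIs, and how the controller method can check the format argument against an allowlist before choosing a renderer. It assumes CI matches each route key as `'#^' . $key . '$#'`; the helpers `apply_route` and `resolve_format` and the allowed list (`json`, `xml`) are hypothetical. It also compares a character class written `A-z` instead of `A-Z`, which additionally accepts `[`, `\`, `]`, `^`, `_` and a backtick.

```php
<?php
// Added example: simulates route matching outside CodeIgniter.
// Assumption: CI wraps each route key as '#^' . $key . '$#' before matching.

$route_key = '^api\/([a-zA-Z_]+)\/([a-zA-Z_]+)\.?([a-zA-Z]{3,4})?';
$loose_key = '^api\/([a-zA-Z_]+)\/([a-zA-Z_]+)\.?([a-zA-z]{3,4})?'; // "A-z" typo

// Hypothetical helper: rewritten URI, or NULL when the route does not match.
function apply_route($key, $uri)
{
    $pattern = '#^' . $key . '$#';
    if (!preg_match($pattern, $uri)) {
        return NULL;
    }
    return preg_replace($pattern, 'api/$1/$2/$3', $uri);
}

// Hypothetical helper for the controller method: the format comes from the
// URI, so map it onto a known renderer instead of using it directly.
function resolve_format($format, $default = 'json')
{
    $allowed = array('json', 'xml'); // assumed set of supported outputs
    if ($format === '' || $format === NULL) {
        return $default;             // no suffix given
    }
    $format = strtolower($format);
    return in_array($format, $allowed, TRUE) ? $format : FALSE;
}

// Constructed sample URIs.
$samples = array(
    'api/user/show.json', 'api/user/show', 'api/user/show.XML',
    'api/user/show.php',  'api/user/show.a_b', 'api/user/show.js',
);

foreach ($samples as $uri) {
    $strict   = apply_route($route_key, $uri);
    $loose    = apply_route($loose_key, $uri);
    $segments = ($strict === NULL) ? array() : explode('/', $strict);
    // Segment 3 is the format; FALSE means "reject the request".
    $format   = isset($segments[3]) ? resolve_format($segments[3]) : NULL;
    printf("%-20s strict=%-22s loose=%-22s format=%s\n", $uri,
        var_export($strict, TRUE), var_export($loose, TRUE),
        var_export($format, TRUE));
}
```

A suffix such as `.php` still satisfies the three-to-four-letter pattern, so the route alone does not restrict the format; the allowlist in the controller does.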
#5

[eluser]Colin Williams[/eluser]
Quote: but I can't think of a situation where just having the $_GET array populated is a security concern

So set enable_query_strings to TRUE, set uri_protocol to something other than QUERY_STRING or AUTO (because we want clean URIs and don't want CI to think it needs to use the controller/function triggers in the query string) and get on with life. It's good to know how these settings actually work so you know what you need to, well, set them as.
#6

[eluser]dmorin[/eluser]
Perfect. I had set enable_query_strings to true in the past, but didn't put it together that you also had to hide the querystrings from CI by not using auto for the uri_protocol. That is great to know and makes perfect sense now that you mention it. It would be great if this could be added to the documentation as it's not entirely clear in its current form.

As for the whole "get on with life", I was asking because it doesn't seem to make sense why CI would go out of its way to destroy the $_GET variable. For the most part, the CI defaults are very well thought out and I just don't understand this one.

Alas, I will get on with my life. Thanks for the config tips.
#7

[eluser]Colin Williams[/eluser]
Please take that "get on with life" thing lightly. You know, the whole thing about emptying $_GET falls under the "Security" heading in the Input class documentation, but when the EllisLab guys have stepped up and explained their reasoning behind it, it really never has anything to do with security. It's more like, and I'm paraphrasing, "we do it because we don't need it if we have clean URIs." Take that for what it's worth. The point is, there's a workaround.

Also, I'm so glad that you "get" it. I don't usually have such luck. 2-2 this Labor Day Weekend though! Hoorah!



