Online DB content

**M109uk** · 07-12-2004, 06:36 PM

Thanx for that cairnswm,

I have written a simple web service, i have got it sort of working with MySQL, except for some reason it doesnt execute a procedure anymore, but that doesnt matter yet.

Is it at all possible to call a procedure in the webserive via PHP from the webserver, what i have is a User account that has a unique account number, similar to ICQ, i have created a function that generates the account number in my web service and results it, but i want to be able to register an account from my website too, so idealy i would like to have in a PHP script:
$userID = cgi-bin/xshell.exe/createUserID();

Of course i doubt it'l be that simple but is it possible?

**cairnswm** · 08-12-2004, 06:22 AM

Unfortunatly I am not a php programmer so I am not sure.

In ASP (Which I use for web development) you can use the XMLHTTP activeX control to do the same thing as WebLive does. This then returns the results of the call as a string that can be used in the program.

Here is some php code I found (this will, I presume, only work on a windows server):
http://www.webpronews.com/webdevelop...POnTheFly.html

Aaahh!!! I found what you need!
http://hacks.oreilly.com/pub/h/175

Let me know if you get it working.[/code]

**cairnswm** · 08-12-2004, 06:33 AM

Also look at:

http://magpierss.sourceforge.net/

Its an RSS reader but an RSS reader means it needs to get info from another web site. Therefor you should be able to modify it so you can use it to call your service.

**M109uk** · 09-12-2004, 01:08 AM

Hi cairnswm,

Aaahh!!! I found what you need!
http://hacks.oreilly.com/pub/h/175

Thanx for that, i have managed to get it to work, had to do a bit of guess work but i got it with the following code:

Code:

<?php
  require_once&#40;'nusoap/lib/nusoap.php'&#41;;

  $soapclient = new soapclient&#40;'http&#58;//localhost/cgi-bin/XShell.exe/wsdl/IXShellService', 'wsdl'&#41;;
  $parameters = array&#40;'XSID'=>'0000/AAA0/AA-00'&#41;;
  $username = $soapclient->call&#40;'GetUsername', $parameters&#41;;
  $password = $soapclient->call&#40;'GetPassword', $parameters&#41;;
  
  $xsid = $soapclient->call&#40;'GenerateXSID'&#41;;
  echo 'Username&#58; <b>' . $username . '</b><br>Password&#58; <b>' . $password . '</b><br>';
  echo 'XSID&#58; <b>' . $xsid . '</b><br>';
?>

I hav'nt seemed to test it with other functions yet, specialy to see if it works with a class :s if you have any ideas?

**cairnswm** · 09-12-2004, 04:59 AM

What do you mean to see if it works for a class?

The wsdl wraps the web service class in a way that any language should be able to read it. (If the language is web service enabled)

**M109uk** · 09-12-2004, 08:13 PM

i mean by when you call a function you recieve a class, like in the example provided when you first create a web service, you call a function to recieve the TEmployee class, i have a similar class and function, but i call it i get an array back from it, how ever i have tried several ways of getting the propertise from the resulting class..

Example class being resulted:
[pascal]
TXShellUser = Class(TRemotable)
public
Username: String;
Password: String;
XSID: String;
end;

TXShellService = Class(.. , ..)
....
function GetUser(XSID: String): TXShellUser; stdcall;
end;
[/pascal]

i use the following to call the function in PHP:

Code:

<?php 
  require_once&#40;'nusoap/lib/nusoap.php'&#41;; 

  $soapclient = new soapclient&#40;'http&#58;//localhost/cgi-bin/XShell.exe/wsdl/IXShellService', 'wsdl'&#41;;  
  $user= $soapclient->call&#40;'GetUser'&#41;; 
  echo 'Username&#58; <b>' . $user&#91;0&#93; . '</b><br>'; 
  echo 'Username&#58; <b>' . $user&#91;"0"&#93; . '</b><br>'; 
  echo 'Username&#58; <b>' . $user&#91;"Username"&#93; . '</b><br>';
  echo 'Username&#58; <b>' . $user&#91;'username'&#93; . '</b><br>';
  echo 'Result&#58; <b> . $user . </b><br>';
?>

But all i get back is

Username:
Username:
Username:
Username:
Result: Array

This might be a PHP question more than a delphi/web service one, but a have accessed arrays like above before with out any problems, and i couldnt find any alternatives on the web. I hope i make sense lol

**Harry Hunt** · 09-12-2004, 10:51 PM

First of, using SOAP is probably a pretty good idea.

I'm just gonna lose a few words on security, in case you choose your client app to communicate with a script on your server:

You would be passing information to your script through GET or POST variables. I recommend using POST variables and have your script ignore the GET variables completely. If you're using PHP, make sure register_globals is set to "off" in your php.ini as having it set to "on" is a major security risk.

The first security measure you should take is, to restrict access to your script with a password. This password would have to be sent to the script whenever you're requesting something. The script would validate the password and do nothing unless the password is correct.

The second measure you should take is to encrypt any data transfered between your client and your script. The easiest way to achieve that is to simply use SSL. Alternatively, you could RSA-encode all data manually. Since the exe would only need the public key, it can be hard-coded into yoru EXE or even be located in a text-file.

The third and probably the most important measure is to validate anything you write into the database (for example using regular expressions). If for example you're adding a new user to your database, remove all special characters form the information provided by the client app. If you do something like

UPDATE users SET username='$username', password='$password' WHERE id='$id'

you probably can imagine how easy this can be exploited to reset other people's passwords to whatever you want, as long as the information from the client app is inserted into your queries unfiltered.

Of course this still isn't absolutely safe. You might also want to give your client a specific useragent which is then checked for by the script and you could use some kind of authorization procedure where the script sends you a string of numbers and letters that you somehow process and send back to the server. There's really a lot you can do to secure the system, the information above is really just a guideline of what you definitely should be aware of.

**cairnswm** · 10-12-2004, 04:56 AM

Why doesn't your call to 'GetUser' send an ID through? My initial guess is that it is returning a valid (blank) record.

Unfortunatly I have so far only used the web services with Delphi so I can't really help you with php. Do you have a Delphi Client created that returns the correct information? If so then the problem is definitly lying in your php somewhere.

Harry Hunt: When using SOAP its effectivly a POST with the information stored in the calls data area (as opposed to the command headers).

**M109uk** · 10-12-2004, 08:15 PM

Harry Hunt:
At the moment im only testing the SOAP, but when i have finished with it then each call to update or modify a user will require the users ID and their password (which is MD5 encoded before it is passed to the script and compared to the DBs MD5 password).

Im not too sure what information i will need to get encrypted yet, i probably want the credit information encrypted. I cant encrypt ALL the information because i want the user to be able to view and update their account and profile in their web browser too. I probably want the users Credit account encrypted so that they or other users or hackers can not mess with the amount of credits, etc. But i probably dont if this is too important at the moment because the credits are not real money or anything just a form of keeping the play/use time up, and to get updates and other features for the app/game.

Im not sure encrypting the other information would be required because the information will be displayed in HTML when the user wants to view their stats and profile out of the game/app.

As for setting the global register, im not sure if i can turn it on or off cause its on another server and they dont give the option, but i will remember to turn it off when i get my own server up and running.

Cairnswm:
I will update my test app later when i get back and let you know. Im hoping its a code problem otherwise im lost :lol:.

Im not great using PHP, i'v pretty much only used it with choosing which page to display and MySQL. The simple stuff :lol: i'l have another look on the web too, maybe i have to initialize an array type or something?!

Another question, would it be better or easier to use an ISAPI than a CGI?
Of course im aware that the DLL has to be unloaded before it can be updated and all, but will using an ISAPI over a period of time course problems or anything. And of course i will probably need to update it at some point, so that will probably cause problems if i cant unload it.. So not sure would be the better option?!?

**M109uk** · 10-12-2004, 09:09 PM

Ah i tested using my Client app and it worked fine, but i was still getting the problems in PHP so i tested a few random print functions in PHP, and found out that the data was in the the variable how ever it was a multiple array, and i had to access it like:

Code:

<?php
  require_once&#40;'nusoap/lib/nusoap.php'&#41;;

  $soapclient = new soapclient&#40;'http&#58;//localhost/cgi-bin/XShell.exe/wsdl/IXShellService', 'wsdl'&#41;;
  $user = $soapclient->call&#40;'GetUser', $parameters&#41;;
  echo 'Username&#58; <b>' . $user&#91;TXShellUser&#93;&#91;Username&#93; . '</b><br>';
  echo 'Password&#58; <b>' . $user&#91;TXShellUser&#93;&#91;Password&#93; . '</b><br>';
  echo 'XSID&#58; <b>' . $user&#91;TXShellUser&#93;&#91;XSID&#93; . '</b><br>';
  echo 'ID&#58; <b>' . $user&#91;TXShellUser&#93;&#91;ID&#93; . '</b><br>';
?>

Of course TXShellUser is the resulting class and the second are the propertise

lol just awaiting the next lot of problems

Moderation Process Reminder

Thread: Online DB content

Thread Tools

Display