  1. <?php
  2. $host = 'localhost';
  3. $user = 'bla';
  4. $pass = 'bla';
  5. $db = 'opendiet';
  6.  
  7. if (isset($_POST['api_key']))
  8. $api_key = $_POST['api_key'];
  9. else
  10. send_error_response('You need to provide your api key');
  11. if (isset($_POST['api_sig']))
  12. $api_sig = $_POST['api_sig'];
  13. else
  14. send_error_response('You need sign your calls');
  15. if (isset($_POST['session']))
  16. $session = $_POST['session'];
  17. if (isset($_POST['request']))
  18. $request = $_POST['request'];
  19. else
  20. send_error_response('You have to provide a request');
  21. try {
  22. $conn = new PDO('mysql:host='.$host.';dbname='.$db.';charset=UTF-8', $user, $pass);
  23. $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  24. } catch (PDOException $ex) {
  25. send_error_response('Failed to connect to MySQL: ' . $ex->getMessage());
  26. }
  27. if(!check_sig())
  28. send_error_response('Invalid signature');
  29. if($request === 'update' || $request === 'add') {
  30. if(!isset($session))
  31. send_error_response('You need to provide a session for write calls');
  32. else if(!checkSession($_POST['api_key'], $_POST['session']))
  33. send_error_response("Invalid session");
  34. }
  35. process_response();
  36. function process_response() {
  37. global $request, $api_key, $conn;
  38. switch($request) {
  39. case 'auth':
  40. $token = uniqid();
  41. try {
  42. $stmt = $conn->prepare("UPDATE applications SET token = ? WHERE api_key = ?");
  43. $stmt->execute(array($token, $api_key));
  44. send_token_response($token);
  45. } catch (PDOException $ex) {
  46. send_error_response("MySQL error: " . $ex->getMessage());
  47. }
  48. break;
  49. case 'session':
  50. if(isset($_POST['token']))
  51. session($_POST['token']);
  52. else
  53. send_error_response('You have to provide a token in order to obtain a session');
  54. break;
  55. case 'check_session':
  56. if(isset($_POST['session']) && checkSession($api_key, $_POST['session']))
  57. send_session_response($_POST['session']);
  58. else send_error_response('Invalid session');
  59. break;
  60. case 'search':
  61. if(isset($_POST['query']))
  62. search($_POST['query']);
  63. else
  64. send_error_response('You have to provide a search query for the food you are looking for');
  65. break;
  66. case 'update':
  67. if(isset($_POST['id'])) {
  68. update($_POST['id']);
  69. }
  70. else
  71. send_error_response("You have to provide a valid integer >= 0 as the parameter id for update");
  72. break;
  73. case 'add':
  74. if(isset($_POST['data']))
  75. add($_POST['data']);
  76. else
  77. send_error_response("You did not provide any data to add");
  78. break;
  79. default:
  80. send_error_response('Undefined request');
  81. }
  82. }
  83. function send_token_response($token) {
  84. global $api_key;
  85. $data = array('api_key'=>$api_key,'token'=>$token);
  86. send_json_response($data);
  87. }
  88. function send_session_response($session) {
  89. global $api_key;
  90. $data = array('api_key'=>$api_key,'session'=>$session);
  91. send_json_response($data);
  92. }
  93. function add($data) {
  94. global $api_key, $conn;
  95. $data = json_decode($data, true);
  96. if(count($data) != 9)
  97. send_error_response("You have to provide all information for the food");
  98. $data['name'] = trim($data['name']);
  99. $hash = md5($data['name'] . $data['category'] . $data['brand']);
  100. try {
  101. $stmt = $conn->prepare("SELECT * FROM food WHERE hash = ?");
  102. $stmt->execute(array($hash));
  103. if(count($stmt->fetchAll(PDO::FETCH_ASSOC)) > 0)
  104. send_error_response("A food extactly like this already exists. Please use update");
  105. } catch (PDOException $ex) {
  106. send_error_response("MySQL error: " . $ex->getMessage());
  107. }
  108. try {
  109. $stmt = $conn->prepare("INSERT INTO food (name, carbs, fat, protein, alcohol, serving, serving_type, category, api_key, hash, brand)
  110. VALUES(:name, :carbs, :fat, :protein, :alcohol, :serving, :serving_type, :category, :api_key, :hash, :brand)");
  111. foreach ($data as $key=>$value) {
  112. if($key === 'serving_type' || $key === 'category')
  113. $stmt->bindValue(':'.$key, $value, PDO::PARAM_INT);
  114. else
  115. $stmt->bindValue(':'.$key, strval($value), PDO::PARAM_STR);
  116. }
  117. $stmt->bindValue(':api_key', $api_key);
  118. $stmt->bindValue(':hash', $hash);
  119. $stmt->debugDumpParams();
  120. $stmt->execute();
  121. send_ok_response();
  122. } catch (PDOException $ex) {
  123. send_error_response("MySQL error: " . $ex->getMessage());
  124. }
  125. }
  126. function update($id) {
  127. $whitelist = array("name","carbs","fat","protein","alcohol","serving","serving_type","category","brand");
  128. global $api_key, $conn;
  129. if(!ctype_digit($id))
  130. send_error_response("You have to provide a valid integer >= 0 as the parameter id for update");
  131. $query = "UPDATE food SET ";
  132. if(!isset($_POST['data']))
  133. send_error_response("You have to provide data that should be updated");
  134. $data = json_decode($_POST['data'], true);
  135. foreach ($data as $key=>$value) {
  136. if(!in_array($key, $whitelist))
  137. send_error_response($key . "isn't a valid key");
  138. $query .= $key . ' = :' . $key . ' , ';
  139. }
  140. $query .= "api_key = :api_key WHERE id = :id";
  141. $stmt = $conn->prepare($query);
  142. $stmt->bindValue(':api_key', $api_key, PDO::PARAM_STR);
  143. $stmt->bindValue(':id', $id, PDO::PARAM_INT);
  144. try {
  145. $stmt = $conn->prepare($query);
  146. foreach ($data as $key=>$value) {
  147. if($key === 'serving_type' || $key === 'category')
  148. $stmt->bindValue(':' . $key, $value, PDO::PARAM_INT);
  149. else
  150. $stmt->bindValue(':' . $key, $value, PDO::PARAM_STR);
  151. echo($key . ", ");
  152. }
  153. echo($count);
  154. $stmt->debugDumpParams();
  155. $stmt->execute();
  156. send_ok_response();
  157. } catch (PDOException $ex) {
  158. send_error_response("MySQL error: " . $ex->getMessage());
  159. }
  160. }
  161. function send_ok_response() {
  162. die("All ok");
  163. }
  164. function session($token) {
  165. global $api_key, $conn;
  166. try {
  167. $stmt = $conn->prepare("SELECT token FROM applications WHERE api_key = ?");
  168. $stmt->execute(array($api_key));
  169. $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  170. if(count($rows)!= 1)
  171. send_error_response('Internal server error');
  172. if($token !== $rows[0]['token'])
  173. send_error_response('Invalid token');
  174. $session = str_replace('.', 'f', uniqid('', true));
  175. $query = "UPDATE applications SET token = null";
  176. $conn->exec($query);
  177. $stmt = $conn->prepare("INSERT INTO sessions (api_key, session) VALUES (?, ?)");
  178. $stmt->execute(array($api_key, $session));
  179. send_session_response($session);
  180. } catch (PDOException $ex) {
  181. send_error_response("MySQL error: " . $ex->getMessage());
  182. }
  183. }
  184. function search($query) {
  185. global $conn;
  186. $search_query = strtolower(trim($query));
  187. $search_keywords = explode(' ', $search_query);
  188. if(count($search_keywords) < 1)
  189. send_error_response('You have to provide a search query for the food you are looking for');
  190. $prepared_query = "SELECT * FROM food WHERE ";
  191. $params = array();
  192. for($i=0; $i < count($search_keywords); $i++) {
  193. $prepared_query .= "LCASE(name) LIKE ? ";
  194. if(($i + 1) < count($search_keywords))
  195. $prepared_query .= "OR ";
  196. $search_keywords[$i] = '%' . $search_keywords[$i] . '%';
  197. }
  198. $prepared_query .= "ORDER BY name";
  199. try {
  200. $stmt =$conn->prepare($prepared_query);
  201. $stmt->execute($search_keywords);
  202. $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  203. send_search_response($rows);
  204. } catch (PDOException $ex) {
  205. send_error_response("MySQL error: " . $ex->getMessage());
  206. }
  207. }
  208.  
  209. function send_json_response($data) {
  210. header('Content-type : application/json');
  211. echo json_encode($data);
  212. }
  213. function send_search_response($result) {
  214. send_json_response($result);
  215. }
  216. function check_sig() {
  217. global $api_key, $api_sig, $conn;
  218. $sorted_parms = $_POST;
  219. ksort($sorted_parms);
  220. $parm_string = '';
  221. foreach ($sorted_parms as $key=>$value)
  222. if($key !== 'api_sig')
  223. $parm_string .= $key.$value;
  224. if(!preg_match("/^[a-f0-9]{23}$/", $api_key))
  225. send_error_response('Invalid api key format');
  226. try {
  227. $stmt = $conn->prepare("SELECT api_secret FROM applications WHERE api_key = ?");
  228. $stmt->execute(array($api_key));
  229. $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  230. if(count($rows) != 1 || empty($rows[0]['api_secret']))
  231. send_error_response('Internal server error');
  232. $parm_string .= $rows[0]['api_secret'];
  233. $hash = md5($parm_string);
  234. return $hash === $api_sig;
  235. } catch (PDOException $ex) {
  236. send_error_response("MySQL error: " . $ex->getMessage());
  237. }
  238. }
  239.  
  240. function send_error_response ($message) {
  241. header("HTTP/1.0 400 Bad Request");
  242. die($message);
  243. }
  244. function checkSession($api_key, $session) {
  245. global $conn;
  246. try {
  247. $stmt = $conn->prepare("SELECT api_key FROM sessions WHERE session = ?");
  248. $stmt->execute(array($session));
  249. $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  250. for($i = 0; $i < count($rows); $i++) {
  251. if($rows[$i]['api_key'] === $api_key)
  252. return true;
  253. }
  254. } catch (PDOException $ex) {
  255. send_error_response("MySQL error: " . $ex->getMessage());
  256. }
  257. }
  258. ?>