  1. #1
    New to the CF scene
    Join Date
    Dec 2018
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Question Log In from custom API to my website using Wordpress built-in authenticate hook

    I'm creating an API using Unity (C#) to authenticate users in my website's database. My website is running WordPress, which allows me to call certain hooks such as: apply_filters( 'authenticate', null, $username, $password );

    --->Wordpress authenticate hook documentation<---

    Now here's the thing: I'm communicating with my PHP files using a URL sent by my C# program. I have read that I can call a function using the URL, but it is a terrible idea because it allows anyone to access all of the other functions as well (makes sense to me, they could just simply change the function name and the file access remains).


    The question: How do I securely call a function within a PHP file (server-side) from a C# API (client-side)? I thought it would probably be a good idea to use another PHP script as a 'middle man' between the client and the WordPress functions file. That way the client isn't interacting directly with the entire "warehouse of functions" and instead just the "doorman", and later I could make the "doorman" spot suspicious requests.


    Anyway, here's the Authorize code that's called by the 'Log In' button:

    Code:
        
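        public MD5 md5; // System.Security.Cryptography.MD5; not used in this method
        private string url = "https://www.yourmomgoestocollege.com/wp-includes/TryLogin.php?";
        private string post_url;
        private WWW userresults;


        // Authorizes the account to log in. Run as a Unity coroutine (needs System.Collections and UnityEngine).
        public IEnumerator Authorize(WWW userresults, string username, string password)
        {
            // Replace url with the address of the PHP file.
            // Both values are URL-escaped; the password still travels in the query string of this request.
            post_url = url + "username=" + WWW.EscapeURL(username) + "&password=" + WWW.EscapeURL(password);


            // Send the request and create a download object to get the result.
            WWW www = new WWW(post_url);
            yield return www; // Wait until the download is done
            if (www.error != null)
            {
                Debug.Log("ERRORS: " + www.error);
                yield break; // nothing to evaluate if the request itself failed
            }

            // No transport errors from here on.
            // userresults is the caller's argument and is never assigned in this method,
            // so these checks do not reflect the server's reply (that is in www.text).
            if (userresults != null)
            {
                Debug.Log("Success");
            }
            else
            {
                Debug.Log("Wrong");
            }
        }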

  2. #2
    Regular Coder
    Join Date
    Sep 2014
    Posts
    314
    Thanks
    1
    Thanked 55 Times in 53 Posts
    First, the client side code can only be JavaScript, HTML and CSS. Your C code, public IEnumerator Authorize, runs in the server. See the <asp:whatever runat='server' >. That means that the communication between your C# code and PHP is not visible to your user (the one driving the browser). If you are worried about somebody posting requests to your PHP, you can always validate the requesting IP. If you don't recognize the IP, then just ignore the request.

    I am not familiar with WWW class and the yield statement. My worry is that if you send a request to another server, that request could be asynchronous. That means the request will exit once the request is done, before the remote server responds. Normally, for asynchronous processing, you provide a callback (delegate) that will be called when the request completes.

  3. #3
    New to the CF scene
    Join Date
    Dec 2018
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    My program is being accessed using a program on the PC and not on a Web Browser.

    "First, the client side code can only be JavaScript, HTML and CSS."

    My understanding is that 'client-side' refers to the code running on the PC (or whatever device the human is using [in my case, it's a program on the PC]) and 'server-side' is the code that's running on the server (such as PHP files, HTML files, CSS files...etc.).


    Let me know if I'm misunderstanding.


    Here is the information that I have learned about Unity:

    Unity offers the developer 2 languages, C# and JavaScript, to write the scripts that run your program. This is compiled into what is known as 'Unityscript', which is really a form of JavaScript. WWW is unique to Unity and is used to access web pages.


    "<asp:whatever runat='server' >" is not in my code. I'm not sure what you mean here.


    "If you are worried about somebody posting requests to your PHP, you can always validate the requesting IP. If you don't recognize the IP, then just ignore the request."

    The thing is, I'm using a built-in WordPress PHP file that has a bunch of different functions (some are dangerous to run and some are harmless) all in the same file. I'm trying to call one function from this file, but my fear is that someone alters the request to call a dangerous function instead. I don't want to alter the file because it is a built-in piece of WordPress. I just want to call a function using the WWW URL request.






  4. #4
    Regular Coder
    Join Date
    Sep 2014
    Posts
    314
    Thanks
    1
    Thanked 55 Times in 53 Posts
    "My understanding is that 'client-side' refers to the code running on the PC (or whatever device the human is using [in my case, it's a program on the PC]) and 'server-side' is the code that's running on the server (such as PHP files, HTML files, CSS files...etc.).

    Let me know if I'm misunderstanding."
    You are probably right. My apologies. I misunderstood your requirement.
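
One way to build the "doorman" described in the question, as an added example that is not code from the thread: a single-purpose PHP script that exposes only the login check and never maps request input to a function name. The file name login-gate.php, the field names, the action label and the throttle limits are assumptions; it assumes the script sits in the WordPress root beside wp-load.php and is called over HTTPS with the credentials in a POST body instead of the query string.

```php
<?php
// login-gate.php (hypothetical name): added example, not part of the original thread.
// Assumes this file lives in the WordPress root, next to wp-load.php.
require __DIR__ . '/wp-load.php';

// The only operations this endpoint performs. The client sends a label,
// never a PHP function name, and unknown labels are rejected.
const ALLOWED_ACTIONS = ['login'];

function gate_reply(int $status, array $body): void {
    wp_send_json($body, $status); // sends the JSON response and exits
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    gate_reply(405, ['ok' => false, 'error' => 'method_not_allowed']);
}

$action = isset($_POST['action']) ? (string) $_POST['action'] : '';
if (!in_array($action, ALLOWED_ACTIONS, true)) {
    gate_reply(400, ['ok' => false, 'error' => 'unknown_action']);
}

// Throttle: 5 failed attempts per client address within 10 minutes (constructed limits).
$key = 'gate_fail_' . md5($_SERVER['REMOTE_ADDR']);
$failures = (int) get_transient($key); // false (no entry) casts to 0
if ($failures >= 5) {
    gate_reply(429, ['ok' => false, 'error' => 'too_many_attempts']);
}

// WordPress adds slashes to $_POST; the user name is unslashed and the
// password is passed as received, the same way wp_signon() handles them.
$username = isset($_POST['username']) ? wp_unslash($_POST['username']) : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// wp_authenticate() runs the 'authenticate' filter chain and returns
// a WP_User on success or a WP_Error on failure.
$user = wp_authenticate($username, $password);
if (is_wp_error($user)) {
    set_transient($key, $failures + 1, 10 * MINUTE_IN_SECONDS);
    gate_reply(401, ['ok' => false, 'error' => 'invalid_credentials']);
}

delete_transient($key);
gate_reply(200, ['ok' => true, 'user_id' => $user->ID, 'display_name' => $user->display_name]);
```

Because the script calls one hard-coded function, changing a request parameter cannot reach any other WordPress function; the same error code is returned for an unknown user and a wrong password.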


 
