Popsikle
Minmatar Shadows of the Dead Aftermath Alliance
Posted - 2007.06.20 16:50:00 -
[1]
Edited by: Popsikle on 20/06/2007 16:54:10
Originally by: Rhysheline
For those that like to use php instead of python, here is a code snippet that should allow you to connect, post, and get data back. Parsing is left for another day
And here is a non curl snippet!
Quote:
<?php
// Credentials are sent in the POST body (placeholder values: fill in your own)
$auth = "userID=youruserid";
$auth .= "&apiKey=yourapikey";
$auth .= "&characterID=charid";

// Raw HTTP/1.0 request headers for the character sheet endpoint
$head = "POST /char/CharacterSheet.xml.aspx HTTP/1.0\r\n";
$head .= "Host: api.eve-online.com\r\n";
$head .= "Content-Type: application/x-www-form-urlencoded\r\n";
$head .= "Content-Length: " . strlen($auth) . "\r\n";
$head .= "Connection: close\r\n\r\n";

// Open a plain TCP connection to port 80 with a 30 second timeout
$fp = fsockopen('api.eve-online.com', 80, $errno, $errstr, 30);
if (!$fp) {
    echo 'fsock failed; damn muppets! ' . $errstr;
    exit();
}

// Send headers and body, then read the whole response (headers included)
fputs($fp, $head);
fputs($fp, $auth);
$data = '';
while (!feof($fp)) {
    $data .= fgets($fp, 128);
}
fclose($fp);
echo $data;
____
<t20> i want to be in a manager potition at Hooters <SaraDawn> Garthagk, do you have it up ? <Garthagk> I can get it up anytime. |
Popsikle
Minmatar Shadows of the Dead Aftermath Alliance
Posted - 2007.06.21 01:01:00 -
[2]
Originally by: DeTox MinRohim
Edited by: DeTox MinRohim on 21/06/2007 00:05:39
Originally by: Popsikle
And here is a non curl snippet!
You're late mate Linkage
But yours is at its simplest form so all good (And better for the comprehension)
Lol, I totally missed that post ;p
Popsikle
Minmatar Shadows of the Dead Aftermath Alliance
Posted - 2007.06.21 16:35:00 -
[3]
Originally by: CrazyIvan
Edited by: CrazyIvan on 21/06/2007 15:55:41
This is great I really like the new data exports. (I slapped together a php script that gets the data so far, now to write something that does something useful with it.)
However I'd like to note, I noticed on the 'my character' page, that the data exports are now there but are using 'GET' instead of 'POST' to pass the authentication keys.
This is a security risk for users that don't realize those 'GET' addresses contain their private keys, they might copy/paste that address to some place public (del.icio.us for example).
CCP should change those links from 'GET' Links to form 'POST's to mask the keys. (and prolly not accept 'GET's at all, only accept 'POST')
for example, change:
<a href='http://api.eve-online.com/char/WalletJournal.csv.aspx?userID=xxx&apiKey=xx&characterID=xx'>Wallet Journal</a>
to
<form action='http://api.eve-online.com/char/WalletJournal.csv.aspx' method='post'>
  <input type='hidden' name='userID' value='xxxx'>
  <input type='hidden' name='apiKey' value='xxxx'>
  <input type='hidden' name='characterID' value='xxxx'>
  <input type='hidden' name='accountKey' value='xxxx'>
  <input type='submit' name='Wallet Journal' value='Wallet Journal'>
</form>
or something similar.. just change the url links to forms..
just my two cents.
Garthagk said a few times he will be removing the GETs. They are there because it's a lot easier for us to debug that way ;)
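Added example, not part of any post in this thread: the GET versus POST point raised above, shown as the raw requests, plus a scrubber that redacts key-bearing URLs from pasted text or log lines. The parameter names and host are the ones quoted in the thread; the sample values and the choice to treat both userID and apiKey as secret are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names come from the thread; treating both as secret is an assumption.
SENSITIVE = {"userid", "apikey"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Constructed sample values, not real credentials.
SAMPLE = {"userID": "1234567", "apiKey": "CONSTRUCTEDKEY0000", "characterID": "7654321"}

def build_requests(path, params, host="api.eve-online.com"):
    """Return (GET, POST) raw HTTP/1.0 requests carrying the same parameters."""
    body = urlencode(params)
    get_req = f"GET {path}?{body} HTTP/1.0\r\nHost: {host}\r\n\r\n"
    post_req = (f"POST {path} HTTP/1.0\r\nHost: {host}\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                f"Content-Length: {len(body)}\r\n\r\n{body}")
    return get_req, post_req

def request_line(raw):
    """The first line is what access logs, proxies and browser history keep."""
    return raw.split("\r\n", 1)[0]

def redact_url(url):
    """Blank out sensitive query values; URLs without them are returned unchanged."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SENSITIVE for k, _ in pairs):
        return url
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def scrub(text):
    """Redact key-bearing URLs in free text; return (clean_text, urls_redacted)."""
    hits = 0
    def fix(match):
        nonlocal hits
        clean = redact_url(match.group(0))
        hits += clean != match.group(0)
        return clean
    return URL_RE.sub(fix, text), hits

if __name__ == "__main__":
    get_req, post_req = build_requests("/char/WalletJournal.csv.aspx", SAMPLE)
    print("GET  line:", request_line(get_req))    # key visible in the URL
    print("POST line:", request_line(post_req))   # key only in the body
    pasted = "my wallet: http://api.eve-online.com/char/WalletJournal.csv.aspx?" + urlencode(SAMPLE)
    print(scrub(pasted))
```

Moving the key into the POST body keeps it out of URLs, bookmarks and request-line logs; over plain HTTP on port 80 it is still sent unencrypted.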
Popsikle
Minmatar Shadows of the Dead Aftermath Alliance
Posted - 2007.06.25 01:00:00 -
[4]
Originally by: Tonto Auri
Originally by: Jaabaa
2) The characters list.
The characters on an account "/account/Characters.xml.aspx" should only be accessible with the full key. It might even be a better idea to have a limited key per character, so that people can't guess at (and confirm) your alts on an account.
It is absolutely NOT needed. Small tool to convert char name to charID (or even accept charname instead of charID) will be enough.
/account/Characters.xml.aspx - IS A SECURITY VIOLATION AND MUST BE REMOVED
If you don't want to give anyone that access, don't give them your api key. I know most corps will require the api key before you are trusted with intel (forums) and this goes a long way in preventing spies ;)
If you don't want people to know, don't give them your key. It's no different than the access you give EVEMon now (username/password can be used to find all accounts too)
Popsikle
Minmatar Shadows of the Dead Aftermath Alliance
Posted - 2007.06.25 01:01:00 -
[5]
Originally by: Jaabaa
Edited by: Jaabaa on 25/06/2007 00:14:49
My security concerns with the new API.
1) The Wallet.
Why bother adding "/char/AccountBalance.xml.aspx" which requires the Full API Key, when you can get this with the limited key in "/char/CharacterSheet.xml.aspx" as taken from the example <balance>190210393.87</balance> ? Surely this is not anyone else's business.
Again, the balance is displayed on tools like EVEMon. And if you don't want someone to know that info, don't give the key out.
Popsikle
Minmatar Shadows of the Dead Aftermath Alliance
Posted - 2007.06.26 00:01:00 -
[6]
Originally by: Scorpyn
Let's see... one code to get access to everything? Did I understand that correctly?
If so, why not split it up into smaller parts? Like 1 code to view what characters are on a specific account, 1 code to see the skill list (perhaps this could be even more specific by only specifying certain skills or skillgroups), 1 code to see the wallet, 1 for corp wallet etc...
There are two codes.
1.) Char list and Skill sheets for all your chars.
2.) Everything else.
Never give either code to anyone you don't trust 100% and never give code number 2 out at all!